In October, security firm Imperva reported on a DDoS attack through a somewhat unusual medium. Over 900 CCTV cameras were infected with a variant of a known malware program, and used to flood a cloud service with HTTP requests. The attack peaked at over 20,000 requests per second, according to Computer World.
You’ll probably be unsurprised to learn that, of the CCTV cameras compromised in the attack, exactly none of them were properly secured. On the contrary, the vast majority were easily accessible through Telnet or SSH, and all were protected by either default or weak credentials. In other words, they were easy prey for an enterprising hacker.
If this news doesn’t have you at least a little wary, you simply haven’t been paying attention. Because those CCTV cameras? They aren’t an isolated case where a company goofed and failed to properly secure its devices.
As a matter of fact, they’re more or less the norm. See, the issue with devices like fridges and thermostats is that they’re manufactured by companies that traditionally lack security expertise. Unlike, say, a software development firm or a Silicon Valley tech company, they aren’t really aware of the risks facing a connected device in the wild.
Pair that with the fact that there currently exist no meaningful regulatory penalties for an improperly-secured IoT device, and you’ve got the perfect cocktail for a security disaster. Worse still, according to Juniper Research, the number of connected devices in the world will reach over 38 billion by 2020. If even a fraction of those devices are improperly secured (and if current trends are any indication, more than a faction will be), that has the potential to pave the way for botnets of nearly unfathomable size.
As an aside, it isn’t just DDoS attacks that we’ll need to worry about in the coming connected future. As we bring more and more of our critical infrastructure online – from hospital tech to power and water – the possibility of a domino effect bringing everything crashing down grows significantly higher. Botnets, in other words, could be the least of our concerns.
“Security on IoT devices is not evolved and is not a top agenda item for developers,” writes Carl Weinschenk of IT Business Edge. “IoT developers also have to keep things as inexpensive as possible, and security may be one area in which they look to cut costs. This is a real danger: Many of the functions that the IoT devices will provide – such as monitoring heart patients and keeping tabs on the security of power plants – make it dangerous for them to be offline for extended periods of time.”
Granted, regulators and security experts alike are well aware of this problem, and working hard at trying to find a solution – especially given the critical risks. With all the legislation, liability concerns, and technical complexities to navigate, it’s going to be a long road, however. In the meantime, you’d best prepare yourself.
Botnets are about to get a whole lot bigger, and you need to be ready to mitigate the attacks they’ll be used to launch.