A few years ago, just as the 'Internet of Things' (IoT) was starting to take shape, some of us in the cyber security community joked that in future our toasters would be able to take down our banks.
Within the last few weeks that joke has become a reality. In September security researcher, Brian Krebs, had his website Krebs on Security taken offline by the largest Distributed Denial of Service (DDoS) attack yet seen. A short while later and French Internet hosting company, OVH, was struck by an even bigger attack. And, last Friday, DNS service Dyn - essentially an internet 'phone book' which directs users to websites - also fell victim to an attack in which "tens of millions" of different internet addresses bombarded the company's servers with excessive data, causing popular sites like Twitter, Spotify and Reddit to go offline.
The size of attacks has increased exponentially, thanks to the cyber criminals making use of the IoT. These devices are typically designed to be quick and cheap to produce, and have very poor levels of security. Essentially stripped-down versions of your home computer, many have very simple or default administrator username and password combinations, or use standard encryption tools where the 'key' is widely available on the internet. Many have no security features at all. The end user can do little to prevent their use by cyber criminals and hackers, even if they were to become aware that their device has been compromised.
The risk posed is now a legitimate threat. With some estimates putting the number of IoT devices as high as 50 billion by 2020, the capacity for widespread disruption is now achievable - the OVH attack only required around 150,000 devices, mainly personal Digital Video Recorders (DVRs). To complicate matters further the malware used for undertaking attacks, called 'Mirai', was released online for others to use. The result has been a doubling in size of the number of infected devices in a couple of weeks.
We're now entering the golden age of DDoS. The capacity to undertake attacks could well exceed the ability to fend them off, and whilst DDoS has been an irritant for some time it now poses a genuine threat to online services, including critical national infrastructure. It's now conceivable that DDoS could be used as a 'first strike' in destabilising a country and, as evidenced by the recent cyber attack on French TV channel, TV5Monde, used as part of a wider attack. How would a country cope if large financial, government and media institutions were taken offline for several days?
Immediate action is required to limit the threat. 'Scrubbing' services, which help fend off attacks, need to upgrade their capabilities. Serious thought should be given to regulating IoT gadgets - for example, companies having to pass their goods through an approved security accreditation. Cars were made safer through crash testing, and we may need to see similar legislation for the sale of IoT devices. We should even question why we need to have so many devices connected to the internet, apparently for superfluous reasons, in the first place.
We used to joke about our toasters taking down our banks. Right now, it's the hackers who are laughing.Suggest a correction