What Botnets And DDoS Attacks Teach Us About IoT Security

There's a lot to be learned from last Friday's spate of cyberattacks, which denied millions of users access to major websites such as Twitter, PayPal, Netflix and Spotify. The attack mainly affected the U.S. East Coast, with other geographical areas being affected to a lesser degree.

The attack itself was a massive Distributed Denial of Service (DDoS) attack, which in layman's terms translates into flooding servers with fake requests so as to bog them down and prevent them from responding to legitimate requests. DDoS attacks are carried out through botnets, armies of zombie computers that have been infected with malware and are under the command of hackers (aka botlords).

This was the latest in a series of recent DDoS attacks carried out through Internet of Things (IoT) botnets, which are comprised of millions of compromised connected devices such as CCTVs, DVRs, SOHO routers, etc.

What made Friday's attack special was that it was not aimed at the affected sites themselves, but rather at Dyn, the company that operates the DNS servers that connect clients to those websites. DNS servers act as switchboards that translate human-readable domain names (e.g. huffingtonpost.co.uk) to computer-understandable IP addresses (e.g. 58.188.221.232). Therefore, by targeting the DNS services, the hackers were able to effectively cut off access to many websites at the same time, without actually bringing down those very websites.

While the attack was eventually contained and stopped, there's no guarantee that it will not happen again, next time at a greater magnitude and in other parts of the world. IoT botnets are especially dangerous because they're easy to assemble in the millions--the IoT industry is riddled with vulnerabilities and in many cases, compromising devices is as easy as entering the default factory-set username and password.

Moreover, many of the targeted devices don't even have the means to be fixed or patched to protect themselves against the malware. And in contrast to malware that is installed on desktop computers and laptops, botnet malware on IoT devices has a greater chance of going undetected because users tend to install and forget their connected gadgets and are less likely to take note of a compromised toaster than a compromised computer.

This all makes IoT botnets--and IoT security in general--a serious concern. A year ago, most IoT security articles were aimed at warning consumers about the possible vulnerabilities and threats of the devices they installed in their homes and offices.

But the Friday attacks show that whether you own an IoT device or not--or whether you even know and care about IoT--IoT security concerns you, because the vulnerable device that your neighbor owns can be used to take down the online services that you're using every day.

We're living in an era where online services are becoming increasingly critical to our daily lives and businesses, and insecure IoT devices happen to be one of the biggest threats to those services. Therefore, it is in the interest of all of us to ensure the integrity and reliability of the communication infrastructure we use, as well as its resilience to cyberattacks.

That will demand a concerted effort to address IoT security issues on the part of all the involved parties.

Manufacturers must pay more attention to and invest more in device security instead of being focused on jumping on the IoT bandwagon by merely shipping a connected device to the market.

For their part, consumers have to be more vigilant about the security of the devices that they purchase, and that means looking beyond the dangers that directly affect them. Manufacturers will be more likely to deal with device security when they realize that their customers care about it.

ISPs and companies that offer infrastructural services must protect their resources against attacks instead of taking their availability for granted. Also, they should do more to detect and block malicious traffic that is being directed through their facilities.

Governments have a role to play as well by passing laws and regulations and holding device makers to account for the vulnerabilities of the devices they ship to market.

All in all, IoT will have a huge role to play in the future of our societies. Let's all make sure that the role will be a positive one.
