The number of Internet of Things (IoT) devices will reach more than 15 billion units by 2021, according to research from Juniper. As businesses and consumers accelerate adoption, we’re now on the cusp of an IoT revolution.
The benefits of connected devices are massive and include better data, automation, and increased efficiency. From connected healthcare to smart manufacturing and the development of smart cities, every vertical benefits from this technology.
But as the Internet of Things creates opportunities, it also creates new targets for cyber criminals. Worryingly, these devices are extremely vulnerable to exploitation; in the past three years, AT&T noted a 3,198% increase in attackers scanning for vulnerabilities in IoT devices.
With billions of hackable devices using outdated security technology, coupled with a lack of consumer and business awareness, the Internet of Things is the world’s greatest cyber security threat. Here’s why.
Feeble IoT security vs. powerful hackers
The widespread use of IoT continues to highlight how vulnerable these devices are when faced with modern, sophisticated cyber threats. A lack of investment in IoT security means these products are easy targets for cyber criminals. These are just some of the security issues associated with connected devices.
Privacy – IoT devices collect masses of personal information through the cloud or mobile applications. Consumers may not realize that their personal information is being gathered, but it could be used against them. By analyzing smart heating data, cyber criminals could find out when you’re out of the house, or when you’re asleep. It would surprise few to see this data then sold on the dark net.
Poor authentication – Many IoT devices use simple factory passwords or fail to educate users to create complex passwords. The opportunity is all too obvious for criminals. Weak passwords can be easily breached through brute force cracking, giving hackers access to your personal data.
Lack of control – Users often have no control over the generation and storage of IoT data. These devices often fail to provide an obvious location where a user can give consent to data collection. Without a consent step, most consumers never learn what data is being tracked or get to decide whether they’re prepared for it to be collected.
Insecure software – Software vulnerabilities can be resolved with firmware upgrades, but manufacturers push back on these updates so as not to disrupt user bases. Updates for outdated hardware are often discontinued when new hardware is introduced. The result: IoT devices joining botnets to DDoS organizations, or your personal data being stolen.
Automatic updates – Some consumers simply won’t update their devices manually, leaving it to the manufacturers to ensure automated and regular updates. But as we’ve seen, this is not a widely adopted practice for IoT devices. With a lack of automatic updates on IoT devices, consumers are even less likely to keep their firmware updated, especially if they can’t be controlled from a single computer. Again, the result is an easy route to your devices and data for hackers.
Part of the problem is that many consumers may not realize the security of their IoT devices is outdated and plagued with vulnerabilities.
“The challenge we face is that many of [these products] are not designed with security in mind,” says Terence Greer-King, director of cyber security at Cisco.
“Many users do not realize that they are essentially deploying a tiny web-enabled server in their home that could potentially be subverted to cause harm.”
But why should you care if your internet-connected fridge is hacked? For starters, hackers could access personal data, like bank details, passwords and emails. You may even be an unknowing participant in the largest DDoS attacks in history.
The terrifying power of billions of IoT devices
Vulnerable internet-connected devices are the perfect targets for cyber criminals. Hackers have already learned how to manipulate IoT devices into joining botnets – groups of Internet-connected devices that can be remotely controlled.
Once assembled, botnets can be used to orchestrate Distributed Denial-of-Service (DDoS) attacks. These attacks use large numbers of IoT devices to direct traffic to a website or server, overwhelming it and rendering it inaccessible to real users.
Botnets are traditionally made up of infected computers, but the widespread use of vulnerable IoT devices provides a far more enticing target for cyber criminals. A lack of investment in security and the abundance of IoT devices, a result of cheap and quick manufacturing, means these botnets are potentially far more dangerous than infected PCs.
This lack of security investment was revealed in 2016 when criminals launched the largest DDoS attack in history. The botnet malware behind the attack, Mirai, infected 100,000s of IoT devices that then pummelled DNS provider Dyn with a 1.2 Tbps DDoS attack.
The Mirai botnet knocked PayPal, Spotify, Netflix and Twitter offline, causing never-before-seen levels of disruption to some of the largest websites in the world.
This attack was amongst the first of its kind – think of it as the Morris worm of IoT malware. Just imagine the threats businesses will face as IoT continues to expand.
One month later, businesses were unprepared when the Mirai botnet struck again. This time the attack affected 100,000s of Deutsche Telekom customers.
The Mirai botnet source code is now available online, so it’s likely to continue plaguing poorly secured IoT devices. And in February 2017, researchers identified a new variant of the Mirai botnet capable of targeting Windows systems, allowing the malware to spread to even more devices.
Mirai is just the tip of the iceberg, and other powerful botnets continue to damage businesses globally. It’s not just businesses that should worry: one attack against a UK bank in 2016 resulted in £2.5 million stolen directly from customer accounts.
One recent – and unnerving – breach from CloudPets revealed an openly accessible database containing 2 million voice messages, most recorded by children. The messages were recorded on an internet-connected soft toy.
The poor state of IoT security is unlikely to improve in the short term, and catastrophic attacks are inevitable.
“A major bank will fail as a result of a cyber-attack in 2017 leading to a loss of confidence and a run on that bank,” says Prof Richard Benham, chairman of the UK National Cyber Management Centre.
Preventing a future disaster
These threats are a precursor to a potentially massive IoT disaster, like a major data breach or DDoS attack. The Mirai attacks, though powerful, affected a relatively small number of IoT devices. With an estimated 15 billion low-security devices up for grabs, this is a disaster waiting to happen.
In February, a group of industry leaders formed the IoT Cybersecurity Alliance, aiming to use their combined expertise to solve the security challenges presented by the Internet of Things. Founding members include AT&T, IBM, Nokia and Symantec.
“The explosive growth in the number of IoT devices is only expected to continue…so must the associated cybersecurity protections,” says Mo Katibeh, AT&T senior vice president of Advanced Solutions.
The new group outlined some specific goals, like conducting collaborative research on IoT security challenges across healthcare, automotive, and industrial verticals.
This is reassuring news because it’s ultimately the responsibility of manufacturers to produce secure devices and ensure their firmware is up-to-date. But this isn’t a solution.
There’s a battle ahead as cheaply manufactured internet-enabled devices, produced in countries with relaxed IoT security regulations, enter the market.
Cyber security spending is on the up globally with a predicted $1 trillion spent annually by 2021. Clearly, businesses continue to invest in cyber security skills, with recognized certifications — like ISC2’s CISSP or EC-Council’s Certified Ethical Hacker — but they must also now dedicate resources to ensuring the security of their IoT products.
Until every industry can ensure the security of their connected devices, attacks like Mirai will continue to plague businesses for the foreseeable future.