Misuse of the IoT: how unsecured devices are being used for DDoS attacks

October 19, 2016 // By EDN Europe
By Alex deVries and Tim Skutt
High-profile websites have long been the target for distributed denial of service (DDoS) attacks, but several recent instances highlight a new and growing problem.

First, there was the attack on krebsonsecurity.com, Brian Krebs' well-respected security news website. The 620Gbps attack became too much for Krebs' DDoS protection provider to defend against, meaning the site was unavailable for several days. The attack came from hacked webcams.

Then hosting outfit OVH survived an attack in the region of 1Tbps. The company claimed the source of the attack was a botnet of 145,000+ hacked digital video recorders and cameras.

What makes these attacks different from previous DDoS attempts – other than their sheer size – is that they're coming from the internet of things (IoT).

The positive impacts of the IoT have been well publicized, but at the same time, the sudden proliferation of command-and-control devices spread far and wide across the web – and hence tricky to track – creates an ideal environment for would-be attackers to exploit.

Easy-to-exploit connected devices

What’s worse is that many of these connected devices can be straightforward to hack. Long lifespans, and firmware that’s updated infrequently at best, mean that even after known vulnerabilities are resolved by manufacturers, there’s a plethora of unpatched kit in the wild.

By extracting firmware from a device or simply downloading it from the manufacturer, attackers often have little difficulty in reverse-engineering it. Their job is made easier because many devices use default login credentials.

Finding targets isn’t particularly difficult for attackers, either, as they can misuse dedicated IoT search engines to pinpoint particular devices around the internet.

Keeping IoT devices secure

So what can we do to protect against the IoT being used for malicious purposes? When it comes to new deployments, designers should implement best practices around configuration security, device identity, resource protection and updates. This will help ensure they’re secure when launched – and remain that way. Wind River offers a range of technology that incorporates these features.

But this doesn’t solve the issue of the poorly secured devices already out there. Fixing this problem is much more difficult, but there are ways to improve matters, which we’ll look at below. But let’s first explain why addressing the security issue will become increasingly pressing for owners and operators of IoT devices.

Changing motives for security

While those who own and run IoT equipment currently have various motivations for securing their devices, protecting against misuse for DDoS attacks on unrelated websites hasn’t typically been one of them.

However, as unsecured IoT kit increasingly gets exploited in this way, measures taken by others in the internet ecosystem are likely to start affecting device and service owners and their ability to use their equipment as intended.

Why IoT device owners need to secure their existing kit  

The best way to prevent this type of DDoS attack from succeeding is to protect the asset in question: in the above cases, the websites. In these examples, the providers took steps to do this.

But websites are just one asset that will get protected. Another is network bandwidth. An IoT device being exploited as part of a DDoS attack will use additional bandwidth. While this