There’s a flood of connected devices making their way into our homes and businesses – a deluge exacerbated by recent holiday gifts and the latest and greatest from CES, where connected devices always take top billing.
From mobile, wearables, and car technology to advancements in smart homes, TVs, and cameras, the tech world is awash with internet-connected devices. By 2020, it’s estimated that there will be more than 30 billion connected devices in the world, more than four times the earth’s population.
Hackers are watching
Tech-hungry consumers keep their eyes peeled for major device announcements. Also watching are distributed denial of service (DDoS) attackers who have made the internet of things (IoT) their weapon of choice. These nefarious actors exploit millions of vulnerable IoT devices to create sophisticated malware-based DDoS botnets they then use to initiate devastating attacks. IoT vulnerabilities give these hackers the ability to scale their attacks across tens of millions of devices and unique IP addresses.
New devices add more weapons to an already stocked arsenal of connected gadgets hackers have at their disposal that they can weaponize and leverage to launch DDoS attacks.
If we’ve learned anything from the Mirai botnet’s path of destruction in late 2016, during which attackers hijacked more than 500,000 webcams to launch a DDoS attack topping 1 Tbps, and last year’s WireX and Reaper threats, it’s that bad actors will latch onto unsecured devices and use them to do their bidding.
“Millions of unsecure, internet-enabled devices provide new threat vectors. Given the rapid proliferation of internet of things devices in advance of IoT-oriented security standards and configuration practices, expect these devices to be increasingly used as weapons for DDoS and other attacks,” said Adam Isles, principal at The Chertoff Group, a global advisory firm that provides security risk management, business strategy and merchant banking advisory services.
IoT threats a growing enterprise concern
According to a recent AT&T Cybersecurity Insights report, nearly a third (32%) of surveyed organizations said IoT-based DDoS attacks are their biggest future cybersecurity concern. AT&T found that more than a third (35%) of all its survey respondents say IoT devices were the primary source of a data breach experienced over the prior year. And the outlook for future IoT attacks is bleak, with 68% of survey respondents saying they expect IoT threats to increase in the coming year.
That said, AT&T found that 90% of organizations have conducted enterprise-wide cyber risk assessments in the past year, but only half have conducted risk assessments specific to IoT threats.
Meanwhile, according to our A10 Application Intelligence Report (AIR), DDoS attacks took the top spot among cyberthreats against businesses, with more than one third (38%) of IT decision makers saying their company has suffered an attack at least once over the past 12 months, with another 9% noting they’re not aware whether they’ve been attacked or not. Frighteningly, that means that nearly half of IT professionals say their company has either been a victim of a DDoS attack or they don’t know if they’ve been a victim.
A10 AIR respondents, however, don’t fear IoT as much as they probably should. For example, AIR respondents rank laptops as the most vulnerable type of device, more so than smartphones and even more so than IoT devices, a misperception that, if exploited, could give hackers an inroad into corporate networks.
The growing number of IoT-based DDoS attacks, when paired with lack of awareness and the growing roster of IoT devices hitting the market, creates a potentially catastrophic cocktail of opportunity for savvy cyberattackers.
The consensus: DDoS attacks will grow in both bot size and traffic volumes mostly due to their use of vulnerable, poorly-secured IoT devices. Contributing to those millions of vulnerable IoT devices will be this year’s crop of marquee CES products and the myriad gadgets found under the Christmas tree.
IoT DDoS defenses
The rise of IoT DDoS attacks makes it imperative companies rethink their DDoS defenses to thwart these sophisticated and often devastating threats. Here are key characteristics of effective DDoS defense solutions to ensure that IoT DDoS attacks can’t take your business down:
- Capable of detecting, mitigating and reporting on multi-vector DDoS attacks at the network edge and in centralized scrubbing centers to scale to defend against colossal IoT-fueled attacks
- Able to differentiate botnet traffic from legitimate traffic and users, so services stay available when battling an attack
- Include intelligence into known botnets and agents to defend networks against known threats
- Able to scale but still cost efficient