Friday's IoT-based DDoS attack has security experts worried
- 25 October, 2016 21:00
The Friday cybersecurity attack using connected devices, or the Internet of Things, was serious, unusual and even historic. It also is a taste of the disruptions to come, say security experts.
The attack, which affected a number of major Web sites, reportedly used Internet-enabled cameras as a platform for a Distributed Denial of Service (DDoS) attack. The attackers exploited manufacturer-set passwords that hadn't been reset by users.
"This is just the beginning," said Sanjay Sarma, a professor of mechanical engineering at MIT who has done pioneering work on IoT systems "There's more coming, sadly — perhaps a power plant."
Thousands of new devices are connected to the Internet daily. Some of these devices may be running low-power processors incapable of supporting sophisticated security. Embedded devices continue to operate for years after their last software patch, and can even outlive the demise of their manufacturer.
"It's very serious," said Jason Hong, associate professor in the Human Computer Interaction Institute at Carnegie Mellon's School of Computer Science, referring to last week's attack. "There are just so many of these devices that are relatively weak and insecure."
Today, any firm with a product or a service is potentially an IoT vendor. "A lot of these devices are being made by people who don't have a lot of experience building reliable software," said Hong, who is also a co-founder of Wombat Security Technologies, which focuses on the human side of computer security.
"We really need to figure out how to build better systems," he said.
IoT security poses unusual risks. It's one thing to steal usernames and passwords and take intellectual property or money, but it's an entirely different thing to gain access to systems that can physically disrupt and interfere with people directly. Any connected device, such as door and car locks, can be hacked. A medical device hack is also possible.
Former Vice President Dick Cheney revealed that doctors disabled the wireless capability of his heart implant to prevent a hack, Hong noted.
There is a lot of interest in improving IoT security in the private sector and in government. Studies, reports and congressional hearings arrive with some frequency, but something still seems missing.
"I wonder if there is enough urgency," said Seth Robinson, senior director for technology analysis at industry group CompTIA. Big security breaches fade quickly from the news, he said.
"The examples continue to crop up but our time of forgetting seems to be getting shorter," said Robinson. "We seemed to be amazed for a little bit, and then move back."
One of the biggest worries is the potential use of IoT systems to disrupt critical infrastructure, including telecommunications, transportation and the power grid.
Babak Beheshti, associate dean and professor of New York Institute of Technology, said any connected device can potentially be used to wage an attack. "If you can find an open port, you can establish communication with any server in a network," he said.
DDOS attacks and the flood of traffic they unleash can be managed and redirected, "but intrusion is much more devastating, because you're inside the network -- the damage could be permanent," said Beheshti.