Malicious hackers seeking out unsecured devices to add to their botnet armies is not new, but the Internet of Things (IoT) revolution is making their jobs all too easy.
According to Cisco (News - Alert) estimates, there are 15 billion IoT devices on the market today; IDC and Intel (News - Alert) project over 200 billion such devices by 2020. Only a portion of this consumer market consists of high end devices – such as major household appliances like smart refrigerators – that feature respectable, built-in security measures (and offer the potential for upgrades). The vast majority of IoT devices are low-end smart light bulbs, thermostats and other items with little or no existing security – nor a user interface that allow their security to be managed effectively.
The threat from botnets populated by unsecured, compromised IoT devices is real, growing, and should not be ignored. In October 2016, such a botnet conducted a distributed denial of service (DDoS) attack on the DNS provider Dyn (News - Alert), which, at least to date, is considered one of the largest sustained attacks of this kind in history. The attack, which may have involved the IP addresses of 10 million different IoT connected devices, caused major sites such as Twitter (News - Alert), Netflix, Reddit, CNN, Amazon and Spotify to instantly go offline. A subsequent strike by the same botnet also partially succeeded in interrupting Internet access for the entire country of Liberia. While each of these attacks delivered only 500 Gbps of data sustained for several minutes, I believe future DDoS attacks utilizing IoT-based botnets could soon top 10 Tbps – large enough to disrupt access to any targeted site or country.
So, if the threat is this well known, why aren’t IoT device manufacturers acting to make the products they sell more secure? The reality is that they have no direct incentive to do so. The pressures of the IoT market decisively favor products with a quick time-to-market and eye-catching user features. Device security hardly ranks in the minds of consumers – if unsecure IoT devices perform as advertised, there’s no reason for their buyers to complain. Most consumers have little to no awareness of the existence of botnets or DDoS attacks, or of the harm their devices are capable of doing. IoT device manufacturers remain glad to fulfill the market’s demand, providing products as quickly and cheaply as possible.
This ecosystem won’t last forever, though. Sooner or later, the websites and hosting services most affected by these IoT-based botnets will seek to disrupt the status quo. In one scenario, I foresee those sites and hosts will begin to pressure the Internet Service Providers (ISPs) that provide the bandwidth that IoT devices use as firepower for DDoS attacks. If successful, those ISPs would then be financially incentivized to address the issue of unsecured IoT devices that access the Internet across their broadband connections. Of the different avenues the ISPs may take to accomplish this, expect the ultimate responsibility to be with the end user. One possibility: ISPs may implement a system of “metered broadband,” giving consumers the bill when their devices use outsized amounts of bandwidth, as happens when they are part of a botnet attack. Alternatively, ISPs might warn customers when their devices are part of attacks – or even if their devices are unsecure and prone to risk – followed by blocking traffic to those devices if action isn’t taken.
I believe placing the responsibility for IoT device security on end users would spur a rapid shift in consumer demand and purchasing behaviors, especially when ISPs begin rendering at-risk devices non-functional. Manufacturers will then have the incentive they need to include proper device security in their IoT products. And then, perhaps, the Internet will have one less danger to worry about.
Jeff Finn is CEO at zvelo, a provider of content and device categorization, as well as malicious botnet detection services.