Can Your Thermostat Take Down the Internet?

Tom Badders
September 27, 2016 • 6 min read

People joke about the security of the Internet of Things. “Who wants to hack into an Internet-connected refrigerator?” the thinking goes.

But the concern about IoT security is more about the security of the entire Internet than it is about the integrity of coffee makers and thermostats. The greatest threat posed by unsecured IoT and industrial IoT (IIoT) devices is their potential for use in distributed denial of service (DDoS) attacks and for other nefarious purposes.

Symantec has just released a report that highlights this threat.  DDoS attacks basically involve hijacking Internet-connected devices and using them as unwilling/unknowing agents of attack, bombarding a website or other resource with so many “hits” that it shuts the target down.

Before the IoT, “Internet-connected devices” was almost synonymous with computers and servers. But today, anything connected to the Internet — from kitchen appliances and gaming platforms to medical equipment and industrial control systems — can be used in a DDoS attack.

Gartner says that 6.4 billion IoT devices (not counting computers and servers) will be connected to the Internet by the end of this year — many of which “frequently come with bug-ridden firmware that never gets updated and easy-to-guess login credentials that never get changed.”  As a result, the Symantec report notes, “any compromise or infection of such devices may go unnoticed by the owner and this presents a unique lure for the remote attackers.”

The Krebs Attack: A Case Study in Exploiting IoT for DDoS


None of this is just theory any longer (if it ever was), as we’ve learned over the past few days. Brian Krebs is a leading cybercrime investigator and as such has been the target of many bad guys on the Internet during his career. As a direct result of one of his investigations, Krebs’ blog was recently the victim of one of the biggest DDoS attacks in history, delivering more than 600 Gbits per second. What made that possible? The Internet of Things.

The assault was so large that it overwhelmed Akamai’s ability to protect his website, resulting in his site being taken offline for several days.  As noted by the Lawfare Blog, “this isn’t just a story about some skiddiot DOSing a reporter’s site. This is major news, with potentially extremely significant legal, technical, and policy ramifications.” That’s because:

Akamai is, in many ways, the “Internet.” Akamai hosts many services and are so distributed that any attacker who can DOS Akamai can effectively take down anything they want to on the Internet. Worse, this is probably not a nation-state but instead a highly-motivated private actor, angered by Krebs’ reporting. Let that sink in: A private actor has just demonstrated the capacity to “shut down the Internet”…

IoT insecurity threatens to go beyond the potential for being exploited in DDoS attacks.  The Symantec report notes that “With the rapid growth of IoT, increased processing power in devices may prompt a change of tactics in future, with attackers branching out into cryptocurrency mining, information stealing, and network reconnaissance.”

While the Krebs attack was likely an individual or a private cadre of bad actors, the potential for this kind of capability in the hands of a nation-state is especially alarming. Consider Bruce Schneier’s recent blog post about ongoing probes of companies that run critical pieces of the Internet’s infrastructure.  Its title — “Someone Is Learning How to Take Down the Internet” — speaks for itself:

We don’t know who is doing this, but it feels like a large nation state…It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

Protecting the Entire Internet-connected Ecosystem

Thus, IoT security isn’t just important to protect the devices and their users. It’s also critical in protecting the entire interconnected ecosystem from billions of Internet-connected devices being used for these kinds of attacks.  Unfortunately, the majority of consumer and industrial devices are still vulnerable to exploitation.

Several organizations are taking steps to raise the level of awareness of these vulnerabilities and to address them through standards and frameworks.  The Online Trust Alliance, for example, has produced the IoT Trust Framework, a set of principles addressing privacy, security and sustainability that focuses on consumer-oriented devices.

The Open Web Application Security Project (OWASP) has implemented the OWASP Internet of Things (IoT) Project, which is designed to help manufacturers, developers, and consumers understand the security issues involved with IoT and to assist them in making sound security decisions concerning IoT technologies.

The Industrial Internet Consortium has issued a framework for securing IIoT devices, aimed at makers, integrators, and users of industrial devices.  This reflects the industry’s awareness of the seriousness of the issue, but also reveals the scale of the challenge, with Cisco Systems and Intel projecting that up to 50 billion such devices will be online by 2020.

With Great Power Comes Great Responsibility

Networks are inherently unsecure. The Internet is no exception. New Internet-connected products bring amazing new capabilities to the market every day and enhance people’s lives, but each new connected device is yet another target for bad actors to exploit.

Facing this threat requires getting even novice technology users, as well as policy makers and operators of critical infrastructure, to move beyond the misconception that IoT security is about protecting our “things.” Rather, it’s about protecting everything.

Technologies are available to privatize Internet traffic. To hide or cloak sensitive network data repositories. To highly encrypt Internet transport traffic. To anonymize users, their devices, and their locations.  A network can be “off the grid” logically, and still function effectively, efficiently, and without the fear of being hacked. You can even use technology to seek out the bad actors and cut them off before they cut you down. Although there will always be new threats against networks, there is technology available today to remediate the threats of cybercriminals.  And the stakes are too high to ignore it.

Tom Badders is a Senior Product Manager at Telos Corporation.
1 Comment

Chris Wysopal suggests hard rate limits on IoT devices as a possible solution to hijacking them for DDOS. In other words, hard-program IoT devices to be able to send and receive only the amount of traffic they require for normal operation. As one commenter in the thread says, “how many packets per second does my light switch *need* to send and does it need to route externally?”
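
The hard rate limit suggested in the comment above, sketched as an added example (not code from the post, the commenter, or any device vendor): a token bucket caps packets per second, and a destination check answers whether the device needs to route externally. The `EgressLimiter` name, the light-switch profile and all addresses are constructed for illustration.

```python
import ipaddress

class EgressLimiter:
    """Token-bucket egress policy for one device (integer ms and milli-tokens, so results are exact)."""

    def __init__(self, rate_pps, burst, lan, allowed_external=()):
        self.rate_pps = rate_pps                      # sustained packets/second the device needs
        self.capacity = burst * 1000                  # bucket size in milli-tokens
        self.lan = ipaddress.ip_network(lan)
        self.allowed_external = {ipaddress.ip_address(a) for a in allowed_external}
        self.tokens = self.capacity
        self.last_ms = 0
        self.dropped = {"external": 0, "rate": 0}

    def allow(self, dst, now_ms):
        addr = ipaddress.ip_address(dst)
        # "Does it need to route externally?" Off-LAN traffic is denied unless explicitly listed.
        if addr not in self.lan and addr not in self.allowed_external:
            self.dropped["external"] += 1
            return False
        # Refill: rate_pps packets/second equals rate_pps milli-tokens per millisecond.
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_pps)
        self.last_ms = now_ms
        if self.tokens < 1000:                        # less than one whole packet of budget left
            self.dropped["rate"] += 1
            return False
        self.tokens -= 1000
        return True


def simulate():
    """Replay constructed traffic for a hypothetical light switch and count what gets out."""
    sw = EgressLimiter(rate_pps=2, burst=4, lan="192.168.1.0/24",
                       allowed_external=["198.51.100.20"])   # constructed update host
    sent = {"normal": 0, "lan_flood": 0, "ext_flood": 0, "update": 0}
    for s in range(10):                      # normal: 1 status packet/second to the hub
        sent["normal"] += sw.allow("192.168.1.10", s * 1000)
    for i in range(1000):                    # hijacked: 1000 packets in 1 s at a LAN host
        sent["lan_flood"] += sw.allow("192.168.1.1", 10_000 + i)
    for i in range(1000):                    # hijacked: 1000 packets in 1 s at an Internet host
        sent["ext_flood"] += sw.allow("203.0.113.7", 11_000 + i)
    sent["update"] += sw.allow("198.51.100.20", 20_000)      # legitimate off-LAN traffic
    return sent, sw.dropped


if __name__ == "__main__":
    print(simulate())
```

Normal operation is untouched, while a hijacked device can contribute only its small budget on the LAN and nothing toward an external target.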
