Is This The New ISIS?
Tweleve days ago, the largest-ever denial of a service attack on US soil was carried out against a critical part of our Internet – a major DNS service that acts as an address book to map friendly website names to IP addresses. The attack essentially wiped out most of the East Coast’s internet connection, including major sites like Twitter, Amazon, Netflix, and others.
Whoever was responsible used an army of IoT devices – such as webcams, smart thermostats, and even DVRs – to implement the attack. A DDoS (Distributed Denial of Service) attack involves controlling a mass of enslaved IoT devices distributed across the Internet, and forcing them to constantly send requests to a specific server to completely overwhelm it till it cannot perform its normal tasks. Typically, DNS servers have counter measures to handle massive amounts of requests, but this recent attack demonstrated that these are ineffective against a new category of threat.
Though intended to make our lives easier, connected devices are increasingly being recruited into a new ISIS-type Army of the Internet. DDoS-type attacks have been on the rise globally, thanks to the ease with which our IoT devices can be compromised. They are often led by a small population of hackers capable of causing large-scale terror that affects millions of people. Last Friday’s attack was just one consequence of a new virus, Mirai, that allows hackers to modify and further infect connected devices.
The Ugly Truth
The ugly truth is that this threat has been in the making for the last decade, as we’ve raced to make our devices more connected and smarter, with an estimated 5.5 million new things added every day.Consequently, we have sacrificed security in exchange for greater convenience and a growing the bottom line. Friday’s attack showed us that both can be severely compromised in just a matter of minutes.
“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind or to provide ongoing support,” statedVirginia Senator Mark Warner in a recent letter to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS). “We are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none,” he added as he called for the proliferation of insecure IoT devices a threat to resiliency of the Internet.
In the workplace, companies are becoming increasingly more dependent on the cloud for business processes, which increases the risk of these types of threats. As my own company relies heavily on Internet infrastructure to connect our global team, the downtime from the Marai attack cost us real money. If you are running your online business on the affected DNS server, you would’ve also lost real revenue, as potential customers had no means of getting to your website.
All Is Not Lost
The attack should be an urgent wakeup call to all of us on the dangers of lackadaisical IoT security. Our government can help by calling out the industry for building insecure devices. As good digital citizens and consumers, we also need to vote with our pocketbooks by demanding better security from the companies building connected devices.
We should also reexamine how we manage our home networks. The home network is no longer a small network with a couple of devices. Many of our homes are actually small enterprise networks, with an average of ten devices and growing. In a recent report, Gartner forecasted that 6.4 billion connected things would be in use worldwide this year, up 30 percent from 2015, and that this number would keep growing to 20.8 billion by 2020.In this environment, the router is the first line of defense to help prevent attacks to (and from) your connected devices.
This new threat needs to be met with a comprehensive approach that involves businesses investing more in security audits, consumers becoming more educated about their connected home network vulnerabilities, and the government regulating third party security testing for products – not to mention prosecuting those who carry out attacks. I believe this war is worth waging because our future is a connected one, and all is not lost if we work together to improve the overall security of our Internet of Things.
John Wu, CEO and Co-Founder of Gryphon
John is a seasoned wireless products executive with over 20 years of experience in the wireless and IoT industry, at companies including Novatel Wireless and Motorola. He led global teams that have successfully shipped products with over 4 million units annual volume, generating over $400M in revenue. Responsible for P&L for MiFi Labs, John was one of the key inventors of the MiFi mobile hotspot – selected by Time Magazine as one of the top gadgets of the century. John currently holds 18 patents, with an additional 26 patents pending.