
The Rise of the IoT Zombies: Who Is Your Router Working For?

It has been several years since the infiltration of “smart” devices – both into our homes and our bodies – began, and there is no shortage of articles that have expounded upon the danger and potential vulnerabilities that this technology has unleashed. Even the warnings haven’t stopped the proliferation of smart devices into everything from our car to our kitchen.

From a refrigerator that sends out malicious emails to webcams that are used to spy on celebrities, the devious intent of the hacker has not only increased, it has gotten more creative. The reality is that the Internet of Things (IoT) is changing everything.

There are a host of reports on the viability of IoT. In fact, in its 2014 Hype Cycle for Emerging Technologies Report, Gartner reported that by 2019, companies would ship 1.9 billion connected home devices, bringing in about $490 billion in revenue. This stunning statistic has got more than the wolves of Wall Street talking; in fact, it has unleashed a new pack of wolves, and one with very big teeth – the hackers.

During the second half of 2014, hackers became more efficient and effective, developing new methods to manipulate the protocol and accessibility of any home device that has an operating system and an open IP address. The result is a nearly instantaneous volumetric assault on intended targets through the use of a massive number of networked machines (often called “zombies”). It can be overwhelming, flooding targets with unnecessary requests that eventually lead to a server crash or the insertion of malware into the network. Either way, it’s bad for business and brand reputation, and very bad for the bottom line.

A New Attack Vector

What used to be a simple device that moved Internet access from one room to another in our homes has today become an instrument of what is now known as the Simple Service Discovery Protocol (SSDP) reflective amplification distributed denial-of-service (DDoS) attack. That’s a mouthful, and its impact is significant: globally, more than 7 million SSDP devices have the potential to be exploited to launch SSDP and other DDoS attacks.

The SSDP attack emerged last year as one of the most potent and increasingly favored attack vectors. Such attacks use internet-connected devices (routers, webcams, etc.) to amplify attack bandwidth by as much as 75 times. With IoT bringing billions of such devices online, there will be an exponential growth in this type of attack.
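One way a network owner can check whether a home or office device is answering SSDP queries from outside the LAN, and how much it amplifies them, is to compare UDP port 1900 bytes in and out per device. This is an added example, not code from the article or from NSFOCUS; the flow-record layout, the `LAN` prefix, the threshold and all sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900                                # UDP port used by SSDP
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed local prefix

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.7", 40111, "192.168.1.1", 1900, "udp", 130),    # outside query to router
    ("192.168.1.1", 1900, "203.0.113.7", 40111, "udp", 9400),   # large reply leaves the LAN
    ("192.168.1.20", 51000, "192.168.1.1", 1900, "udp", 130),   # normal LAN discovery
    ("192.168.1.1", 1900, "192.168.1.20", 51000, "udp", 3100),  # normal LAN reply
    ("198.51.100.9", 40222, "192.168.1.50", 1900, "udp", 125),  # outside query to webcam
    ("192.168.1.50", 1900, "198.51.100.9", 40222, "udp", 500),
    ("192.168.1.30", 44321, "203.0.113.80", 443, "tcp", 2000),  # unrelated traffic
]

def find_ssdp_reflectors(flows, lan=LAN, min_factor=2.0):
    """Return {device_ip: amplification_factor} for LAN devices that answer
    SSDP queries from outside the LAN with more bytes than they received."""
    bytes_in = defaultdict(int)    # outside host -> device:1900
    bytes_out = defaultdict(int)   # device:1900 -> outside host
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport == SSDP_PORT and d in lan and s not in lan:
            bytes_in[dst] += size
        elif sport == SSDP_PORT and s in lan and d not in lan:
            bytes_out[src] += size
    findings = {}
    for device, sent in bytes_out.items():
        received = bytes_in.get(device, 0)
        # Replies with no recorded query (asymmetric capture) are always flagged.
        factor = round(sent / received, 1) if received else float("inf")
        if factor >= min_factor:
            findings[device] = factor
    return findings

if __name__ == "__main__":
    for device, factor in sorted(find_ssdp_reflectors(SAMPLE_FLOWS).items()):
        print(f"{device} answers external SSDP queries, amplification x{factor}")
```

Any device this reports should have UDP 1900 blocked at the WAN edge or UPnP/SSDP disabled on its Internet-facing interface; LAN-only discovery traffic is deliberately ignored.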

Here’s a glance at a few vulnerabilities of today’s internet-connected devices:

  • Relatively high bandwidth. It’s the router’s job to provide your household with the bandwidth you need to stream movies, access the Internet and send email.
  • Long upgrade cycles. When was the last time you updated the firmware on your router? Most of us would say, “Never.” In fact, certain smart devices may never be upgraded after deployment.
  • Accessibility. Unless you have programmed your home to automatically shut down when you leave or go to sleep, refrigerators, routers and webcams generally stay online 24 hours a day, seven days a week.
  • Weak passwords. Let’s face it: the majority of us are guilty of creating weak passwords. But like your PC, Mac or phone, any equipment that connects to the Internet must be password protected. While consumers are familiar with creating passwords in those environments, accessing the interface to password-protect a router or webcam may not be quite as intuitive. Most of us just leave those devices with the default login and password.
  • Lack of legislation. While there are federal standards bodies investigating these types of attacks and developing recommendations, it is not up to the manufacturers to secure the consumer home network. Instead, the onus is on the consumer to secure the device he/she purchases.

Protecting the Network – Before IoT Zombies Strike

While security solutions continue to evolve to include IoT devices, it is clear that in securing this rolling train of accessible end points, the battle against DDoS will continue to challenge enterprises and ISPs. At RSA 2015 in San Francisco, IDC analyst Chris Christiansen noted that with consumer devices, there is no money in security. He went on to say that as such, the security that is embedded in a consumer IoT device is minimal, which, he noted, will eventually lead to major privacy and future litigation issues, especially in Europe.

Traffic-based attacks that lead to unavailable network infrastructure or congestion of available bandwidth can be prevented, but ISPs, hosting providers and enterprises alike need to think outside of the traditional security stack.

When looking for solutions to mitigate DDoS attacks, it is important to defend not only against attacks on the transport layer, such as flood attacks related to SYN, SYN-ACK, ACK, FIN/RST, UDP, ICMP and IP Fragment, but also against those targeting the application layer, such as HTTP GET/POST Flood, slow-rate attacks and DNS attacks. Furthermore, in terms of application scenarios, look for solutions that defeat DDoS attacks launched via a multitude of agent servers, like CDN and WAP gateways.

Some solutions today go further; instead of relying solely on traditional fingerprint matching or similar methods, more evolved DDoS mitigation solutions also conduct behavior anomaly detection, which can then be filtered through an intelligent multi-layer identification and cleaning matrix. This consolidates the mechanisms of anti-spoofing, protocol stack behavior analysis, specific application protection, user-behavior analysis, dynamic fingerprint identification, bandwidth control and so forth.

While organizations like the National Institute of Standards and Technology (NIST), the Securities and Exchange Commission (SEC) and other high-level financial standard bodies, such as the Office of the Comptroller of the Currency and the Federal Financial Institutions Examination Council (FFIEC), are investigating how to implement standards and restrictions with regard to this issue, it is imperative that enterprises and hosting providers incorporate DDoS protection models into the network that have been designed and tested to specifically monitor and mitigate these kinds of anomalies and attacks. Is your organization prepared for the rise of the Internet zombies?

To learn more about SSDP DDoS attacks, other DDoS attacks from 2H2014 and predicted potential threats for 2015, download the NSFOCUS DDoS Threat Report here: http://www.nsfocus.com/2015/SecurityReport_0416/196.html

If you're concerned about security in your IoT networks, look into the IoT Evolution Expo, set for August 17 to 20 at Caesars in Las Vegas.

About the Author:

Rishi Agarwal is Chief Evangelist at NSFOCUS, Inc. He has 12+ years’ experience in Product Marketing, Strategy, Business Development and Product Management. He has broad domain expertise in Network Security, Compute and Storage. Prior to NSFocus, he was a Senior Manager at Arbor Networks. Additionally, he has worked at leading technology vendors such as Microsoft, Intel and SanDisk.




Edited by Ken Briodagh

Chief Evangelist and Director of Product Marketing, NSFOCUS
