The Internet of Things (IoT) is now a major force in the weaponization of DDoS. Thus far in 2019, IoT botnets have fueled a number of attacks, and that role will only grow in the coming years. The tools to carry out these attacks are freely available to the public, and the IoT is expected to be 20 billion devices strong in 2020, so expect more frequent and disruptive attacks from a wider range of bad actors from now on.
While every organization must now protect itself against the potential for this kind of DDoS attack, this isn’t the only IoT vulnerability to keep in mind. 2019 will bring new threats as the IoT expands, challenging organizations and consumers alike to maintain effective defenses. Here are three IoT threats likely to continue in 2019 and what organizations can do to protect themselves.
From cars to medical devices, as more machines and sensors come online next year, hackers will have greater leverage with ransom attacks. Who wouldn’t pay up to regain access to their home thermostat, car, or the pacemaker that regulates their heartbeat?
And while IoT devices can be the targets of threats, they can also be the perpetrators. With publicly available hacking tools, DDoS ransom attacks can harness “thingbots” – massive systems of compromised devices. These things often share IP addresses and have unfamiliar operating systems, making them harder to identify.
While IoT ransom attacks are different than regular ransomware, the same rules apply – paying a ransom often leads to prolonged or repeated attacks. If you adopt a strong security posture and make your organization a more difficult target, you will have to worry less about these attacks in 2019.
IoT as the ultimate end point, remaining uncontrollable for years
In 2019, IoT platforms will need to be built with security in mind from the ground up, not have it added as an afterthought, as has been common until now. Today, a simple use of telnet and a limited list of factory default usernames and passwords can harness botnets of incredible size. As the space accelerates toward billions of connected things in the next few years, those botnets will only continue to grow if devices aren’t secured.
The burden for this security falls on three groups: manufacturers, network carriers, and enterprise customers. While manufacturers must produce resilient products with built-in security, carriers should be able to detect and manage traffic originating from those devices to protect potential victims. Enterprise customers need to be aware of the risks to their infrastructure and assets and invest in IoT that’s secure and can resist the threats that will emerge over the next three to five years.
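One way a carrier or enterprise team could detect the telnet scanning these botnets depend on, as an added example that is not part of the original article: it flags internal devices that reach many distinct hosts on telnet ports within a short window. The flow-record format, the alternate port 2323, the 60-second window and the threshold of 4 destinations are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}  # assumption: 23 plus a common alternate telnet port
# Constructed flow records for illustration: "timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2019-03-01T10:00:01 10.0.5.21 198.51.100.7 23
2019-03-01T10:00:03 10.0.5.21 198.51.100.8 23
2019-03-01T10:00:04 10.0.5.21 203.0.113.15 2323
2019-03-01T10:00:09 10.0.5.21 203.0.113.16 23
2019-03-01T10:00:12 10.0.5.21 192.0.2.44 23
2019-03-01T10:00:05 10.0.5.40 10.0.1.2 23
2019-03-01T10:00:45 10.0.5.40 10.0.1.2 23
2019-03-01T10:00:06 10.0.5.33 192.0.2.80 443
2019-03-01T10:00:00 10.0.5.50 192.0.2.1 23
2019-03-01T10:05:00 10.0.5.50 192.0.2.2 23
2019-03-01T10:10:00 10.0.5.50 192.0.2.3 23
2019-03-01T10:15:00 10.0.5.50 192.0.2.4 23
truncated-record 10.0.5.21
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue  # wrong field count, bad timestamp or non-numeric port

def telnet_fanout(flows, window=timedelta(seconds=60), min_dsts=4):
    """Map each flagged src to its peak count of distinct telnet dsts in any window."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in TELNET_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_dsts:
            flagged[src] = best
    return flagged

print(telnet_fanout(parse_flows(SAMPLE_FLOWS)))
```

A device that repeatedly reaches one management host over telnet, or that touches several hosts slowly, stays below the threshold; tune the window and threshold to the baseline of the network being monitored.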
Threats against physical appliances
Also known loosely as phlashing, permanent denial of service (PDoS) attacks will pick up this year, aiming to destroy the firmware on IoT devices and other hardware. One PDoS method uses remote or physical administration on the management interfaces of the victim’s hardware. The attacker may exploit vulnerabilities to replace a device’s basic software with a modified, corrupt, or defective firmware image. This bricks the device, rendering it unusable until it can be repaired or replaced.
The “things” of the IoT are particularly vulnerable to these attacks, as they’re often simple machines with little or no inherent security measures. You’ll need a clearer understanding of the different firmware versions, binaries, chip-level software, and technology in use in your environment to stay safe.
Securing the future of the IoT
The long-term success of the IoT will depend largely on whether secure platforms arise. This year and beyond, the IoT will usher in new security measures, from device identification and automation to regulation and availability.
As 2020 approaches, the IoT and connected devices are expected to grow exponentially. That in turn will draw new attention from hackers, and many IoT devices – and the organizations deploying them – aren’t ready. Only the organizations taking proactive, holistic steps to improve their security posture will see the true promise of the IoT without the disruptions and disasters of this next wave of attacks.