Last week's DDOS takedown of security guru Brian Krebs' website made history on several levels. For one, it was the largest such reported attack ever, with unwanted traffic to the site hitting levels of 620 Gbps, more than double the previous record set back in 2013, and signalling that the terabyte threshold will certainly be crossed soon. It also relied primarily on compromised Internet of Things devices.
The story behind the attack was a good dime novel read. Krebs had published the identities of a couple of characters associated with the Israeli-based black-hat pay-for-play DDOS service, vDOS, which led to their arrest within hours of the report's publication. The attack was apparently in retaliation for the story that brought them down.
"The traffic hurled at my site in that massive attack included the text string 'freeapplej4ck,' a reference to the hacker nickname used by one of vDOS’s alleged co-founders," Krebs wrote on September 25, after his site was back online.
As it turns out, this wasn't necessarily the first attack of this magnitude, and it certainly wasn't the first to use IoT devices.
"OVH, a major Web hosting provider based in France, said in a post on Twitter this week that it was recently the victim of an even more massive attack than hit my site," he said. "According to a Tweet from OVH founder Octave Klaba, that attack was launched by a botnet consisting of more than 145,000 compromised IP cameras and DVRs."
In other words: Houston, we have a problem.
The IoT is in its infancy, but is rapidly growing. According to research firm Gartner, this year will see 6.4 billion IoT devices connected to the Internet, with 5.5 million new devices being connected every day. By 2020, only a little over three years from now, that number will rise to 20.8 billion. ABI Research, which includes a larger set of devices in its "Internet of Everything," predicts there will be over 40 billion devices active online by 2020.
"The reality is that there are currently millions — if not tens of millions — of insecure or poorly secured IoT devices that are ripe for being enlisted in these attacks at any given time," Krebs wrote. "And we’re adding millions more each year."
Right now, the majority of "things" on the Internet are closely related to traditional IT -- routers, webcams and the like -- and are designed by organizations that should have some expertise in online security. However, devices are shipped every day that are insecure out of the box. As the scope of IoT broadens and devices designed and manufactured by companies with little to no network expertise are added, the situation can only get worse.
"I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce," Krebs wondered. "My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections."
At the very least, some kind of system needs to be put in place for code to be vetted, programs need to be developed to ensure that firmware receives security updates, and users need to be required to set unique, strong passwords before devices can be activated. Much more needs to be done, of course. This would only be a start.
It's not going to be easy, given the fact that the Internet doesn't answer to a single jurisdiction, but it would be better for us to get a handle on IoT security sooner rather than later. Until we do, we're destined to play a game of whack-a-mole with the much-ballyhooed IoT.