*****The following article, by Jeff Finn, appears within the Featured News section of IoT Evolution Magazine’s web site and was originally published on February 23, 2017.
Malicious hackers seeking out unsecured devices to add to their botnet armies is not new, but the Internet of Things (IoT) revolution is making their jobs all too easy.
According to Cisco estimates, there are 15 billion IoT devices on the market today; IDC and Intel project over 200 billion such devices by 2020. Only a portion of this consumer market consists of high end devices – such as major household appliances like smart refrigerators – that feature respectable, built-in security measures (and offer the potential for upgrades). The vast majority of IoT devices are low-end smart light bulbs, thermostats and other items with little or no existing security – nor a user interface that allow their security to be managed effectively.
The threat from botnets populated by unsecured, compromised IoT devices is real, growing, and should not be ignored. In October 2016, such a botnet conducted a distributed denial of service (DDoS) attack on the DNS provider Dyn, which, at least to date, is considered one of the largest sustained attacks of this kind in history. The attack, which may have involved the IP addresses of 10 million different IoT connected devices, caused major sites such as Twitter, Netflix, Reddit, CNN, Amazon and Spotify to instantly go offline. A subsequent strike by the same botnet also partially succeeded in interrupting Internet access for the entire country of Liberia. While each of these attacks delivered only 500 Gbps of data sustained for several minutes, I believe future DDoS attacks utilizing IoT-based botnets could soon top 10 Tbps – large enough to disrupt access to any targeted site or country.
So, if the threat is this well known, why aren’t IoT device manufacturers acting to make the products they sell more secure? The reality is that they have no direct incentive to do so. The pressures of the IoT market decisively favor products with a quick time-to-market and eye-catching user features. Device security hardly ranks in the minds of consumers – if unsecure IoT devices perform as advertised, there’s no reason for their buyers to complain. Most consumers have little to no awareness of the existence of botnets or DDoS attacks, or of the harm their devices are capable of doing. IoT device manufacturers remain glad to fulfill the market’s demand, providing products as quickly and cheaply as possible.
This ecosystem won’t last forever, though. Read more.
