In late October, IoT security – or lack thereof – really came to the forefront after devices infected with the Mirai botnet took down DNS provider Dyn with a massive DDoS attack. In November, with fears that our entire election could be at risk from a cyber threat, the question is whether the Mirai botnet is responsible for taking an entire country offline, as Forbes reported:
Only temporarily, mind you, and the target was a very small one: Liberia, with a population of around 4.5 million. Fewer than 10 per cent of its citizens have Internet access and the entire country is served by just two companies that share a single fiber optic cable. Who would want to DDoS a country like Liberia? One strong possibility is someone who’s testing the Mirai botnet’s capabilities.
Except the story appears to have been overblown, as Brian Krebs reported. While there was most definitely an outage, he said, the dip in usage could have been as much the result of a national holiday as a widespread attack, adding:
Did a Mirai botnet attack an infrastructure provider in Liberia? No question. Is the IoT problem bad enough that we have to worry about entire countries being knocked offline? Quite possibly. Was there an outage that knocked the country of Liberia offline this week? I have yet to see the evidence to support that claim.
I am in complete agreement with Krebs in his statement that the IoT problem has reached a point where we do have to worry about larger implications. If we voted online, you better believe I’d be worried about a massive and sustained DDoS on Election Day, or if polling stations were connected to the internet, I’d be watchful for targeted attacks in certain areas of the country. Luckily, we aren’t close to an internet-based election yet.
However, what about our critical infrastructure? Or our airlines? Or a DDoS attack that takes the Super Bowl down? The unsecure nature of the IoT could be leading down a nasty rabbit hole. As I was researching information on this Liberia story, I found other stories that mention an even more powerful IoT botnet called Linux/IRCTelnet, able to infect thousands of devices very quickly. As Andrew Howard, chief technology officer for Kudelski Security, said to me an email comment:
This growing problem goes beyond unchanged default passwords left on devices. There is an urgent need for proven security tactics and technology for the IoT space. Companies of all types need to ensure customer devices and systems meet desired security levels at all stages of their lifecycle. Without taking these steps, they are running the risk of leaving the door open to attackers.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba