David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
The Internet can be a pretty scary place. The dark web hosts trading houses where stolen personal information, from credit cards and social security numbers to health records and full identities, can be obtained for a price. Malware development and deployment and other attack services such as DDoS and botnets can be rented by the hour. Recent reports indicate that DDoS attacks are increasing in both frequency and size, and the problem of botnets being used as attack networks or launch points in DDoS and other malicious activities is significant. Indications are that it will only continue to get worse.
We are looking at a new age of botnets. The first age was servers, PCs, and laptops. The second age was mobile devices such as smartphones, phablets, and tablets. What’s the newest wave? … Thingbots.
What is a Thingbot?
Thingbots are devices born from the Internet of Things (IoT) like wearables, remotely managed environmental devices (such as HVAC systems), Internet-connected industrial systems, and even the Coke machine at the movie theater you just went to. Wireless medical devices, from radio-controlled insulin pumps to remotely manageable pacemakers like former US Vice President Dick Cheney’s, and new classes of devices, from network-connected smart cars to anything that individuals create for personal use in their homes, are all Thingbots that can either be attacked or used as attack platforms.
How Do Thingbots Work?
Each of these devices connects to the Internet in some manner and runs code on a microprocessor to do something. There are few to no quality standards or code checking for IoT-enabled devices. A hacker can compromise and inject malware into them, bringing them under his or her control just like PCs and phones. This presents a huge number of security risks and related concerns.
What is the Risk?
According to recent reports by IDC and Business Insider, the estimated number of IoT-connected devices is between 14 and 20 billion, with nearly 2 billion of those being IoT-class devices. This volume is expected to grow to an estimated 32 billion total connected devices by 2020, with approximately 9 billion IoT devices. Now the really scary part: few if any of those devices have antivirus or advanced endpoint and threat detection on them. They are ripe for the picking.
We already have a problem with compromised devices, despite having had prevention and detection technology in place for years. Systems are already being used to steal billions of records and disrupt Internet communications and other commercial services. Now we have whole new waves and classes of devices which have no on-device protection. What happens when we add these IoT devices to the mix is a critical concern for a number of research organizations. Refrigerators and televisions can send spam and even our toasters and microwaves can be leveraged to create DDoS attacks against a faraway target, or even against one’s own household. Each of these devices has some level of capability to allow hackers to influence and gain knowledge about our lives. Compromised devices can share what our cameras see, change our environmental controls, and affect our very lives by changing settings on our medical devices.
What Can You Do?
What is the consumer or manufacturer liability if a mundane IoT device is used against another location to perform a DDoS, or if it is used to execute a life-threatening attack on another individual? The size of the impact on our lives and society is yet to be seen, but it can be extreme depending upon how much we connect and how well we manage it. Managing the risk involves managing awareness. Be aware of how much you want to share and also how much may be shared through the different ways you connect, and do everything you can to restrict access to and availability of these devices.
David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including Security and Network Operations for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions. Aside from his full-time practice in the security field, David has been an adjunct faculty member for Capitol College in Laurel, Maryland since 2007, providing security instruction on both the undergraduate and graduate level. He has also presented briefings to numerous forums including SANSFire, Forrester and the Colorado Digital Government Conference.