Massive botnet-powered web attack fuels need to step up defences

By Chris Baraniuk

25 October 2016

This weekend, bots besieged the web. Popular internet sites including Twitter, Paypal and Reddit were knocked offline during a huge attack.

The so-called distributed denial of service (DDoS) attack was waged by a botnet formed by hundreds of thousands of computers and “internet-of-things” (IoT) devices, including cameras and printers, to launch a barrage of traffic at internet infrastructure company Dyn. As a result, swathes of websites were temporarily brought down for users in the US and Europe.

Devices made by Chinese firm Hangzhou Xiongmai Technology were identified as being among those targeted by hackers, and the company announced on Monday that it would . Xiongmai said one issue with its devices was that users had not changed their passwords from the factory-set defaults – but some researchers pointed out that it for a user to change all the credentials on some devices.

Security researchers have been warning for years that attackers could use smart devices to create this kind of disruption. Just last month, the website of security expert Brian Krebs was generated by a botnet that also affected some IoT devices. But can we prevent such attacks from happening again, or mitigate them?

“It’s really not rocket science to build something into these devices so that the first time they’re used, the user has to change the username and password,” says , a computing expert at the University of Surrey in Guildford, UK. He adds that such “security by default” should be standard practice.

One way to ensure that companies include such security features in their products could be to regulate IoT devices.

For example, the European Commission is a certification process to help consumers evaluate how vulnerable devices such as their new connected kettle or smart toaster are to exploitation by hackers. This could be similar to the labelling system used to rate an appliance’s energy efficiency.

Putting systems in place

But Erka Koivunen, a cybersecurity adviser at in Helsinki, Finland, says there is not yet much detail on how a grading system for the security of IoT devices would work, and that regulation would have to avoid making the European Union an excessively awkward place to sell new technologies. “Currently, nobody knows how you actually set up a system that doesn’t put too much burden [on] device manufacturers,” he says.

And Woodward says that customers might still buy cheap alternatives from areas of the world where those laws don’t apply. “You could set best practice like that, but the trouble is who buys these IP cameras from somewhere in the EU? You probably buy them online from somewhere in China.”

As we’ve seen with this recent attack, there are also plenty of insecure devices already in use.

It’s not just device makers that can help protect against DDoS attacks. In some cases, says Koivunen, internet service providers (ISPs) could improve defences by adopting certain standards.

For example, in some botnet attacks, malicious users to make it look like it comes from another network. In 2013, the European Union Agency for Network and Information Security suggested that ISPs should that comes from spoof addresses, but Koivunen says its advice went “largely unnoticed”. “Most ISPs fail to implement that […], they just don’t want to bother,” he says.

With the malware used to create this botnet still out there and vulnerabilities unaddressed, the possibility of another widespread assault looms large.
