
IoT CCTV Devices Harvest the Biggest DDoS Ever Recorded
Security experts have long assessed the IoT (Internet of Things) as being a hacker’s paradise in its current form. Last week saw the biggest DDoS attack ever recorded, in terms of hostile traffic bandwidth. French web host OVH was the victim. DDoS attacks have been around for a long time in Internet terms. What is startling about this and at least one other recent attack is that the hostile botnets did not consist of infected PCs but of cameras, digital video recorders and other devices, about 150,000 of them at the peak.
The significant weakness of the IoT is that each and every connected device presents an attack surface. Any device that is connected to the Internet is a potential victim of hacking and hostile takeover, as major corporations are only too well aware. The growth of real-life IoT networks is racing ahead of the development of adequate security protection for their component parts. There are literally millions of Internet-connected devices that hackers can potentially harvest into zombie networks.
The devices involved in the OVH attack were capable of generating traffic totaling an estimated 600 Gbps when combined. This level of usage threatens to significantly disrupt the Internet for other users. Theoretically, multiple botnets with that capability could “break” the Internet in a geographical region by rendering it so slow as to be practically unusable. Even a 300 Gbps flow may be enough to put at risk the heavy-duty routers that connect the backbone and spokes of the Internet.
At issue is the sheer number of inadequately secured devices out there. The primary sources of a botnet DDoS attack on the website of security writer and independent journalist Brian Krebs in Jan 2015 were home routers. The attack was so heavy and prolonged that the DDoS mitigation service of his web host Akamai could not cope over a sustained period. Back then, Krebs predicted that even CCTV cameras were potential zombies. That scenario came true in 2016 with a botnet attack from 25,000 of them.
There is no single solution that will protect all devices from hacking attacks. The most obvious and basic one is for users to change the default access credentials. For most home routers and connectable devices, the factory setting is admin/admin for user name and password. Users are also expected to apply frequent updates and patches to less-than-robust firmware. However, so large a percentage of homeowners are either unaware or not technically competent, or both, that the onus must lie with vendors.
Not only that, but owners have no way of knowing if their devices have been compromised. Unlike PCs, laptops and mobile devices, there is no established practice of users hardening security on the majority of dumb-terminal devices. Until progress is made in this critical area of security, the IoT is the soft underbelly of the connected landscape. Devices are manufactured and supplied to perform a function. That is akin to having authority but no responsibility: the devices have the capability to utilize the Internet, but security is seen as being somebody else’s problem. This is the attitude that must be changed.