Who has the power to stop massive, IoT-fuelled botnet attacks? All of us
Wed 22 Mar 2017 | Jeff Finn

Jeff Finn, CEO of zvelo, asks whether there are enough incentives for consumers to be concerned about the security of their IoT devices…
For customers purchasing Internet of Things (IoT) devices – a group that either includes or will include just about every one of us soon enough – it’s easy to get excited about the idea of smart light bulbs, speakers, thermostats, power outlets, and a host of other convenient, connected hardware the market offers. The chief selling point of most IoT devices is their functionality and simplicity, enabling us to control or track everything in our lives with our voices or our phones.
Affordability is also a key driver of sales for many of these connected gadgets, which aim for widespread adoption. What isn’t a factor in most IoT device purchasing decisions is whether or not the device features effective security to safeguard against hacking. It’s an increasingly concerning consumer blindspot that is already having detrimental effects on the availability of the internet as we know it.
What we consumers don’t know is that millions of household IoT devices worldwide have already been taken over by hackers. That innocent smart light switch that’s so handy might in fact be, unbeknownst to its owner, moonlighting as a mercenary of a botnet army carrying out distributed denial of service (DDoS) attacks.
To prepare and execute these attacks, hackers take advantage of software that can search networks for unsecured and vulnerable IoT devices. They then introduce malware that allows them to access and control those devices at any time. In a DDoS attack, hackers will direct the bandwidth of thousands – or, in some cases, millions – of connected devices to overwhelm network infrastructure, effectively making it impossible to fulfill the internet requests of legitimate users.
We consumers are pressing the market to give us more of these low/no security IoT devices
Botnets made up of corrupted IoT devices have been all too successful at these attacks. Last year, the DNS provider Dyn was the target of an IoT botnet attack that affected as many as 10 million IP addresses, taking sites like Amazon, Twitter, and Spotify offline. A follow-up attack by the same botnet managed to interrupt internet access to the entire country of Liberia. But these attacks don’t always target a party unrelated to the devices: just a few weeks ago, Verizon reported that a university faced a botnet attack using thousands of its own IoT devices (and even campus vending machines) to interrupt its network and lock administrators out of systems.
Market demands
It should be said that not every IoT device has poor security. The manufacturers of many higher end and more costly devices do tend to take security into consideration. However, at the lower end of the market, consumers can buy all kinds of always-on gadgets with security weaknesses that hackers love. These vulnerabilities include data that’s sent over inherently insecure services like telnet and FTP that are poor at protecting data from exposure, comically weak default passwords, and even devices with no security at all. And, unfortunately, we consumers are pressing the market to give us more of these low/no security IoT devices.
Site owners will begin pressuring consumers’ internet service providers (ISPs) to curtail malicious IoT device behavior
With an explosion in IoT deployments looming – from around 20 billion devices currently to an estimated tenfold increase by 2020 – manufacturers are operating under clear market incentives to deliver feature-rich and affordable IoT devices as fast as possible. But the market demand for greater device security? Virtually nonexistent.
If we consumers don’t wake up to the perils of an unsecure IoT and give manufacturers a reason to value device security, a world flooded with these devices will be a hacker’s dream, and one where internet outages are common. To avoid that fate, the site owners and entities directly affected by IoT botnet attacks will act to force responsibility on consumers. I predict that, absent a sea change in consumer behavior, site owners will begin pressuring consumers’ internet service providers (ISPs) to curtail malicious IoT device behavior.
ISPs could possibly introduce metered broadband so that consumers are responsible for increased charges when compromised IoT devices eat up bandwidth while playing their role in DDoS attacks. Alternatively, ISPs may issue warnings and subsequently disable traffic to IoT devices that are recognized as participating in attacks. Needless to say, without connectivity, IoT devices quickly become as useful as a door stop.
Unless consumers start changing their purchasing habits, ISPs may be pushed to create an environment where frustrated users’ fill their smart trashcans with worthless disabled devices. Once that starts happening, consumers will demonstrate a newfound appreciation for IoT device security very quickly, the market will shift to meet this demand, and the internet will be a safer place.