How vulnerable is the IoT to DDoS attacks?

How vulnerable is the IoT to DDoS attacks? [Image: chombosan via iStock]

A series of Distributed Denial of Service (DDoS) attacks have recently affected a huge number of connected devices, in what some are saying is the biggest Internet of Things (IoT) hack yet.

The incident resulted in widespread internet downtime across the US, the result of an assault on domain name system (DNS) provider Dyn. It meant that information requests on the internet could not be fulfilled, leading to problems accessing popular websites and services, including Reddit and Spotify.

Kyle York, chief strategy officer at Dyn, said that the DDoS attack on his company was sent through “tens of millions” of IoT connected devices.

Mr York told Sky News: "It is a very smart attack. As we start to mitigate they react and start to throw something that's over the top."

The company has said that the incident has been resolved, but it has raised questions by security experts about the future of the IoT.

Dyn believes that the attack involved devices such as closed circuit security cameras and thermostats, which had been infected with malware.

Experts including tech journalist Kate Bevan and Richard Clarke, former senior cyber policy advisor to US presidents Bill Clinton and George W Bush, have said part of the problem is that many of these connected devices have default passwords that users do not know and cannot change.

Mr Clarke has explained that once the password is guessed – or the malware has entered the device through an automatic update – the devices can be accessed by hackers and turned into bots.

This is precisely what happened during the recent IoT attack. These devices turned into bots and sent pings online to look up site Dyn. This meant that when internet users tried to search for a site, they couldn’t reach them, despite being unaffected themselves.

Now analysts and technical experts are questioning whether the IoT is going to cause problems when connected devices become more widely adopted.

According to CBROnline.com, ransomware, phishing, IoT botnets, DDoS and spyware are the biggest risks of IoT adoption. These issues could all lead to problems accessing websites or other issues, such as data being stolen.

Gizmodo.com have said that the recent attack could be the beginning of a “very bleak future”. The site questioned: “If hackers are able to take down the internet at will, what happens next?”

It warned that “if it becomes easier than ever to launch huge DDoS attacks, that means we might be seeing some of our favourite sites have more downtime than usual”.

Other analysts have said that there are enough protocols in place to avoid this kind of attack becoming a regular phenomenon within the IoT. Chief technology officer at Momentum Worldwide Jason Snyder said that it just takes time to work out where the attack is coming from and then shut it down.

He added that IoT device software can be updated when it next happens.

It remains to be seen whether those who fear for the security of the IoT are right to be so worried.