A Cyber-attack via the Internet of Things (IoT)

Published: October 26, 2016

Cybersecurity, Internet of Things

A recent massive cyber-attack that disrupted a large portion of the U.S. Internet used Internet-connected consumer devices to launch the attack, highlighting vulnerabilities of the Internet of Things (IoT).

Later that day, Wired magazine reported that a persistent distributed denial of service (DDoS) attack that took down a big chunk of the Internet for most of the eastern seaboard of the U.S. was aimed at Dyn, a New Hampshire-based Internet infrastructure company that offers Domain Name System (DNS) services. DNS essentially acts as an address book for the Internet, directing the Web site addresses sent from a Web browser to the proper IP addresses to retrieve the relevant data. A DDoS attack seeks to paralyze a DNS server by overwhelming it with massive numbers of repeated lookup requests, effectively making it incapable of completing any of them. In this case, Dyn’s servers were hit by a torrent of maliciously created requests from tens of millions of IP addresses. The FBI and the Department of Homeland Security are investigating the incident.

In the aftermath, it was learned that DVRs and Internet-connected cameras produced by Hangzhou Xiongmai Technology, a Chinese electronic components manufacturer, were exploited in the attack through the use of malware to create a botnet. (Subsequently, HXT announced a recall of 4.3 million of its products from the U.S. market, citing end-users’ tendency not to change the devices’ default passwords as the primary security problem.)

DDoS attacks via IoT device botnets are not new. Reports of Internet-connected CCTV cameras being used to create botnets for attacks surfaced in the early summer of 2016 and in October 2015.

While the latest DDoS attack was directed at a commercial company, federal agencies – especially the Department of Defense (DoD) – will take note as they continue to deploy consumer-grade, commercially available, sensor-based technologies and look to leverage the data streams these devices afford. Earlier this year, the Air Force issued a request for information (RFI) to investigate how it could leverage IoT-based data for decision-making.

Managing the risk of IoT is a major issue, and commercial off-the-shelf (COTS) cameras and the like are not the only items of concern among federal authorities, especially at the Pentagon. The Joint Staff recently warned against using equipment made by the Chinese computer manufacturer Lenovo amid concerns about cyber spying against DoD networks.

As IoT becomes more embedded into real-time operations – from building management and logistics to battlefield mission execution – the stakes of maintaining security and the continuity of operations become even more critical. Given both the opportunities and the risks, IoT has received attention from policy makers and industry experts alike. Last year, the U.S. Senate passed a bipartisan resolution calling for a national strategy on IoT. Throughout 2016, the Internet Policy Task Force at the Department of Commerce’s National Telecommunications and Information Administration has been looking at the benefits, challenges, and potential roles for the government in fostering the advancement of IoT. Recently, the Information Technology and Innovation Foundation released a report that highlighted key challenges to federal adoption of IoT.

The latest Dyn DDoS attack also brought a response from lawmakers. Senator Mark Warner of Virginia issued a series of questions to the Federal Communications Commission on how to prevent such attacks, the implications of which stretch far beyond federal networks.

As the challenges of IoT continue, federal agencies will need to adjust to these realities both to leverage IoT effectively and to limit their risk exposure. At present, there seems to be a dichotomy between the push to employ IoT-enabled devices to increase effectiveness and save money and the general risk-averse culture that is common in the federal space. This dichotomy may only be exacerbated by the pace of technological innovation unless the inherent security of devices and networks is improved as well.