The Internet of Things (IoT) and, specifically, the hunt for exploitable IoT devices by attackers, has been a primary area of research for F5 Labs for over a year now—and with good reason. IoT devices are becoming the cyber weapon delivery system of choice by today’s botnet-building attackers. And, why not? There are literally billions of them in the world, most of which are readily accessible (via Telnet) and easily hacked (due to lack of security controls). Why would attackers rent expensive resources in hosting environments to build their botnets when so many devices are free for the taking?
Across all of our research, every indication is that today’s botnets, or “thingbots” (built exclusively from IoT devices) will become the infrastructure for a future Darknet.
Gartner estimates 63% of in-use IoT devices in 2017 are consumer products, the “audience” that’s least capable of doing something about a device’s inherent vulnerabilities. Even with proper instruction, most devices weren’t designed to accept admin credential changes, so a responsible owner of a home-use IoT device couldn’t do the right thing even if they knew how. Nevertheless, this IoT problem needs proper attention, and most certainly will not be solved in the short term. Product fixes and recalls can be extremely costly for IoT manufacturers and developers, and global legislation would require coordinated efforts on a scale the world has never seen. So, now is the time to act on behalf of your business before another Death Star-sized attack is launched. Our recommendations are:
• Have a DDoS strategy in place, whether it’s an on-premises, cloud-based, or hybrid solution.
• Ensure critical services have redundancy. You aren’t always the direct target. Plan ahead for downstream impact if your service provider is attacked.
• Purchase wisely; money talks! Don’t buy, deploy, or sell vulnerable IoT devices. They could become cyber weapons that turn around and attack businesses. Do your homework before you purchase. If you are conducting due diligence with your IoT manufacturers, use the checklist below when questioning their secure development practices.