
2017 Prediction: Criminals harness IoT devices as botnets to attack infrastructure


For the second year in a row, leveraging the intelligence and insights gained by working on the front lines of the biggest and most complex cyber challenges, Stroz Friedberg, an Aon company, has launched its 2017 Cybersecurity Predictions. The report highlights the cyber trends and threats that will most strongly impact companies and individuals in the coming year. We’ll be introducing these predictions to our readers in a series of blog posts that we hope can serve as a launching pad to assess your vulnerabilities, and inspire action to mitigate cyber threats and chart a course forward. Given the popularity of gifting smart gadgets this holiday season, we’re kicking off this series with our prediction about Internet of Things (IoT) device security.

In 2017 we will see IoT devices compromised, harnessed as botnets, and used as launching points for malware propagation, SPAM, DDoS attacks, and anonymizing malicious activities.

As we predicted last year, 2016 was the year criminal activity exposed the vulnerability of IoT devices. The massive 2016 Distributed Denial of Service (DDoS) attack on internet infrastructure provider Dyn, launched by criminals who had infected an army of unsecured IoT devices (including internet-connected DVRs, webcams, and cameras) with malware, disrupted access to major consumer websites including Twitter, Spotify, Amazon, and Netflix. The assault on Dyn[1] came shortly after the largest DDoS attack on record, launched from an IoT-enabled botnet of hacked devices, attempted to knock the security blog KrebsOnSecurity.com offline[2].

This trend will intensify in 2017. Gartner predicts there will be nearly 26 billion internet-connected devices by 2020[3], and the smart home market alone is expected to reach $121.73 billion by 2022[4]. Verizon reported that IoT revenues were $217 million in Q3 of 2016, up 24 percent from the comparable period last year. With such a huge market opportunity and no baseline security regulations or standards in place for manufacturers, the number of everyday objects that present serious security risks will increase materially in 2017. At the same time, the number of DDoS attacks will grow; we have already witnessed rapid growth in 2016, with DDoS attacks increasing 71 percent in Q3 2016[5].

Beyond DDoS attacks, this year we will also see a rise in ransomware attacks against the IoT, aimed at extorting more money and disrupting both business and consumer activity through connected devices. In 2017, more U.S. employees will show up to work only to find their access to data blocked; patient files will be sealed pending payment, as in the 2016 Hollywood Presbyterian Medical Center attack[6]; and we predict that an internet-connected hospital technology, such as an HVAC system, will likely be held hostage for a bitcoin payment. At the consumer level, a Nest system may demand part of a bitcoin before the homeowner can control the heat again, and hobbyist drones will be found to be susceptible to remote-control takeover, or used to conduct reconnaissance for a physical break-in.

Despite calls from the security community for government regulation and established security standards to address the unprecedented risks posed by IoT devices, nothing significant has been issued. To the chagrin of security practitioners and the delight of manufacturers, consumers have yet to realize that their seemingly innocuous devices could be a national security risk. There continues to be little financial incentive for conducting standard security assessments or integrating firewalls into IoT devices, and manufacturers focused on getting products to market efficiently and profitably won't proactively drive improvements to security standards, or take the lead in integrating security into design. Many prominent consumer technology associations view consumer-led best practices, rather than government intervention, as the way forward.

BOTTOM LINE:

While the conversation around IoT devices has shifted from functionality to security, words have yet to be translated into actions. As long as this rapidly growing body of devices remains unsecured, expect to see criminals exploiting them as a platform from which to launch major attacks, often directed at third parties. The fact that the IoT can be weaponized to attack third parties like Dyn and Krebs will lead to increased pressure for more responsible care over digital assets. As consumers wise up to these risks, their buying power could be a powerful voice in forcing manufacturers and governments to take the threat seriously.

To see how our 2016 predictions measured up and read the full 2017 Cybersecurity Predictions report, CLICK HERE.

[1] Dyn.com, "Dyn Statement on 10/21/2016 DDoS Attack," October 22, 2016. http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

[2] KrebsOnSecurity.com, "KrebsOnSecurity Hit With Record DDoS," September 2016. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

[3] Gartner, “Forecast: The Internet of Things, Worldwide, 2013,” December 12, 2013. https://www.gartner.com/doc/2625419/forecast-internet-things-worldwide-

[4] Markets and Markets, “Smart Home Market by Product Report,” May 2016. http://www.marketsandmarkets.com/Market-Reports/smart-homes-and-assisted-living-advanced-technologie-and-global-market-121.html?gclid=CNrckM6Gq9ACFUgbaQodA-8gEVQ-

[5] Akamai Technologies, "Third Quarter 2016 State of the Internet / Security Report." https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf

[6] LA Times, "Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating," February 16, 2016. http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
