Popular chat service Discord experienced issues today due to network problems at Cloudflare and a wider internet issue. The app was inaccessible for its millions of users, and even Discord’s website and status pages were struggling. Discord’s problems could be traced to an outage at Cloudflare, a content delivery network. Cloudflare started experiencing issues at 7:43AM ET, and this caused Discord, Feedly, Crunchyroll, and many other sites that rely on its services to have partial outages.
Cloudflare says it’s working on a “possible route leak” affecting some of its network, but services like Discord have been inaccessible for nearly 45 minutes now. “Discord is affected by the general internet outage,” says a Discord statement on the company’s status site. “Hang tight. Pet your cats.”
“This leak is impacting many internet services including Cloudflare,” says a Cloudflare spokesperson. “We are continuing to work with the network provider that created this route leak to remove it.” Cloudflare doesn’t name the network involved, but Verizon is also experiencing widespread issues across the East Coast of the US this morning. Cloudflare notes that “the network responsible for the route leak has now fixed the issue,” so services should start to return to normal shortly.
Cloudfare explained the outage in an additional statement, commenting that “Earlier today, a widespread BGP routing leak affected a number of Internet services and a portion of traffic to Cloudflare. All of Cloudflare’s systems continued to run normally, but traffic wasn’t getting to us for a portion of our domains. At this point, the network outage has been fixed and traffic levels are returning to normal.”
Update June 18, 2019 3:20pm CT: Ubisoft has resolved issues stemming from today’s DDoS attack and all services have been restored.
Ubisoft says it’s suffering from a series of distributed denial-of-service (DDoS) attacks. They hit right as Rainbow Six Siege’s Operation Phantom Sight is getting underway and are currently affecting server connectivity and latency.
In a DDoS attack, a web service or website is flooded with an overwhelming amount of traffic making it unstable and unusable. While it’s not clear who’s responsible for the attack, Ubisoft says it’s working to remedy the issues, according to its support page. Ubisoft put out a similar statement when it was hit by a large DDoS attack just under a year ago.
Fans should be aware that Ubisoft services are likely to be impacted until the issue is resolved. Last time a large scale DDoS attack hit Ubisoft it took about 10 hours for the company to be able to remedy the situation.
With the new operators of Operation Phantom Sight just being rolled out for all to play, it’s a bummer that some may not get to try them out until the issue is resolved.
Telegram founder Pavel Durov has suggested that the Chinese government may have been behind a recent DDoS attack on the encrypted messaging service. Writing on Twitter, the founder called it a “state actor-sized DDoS” which came mainly from IP addresses located in China. Durov noted that the attack coincided with the ongoing protests in Hong Kong, where people are using encrypted messaging apps like Telegram to avoid detection while coordinating their protests.
The attack raises questions about whether the Chinese government is attempting to disrupt the encrypted messaging service and limit its effectiveness as an organizing tool for the hundreds of thousands of demonstrators taking part in the protests. Bloomberg reports that encrypted messaging apps like Telegram and FireChat are currently trending in Apple’s Hong Kong App Store, as demonstrators attempt to conceal their identities from Hong Kong’s Beijing-backed government.
As well as using encrypted messaging apps, Bloomberg notes that protesters in Hong Kong are also covering their faces to avoid facial recognition systems. They’re also avoiding the use of public transit cards that can link location to identities.
Telegram’s Twitter account said that the service had been hit with “gadzillions of garbage requests,” mostly from IP addresses originating in China, as part of the DDoS attack which had stopped the service from being able to process legitimate requests from users. It said that these garbage requests tend to be generated by botnets, networks of computers infected with malware. “This case was not an exception,” Durov tweeted without elaborating.
Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive.
When Airbnb, Netflix, GitHub, Twitter, CNN, Spotify, Reddit, and many other websites became fully or partially unavailable in October 2016, millions of users found it a mild nuisance. But for DNS provider Dyn, which was on the receiving end of massive DDoS attacks fuelled by a gigantic botnet, it caused mayhem.
This DDoS attack made it clear that cybercriminals are making bold moves that can potentially bring down the internet.
Fast forward to 2020: the impending deployment of 5G gives attackers more firepower than ever by creating easily exploitable targets they can enlist into botnets that overpower traditional DDoS defenses.
Along with experts’ warnings, available data highlights this trend. The ENISA Threat Landscape Report 2018 confirms that DDoS attacks are continuously evolving:
Close to 45% of DDoS attacks lasted for over 90 minutes while 4.62% of them persisted for 20+ hours
The average DDoS attack went on for 318.10 minutes, while the longest one continued for a stupefying six days, five hours, and 22 minutes
The first terabit DDoS was recorded in 2018 against GitHub (1.35Tbps), shortly followed by another one targeting Arbor Networks (1.7Tbs).
DDoS attacks have been around for 20 years, but the current tech environment is fuelling a renewed interest for them, with 5G set to play a fundamental role.
Factors that favour massive DDoS attacks in the 5G era
Security specialists cannot afford to overlook the appeal that 5G has to cybercriminals looking to make a hefty payday. Here are the factors that makes it easy for them to launch destructive DDoS attacks that put businesses at risk of complete shutdown.
1. Innovation outpaces the ability to secure it
The gap between adopting new tech and properly securing it is becoming steeper, and issue that regains prominence as 5G and AI has become a business reality.
Cybersecurity has moved from cost to necessity, but most decision makers haven’t made it a board-level priority, and attackers are fully aware of that.
2. DDoS for hire is cheaper than ever before
The cybercrime economy makes services like DDoS for hire prevalent and easily accessible. A 24-hour DDoS attack against a single target can cost as little as US$ 400. Access to cheap bots is significantly damaging to internet service providers (ISPs), as the average cost of such an attack rose to US$ 2.5 million in 2017.
3. 5G brings hyperconnectivity and expands the attack surface
While 5G has tremendous potential for growth and innovation, it comes with a huge caveat. Connecting more devices faster inevitably leads to an influx of malicious traffic. Attackers will exploit poorly secured devices and use the millions of leaked (and reused) credentials to build botnets that make Mirai look like a proof-of-concept.
The biggest risk is that large-scale DDoS attacks take down financial institutions and critical infrastructure. Thus, DDoS mitigation that can cope with attacks in the range of terabits becomes a crucial necessity.
4. Insufficient resources to tackle imminent dangers
CISOs already struggle to get resources to handle current threats while business leaders push for 5G adoption. Meanwhile, cybercriminals will take the opportunity to exploit higher capacity bandwidth that 5G provides to launch attacks on an unprecedented scale.
The companies must accept the responsibility for DDoS mitigation with consolidated security. Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive. Business and security leaders must make a conscious decision to prioritize anti-DDoS measures.
By adopting custom-built solutions designed specifically to detect and defeat DDoS attacks, businesses can keep operations running smoothly. Moving focus from on-premise hardware firewalls to choosing a globally distributed network of scrubbing centers with unrivaled mitigation capacity may be a winning card in the Anti-DDoS battle.
Network operators must scrupulously monitor anomalous activity, access, and traffic patterns to curb large DDoS attacks.
CSPs must consider high-volume DDoS mitigation services and combine them with deep packet inspection (DPI) that doesn’t impact legitimate traffic or streaming quality.
It’s important to keep in mind that, once 5G is deployed, companies and individual users alike expect flawless connectivity and network performance, along with uncompromised security and privacy. In the coming years, balancing service quality with security is what will set visionary CSPs apart from the rest.
Lawmakers tackle safety and security issues, while an Internet Society survey said a majority of people find the devices ‘creepy.’
The safety and security of internet of things (IoT) devices remains a vexing issue for lawmakers, while a survey from the Internet Society shows there is still some way to go before reaching widespread public acceptance of IoT connectivity.
The survey, conducted in six countries by polling firm IPSOS Mori, found that 65% of those surveyed are concerned with how connected devices collect data, while 55% do not trust those devices to protect their privacy. Meanwhile, 63% of those surveyed said they find IoT devices, which are projected to number in the tens of billions worldwide, to be “creepy.”
Those concerns were at the forefront of a hearing last week on IoT security by the U.S. Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security, where lawmakers and witnesses debated how to make the devices safer and more transparent for consumers, and what the role of the federal government should be in legislating that. It’s a dilemma for policymakers and industry leaders who must wrestle with these questions.
“We can’t put the genie back in the bottle,” Internet Society president and CEO Andrew Sullivan told Smart Cities Dive. “We have invented this technology, so we’re going to have to figure out how to cope with it now. We have to figure out how are we going to make this technology something that better serves the people, the consumers who are buying it.”
Risks and concerns
Consumers are turning to internet-connected devices, and while they present enormous opportunities for convenience, they are not without risks.
In prepared testimony before the subcommittee, Robert Mayer, senior vice president for cybersecurity at the United States Telecom Association (USTelecom) said there is “ample evidence of IoT security vulnerabilities,” with incidents like cameras being used for spying, personal information being stolen and hackers taking control of devices like smart thermostats.
“Concerns of this kind can have a massive influence on public perception of technologies, and if not addressed in meaningful ways, trust in the digital ecosystem will erode, causing unpredictable levels of disruption and economic harm,” Mayer’s testimony reads.
There have already been several major hacks of IoT devices, including the Mirai DDoS botnet attack in October 2016 that rocked technology company Dyn and resulted in the dramatic slowing or bringing down of the internet across the East Coast and elsewhere in the world.
In written testimony, Mike Bergman, vice president of technology and standards at the Consumer Technology Association (CTA), warned of the international nature of the attack; 89.1% of the attack traffic originated from devices installed outside the United States, he said.
Security headlines continue to focus on high-profile breaches of Fortune-ranked enterprises. But there is a second story being ignored. Cybercrime syndicates are also targeting, attacking and breaching small, medium and even micro organizations in greater and greater numbers. Multiple industry studies support this claim, including ones from Cisco and Ponemon.
Why exactly are these organizations being targeted, what are the attacks to defend against and how can these organizations start to defend themselves?
Fast Money With Lower Entry Barriers
Midsize organizations are relatively easy targets. Like enterprises, they are rapidly evolving. They have adopted the cloud and development and operations teams, and they have digitized all their valuable assets. But compared to enterprises, midsize organizations have smaller cybersecurity teams, lower organizational security awareness and fewer critical systems to infect —making them easier to breach and ransom. While cybercriminals still see larger enterprises as higher-value targets, midsize organizations have transformed themselves into low-hanging fruit that cybercrime syndicates are happy to snag. Midsize organizations keep the cash flow for cybercrime syndicates going while they try to earn high payoffs with large enterprise compromise.
Supply Chains Are Vulnerable
Midsize organizations also offer easy entry points into the larger enterprises they service. In many high-profile, large-scale breaches — including the breaches of Target, OPM, Best Buy, Sears and UMG — cybercriminals first compromised their smaller third-party providers and used them to open backdoors into the real target. Large enterprises are taking notice and have begun to demand a high level of cybersecurity maturity from their third-party service providers.
The Evolution Of New Low-Cost Attacks
Attack technologies have evolved. In the past, cyberattacks were relatively resource-intensive, so criminals had to focus their limited resources on large, high-value organizations. However, cybercriminals can now use automated, scalable, on-demand attack infrastructures to quickly launch many sophisticated attacks against a high volume of targets. And smaller organizations are getting caught in this new spray-and-pray approach.
This will only get worse. Every year, cybercriminals will find it easier to launch attacks against many mid-size organizations, use their initial victims and deepen their compromise. And this problem is poised to explode due to artificial intelligence (AI). Cybercrime syndicates have already begun to experiment with AI-driven attack tools. These AI-driven hacking tools will continue to increase the speed and sophistication of cyber threats and only widen the asymmetry between attackers and defenders.
Compromised Machines: Artillery For Future Attacks
Cybercrime syndicates are harvesting small-to-midsize business (SMB) endpoints, converting them into weapons and using them to deploy larger attacks. Most endpoints — including PCs, laptops and mobile devices — are underutilized. Cybercriminals have learned how to compromise these endpoints, run backdoors on them to execute attacks and effectively create a large-scale distributed computing infrastructure to launch their campaigns. They are using thousands of compromised systems to launch smothering DDOS attacks on larger enterprises. They are compromising the email accounts of midsize organizations to bypass spam filters and produce short, effective bursts of phishing emails.
How Can Midsize Organizations Stay Safe?
Cybercrime syndicates will continue to innovate their techniques and scale their attack infrastructure. In fact, with the evolution of AI-driven attacks tools, compromising systems might be a simple voice command away for the attacker. Mid-market businesses will need to focus on the most-used threats because of their limited resources. Luckily, the 80-20 rule applies here, where the large majority of security problems stem from the following handful of threats.
Most mid-size organizations have not implemented mature controls and robust user education programs to prevent phishing attacks, making them high-converting targets for phishing attacks. To get up to speed, midsize organizations need to focus on end-user awareness, strong email gateway security, two-factor authentication (2FA) for authentication and monitoring controls.
Malware attacks are more successful against midsize organizations, as they have smaller and simpler networks, and it takes attackers less time to reach organization crown jewels. In fact, according to a report from Verizon, 58% of malware victims are small organizations. As such, midsize organizations need to focus on detecting malware with good endpoint security, detecting lateral movement of attackers with analytics and rapidly containing successful breaches.
Cloud Console And Storage Attacks
As midsize organizations rush to get their cloud-based infrastructure into production, they often fail to realize that on-premise security mindset does not work in the cloud. Take, for example, storage security in the cloud. Small, inadvertent changes in the cloud can produce global high-impact data loss. Many organizations have suffered data exposure, due to Amazon Web Services S3 buckets being configured for public access.
Cybercrime syndicates are actively taking control of organizations by compromising their cloud consoles to steal data and demand ransom. These attacks are not new. Way back in 2014, Code Spaces completely shut downdue to console takeover. But today, automation is making these attacks faster and more common.
To protect against them, midsize organizations should tighten console access with 2FA, establish tighter role permissions and monitor different cloud components stringently. Simply put, a combination of weak console and storage permissions can prove fatal for any midsize organization.
Web Application Attacks
Web applications have been a weak link traditionally. With the current innovation wave incorporating microservices, containers and federated access — it has become more complex to secure.
Right now, the top web application attacks include SQL injection, cross-site scripting and parameter manipulation. This means mid-size organizations need to focus on building robust web application firewall (WAF) protection, continuously monitor all attack events on their web applications and, of course, ensure secure coding as part of their development, security and operations program.
Of course, it is not an asymmetric game in favor of cybercriminals. Artificial intelligence is part of many cybersecurity tools today, making it easier to detect and respond to these emerging scenarios.
On the 20th anniversary of the first distributed denial of service attack, cybersecurity experts say the internet must be redesigned to prevent them.
July 22, 1999, is an ominous date in the history of computing. On that day, a computer at the University of Minnesota suddenly came under attack from a network of 114 other computers infected with a malicious script called Trin00.
This code caused the infected computers to send superfluous data packets to the university, overwhelming its computer and preventing it handling legitimate requests. In this way, the attack knocked out the university computer for two days.
This was the world’s first distributed denial of service (DDoS) attack. But it didn’t take long for the tactic to spread. In the months that followed, numerous other websites became victims, including Yahoo, Amazon, and CNN. Each was flooded with data packets that prevented it from accepting legitimate traffic. And in each case, the malicious data packets came from a network of infected computers.
Since then, DDoS attacks have become common. Malicious actors also make a lucrative trade in extorting protection money from websites they threaten to attack. They even sell their services on the dark web. A 24-hour DDoS attack against a single target can cost as little as $400.
But the cost to the victim can be huge in terms of lost revenue or damaged reputation. That in turn has created a market for cyberdefense that protects against these kinds of attacks. In 2018, this market was worth a staggering €2 billion. All this raises the important question of whether more can be done to defend against DDoS attacks.
Today, 20 years after the first attack, Eric Osterweil from George Mason University in Virginia and colleagues explore the nature of DDoS attacks, how they have evolved, and whether there are foundational problems with network architecture that need to be addressed to make it safer. The answers, they say, are far from straightforward: “The landscape of cheap, compromisable, bots has only become more fertile to miscreants, and more damaging to Internet service operators.”
First some background. DDoS attacks usually unfold in stages. In the first stage, a malicious intruder infects a computer with software designed to spread across a network. This first computer is known as the “master,” because it can control any subsequent computers that become infected. The other infected computers carry out the actual attack and are known as “daemons.”
Common victims at this first stage are university or college computer networks, because they are connected to a wide range of other devices.
A DDoS attack begins when the master computer sends a command to the daemons that includes the address of the target. The daemons then start sending large numbers of data packets to this address. The goal is to overwhelm the target with traffic for the duration of the attack. The largest attacks today send malicious data packets at a rate of terabits per second.
The attackers often go to considerable lengths to hide their location and identity. For example, the daemons often use a technique called IP address spoofing to hide their address on the internet. Master computers can also be difficult to trace because they need only send a single command to trigger an attack. And an attacker can choose to use daemons only in countries that are difficult to access, even though they themselves may be located elsewhere.
Defending against these kinds of attacks is hard because it requires concerted actions by a range of operators. The first line of defense is to prevent the creation of the daemon network in the first place. This requires system administrators to regularly update and patch the software they use and to encourage good hygiene among users of their network—for example, regularly changing passwords, using personal firewalls, and so on.
Internet service providers can also provide some defense. Their role is in forwarding data packets from one part of a network to another, depending on the address in each data packet’s header. This is often done with little or no consideration for where the data packet came from.
But that could change. The header contains not only the target address but also the source address. So in theory, it is possible for an ISP to examine the source address and block packets that contain obviously spoofed sources.
However, this is computationally expensive and time consuming. And since the ISPs are not necessarily the targets in a DDoS attack, they have limited incentive to employ expensive mitigation procedures.
Finally, the target itself can take steps to mitigate the effects of an attack. One obvious step is to filter out the bad data packets as they arrive. That works if they are easy to spot and if the computational resources are in place to cope with the volume of malicious traffic.
But these resources are expensive and must be continually updated with the latest threats. They sit unused most of the time, springing into action only when an attack occurs. And even then, they may not cope with the biggest attacks. So this kind of mitigation is rare.
Another option is to outsource the problem to a cloud-based service that is better equipped to handle such threats. This centralizes the problems of DDoS mitigation in “scrubbing centers,” and many cope well. But even these can have trouble dealing with the largest attacks.
All that raises the question of whether more can be done. “How can our network infrastructure be enhanced to address the principles that enable the DDoS problem?” ask Osterweil and co. And they say the 20th anniversary of the first attack should offer a good opportunity to study the problem in more detail. “We believe that what is needed are investigations into what fundamentals enable and exacerbate DDoS,” they say.
One important observation about DDoS attacks is that the attack and the defense are asymmetric. A DDoS attack is typically launched from many daemons all over the world, and yet the defense takes place largely at a single location—the node that is under attack.
An important question is whether networks could or should be modified to include a kind of distributed defense against these attacks. For example, one way forward might be to make it easier for ISPs to filter out spoofed data packets.
Another idea is to make data packets traceable as they travel across the internet. Each ISP could mark a sample of data packets—perhaps one in 20,000—as they are routed so that their journey could later be reconstructed. That would allow the victim and law enforcement agencies to track the source of an attack, even after it has ended.
These and other ideas have the potential to make the internet a safer place. But they require agreement and willingness to act. Osterweil and co think the time is ripe for action: “This is a call to action: the research community is our best hope and best qualified to take up this call.”
Ref: arxiv.org/abs/1904.02739 : 20 Years of DDoS: A Call to Action
Five days ago, Ecuador revoked Julian Assange’s 7-year long asylum and turned him over to the UK authorities, which promptly arrested the Wikileaks chief.
Since then, Ecuador claims to be under siege from Assange supporters and “groups linked” to him.
Patricio Real, Ecuador’s deputy minister for information and communication technology, said in a statement that the webpages for his country’s public institutions experienced 40 million cyber-attacks.
Among the hardest hit were pages for the central bank, the foreign ministry and the president’s office.
“During the afternoon of April 11 we jumped from 51st place to 31st place worldwide in terms of the volume of cyber attacks,” he said.
The deputy minister said that the attacks “principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom,” but that countries from South America also show up on the list.
No major hacking groups were named in Ecuador’s statement, though famed Anonymous apparently made a threat.
Real also didn’t specify what type of attacks Ecuador’s website experience. He mentioned that no hacker managed to steal government data but that the attacks prevented some employees and citizens from accessing their accounts.
As Real called the attacks “volumetric,” he most likely referred to a type of DDoS attack in which hackers send a lot of traffic to a website hoping to overwhelm it.
While this is a serious threat to a network, the attack itself can be perpetrated even by those without a lot of technical knowledge.
Ecuador will receive cybersecurity support from Israel to handle the incidents. It has also made motions to arrest a suspect, Swedish citizen close to Assange.
Right now, Julian Assange is in the UK authorities’ hands and waiting to see if he will be extradited to the US to face conspiracy charges.
He was also stripped of his Ecuador citizenship, which was granted in 2017 under a different Ecuadorian regime.
VANCOUVER, British Columbia, March 19, 2019 /PRNewswire/ — DOSarrest Internet Security announced today that they have released a new service offering called DOSarrest Traffic Analyzer (DTA). This new service allows subscribers to send their Netflow, Sflow or Jflow network data from their routers and switches to DOSarrest’s Big Data cluster, then login to their portal and graphically see what types and volumes of traffic are flowing in and out of their networks in almost real-time. Using this traffic intelligence, network operators can pinpoint the cause of any congestion, create their own ACLs to white-list or black-list any malicious networks. It gives engineers the intelligence they need to understand how their network is being used and for what purpose.
Some of the real-time graphical and historical information available in the dashboard is
Top 10 Source Countries Top 10 Source Networks Top 10 Source ASNs Top 10 Source Netblocks Top 10 Destination IPs Top 10 Destination IPs Top 10 Protocols and Ports
DOSarrest CTO, Jag Bains states, “I have been running Internet backbones for over 20 years and having something that is this cost effective has always been a problem, most solutions require expensive hardware and licensing or extensive software development. Setup is easy with DTA, just add 1 line to the router config and you’re done.”
This new service can also be combined with DOSarrest’s existing DDoS protection for network infrastructure service, where customers, using the same dashboard can automatically stop any DDoS attack on a customer’s data center or corporate network.
CEO Mark Teolis adds, “This service is really in its infancy, we are already working on version 2 and we plan on releasing a new version every 90 days thereafter. Once the network flow information is in the big data platform, there’s so much that can be done to extract network intelligence, it’s almost impossible to predict today what and how it can help network operators going forward. We are starting to test with some machine learning models to see what it can do.”
When someone in your organization starts using internet-connected devices without IT’s knowledge, that’s shadow IoT. Here’s what you need to know about its growing risk.
Shadow IoT definition
Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge. The best example is from before the days of bring your own device (BYOD) policies when employees used personal smartphones or other mobile devices for work purposes. “Shadow IoT is an extension of shadow IT, but on a whole new scale,” says Mike Raggo, CSO at 802 Secure. “It stems not only from the growing number of devices per employee but also the types of devices, functionalities and purposes.”
Employees have been connecting personal tablets and mobile devices to the company network for years. Today, employees are increasingly using smart speakers, wireless thumb drives and other IoT devices at work as well. Some departments install smart TVs in conference rooms or are using IoT-enabled appliances in office kitchens, such as smart microwaves and coffee machines.
In addition, building facilities are often upgraded with industrial IoT (IIoT) sensors, such as heating ventilation and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats. Increasingly, drink machines located on company premises connect via Wi-Fi to the internet to accept, say, Apple Pay payments. When these sensors connect to an organization’s network without IT’s knowledge, they become shadow IoT.
How prevalent is shadow IoT?
Gartner predicts that 20.4 billion IoT devices will be in use globally by 2020, up from 8.4 billion in 2017. Shadow IoT has become widely prevalent as a result. In 2017, 100 percent of organizations surveyed reported ‘rogue’ consumer IoT devices on the enterprise network, and 90 percent reported discovering previously undetected IoT or IIoT wireless networks separate from the enterprise infrastructure, according to a 2018 report from 802 Secure.
One-third of companies in the U.S., U.K. and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a 2018 Infloblox report on shadow devices. Infoblox’s research found that the most common IoT devices on enterprise networks are:
Fitness trackers such as Fitbits, 49 percent;
Digital assistants such as Amazon Alexa and Google Home, 47 percent
Smart TVs, 46 percent
Smart kitchen devices such as connected microwaves, 33 percent
Gaming consoles such as Xboxes or PlayStations, 30 percent.
What are shadow IoT’s risks?
IoT devices are often built without inherent, enterprise-grade security controls, are frequently set up using default IDs and passwords that criminals can easily find via internet searches, and are sometimes added to an organization’s main Wi-Fi networks without IT’s knowledge. Consequently, the IoT sensors aren’t always visible on an organization’s network. IT can’t control or secure devices they can’t see, making smart connected devices an easy target for hackers and cybercriminals. The result: IoT attacks grew by 600 percent in 2018 compared to 2017, according to Symantec.
Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices such as Shodan, Inflobox’s report points out. “Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP and SNMP services. As identifying devices is the first step in accessing devices, this provides even lower-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.”
Why aren’t most shadow IoT devices secure?
When PCs were first released decades ago, their operating systems weren’t built with inherent security, Raggo observes. As a result, securing PCs against viruses and malware remains an ongoing struggle.
In contrast, the iOS and Android mobile operating systems were designed with integrated security, such as app sandboxing. While mobile devices aren’t bullet-proof, they’re typically more secure than desktops and laptops.
With today’s IoT and IIoT devices, “It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems,” Raggo says. “There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market.”
Because IoT devices tend to be focused on just one or two tasks, they often lack security features beyond basic protocols such as WPA2 Wi-Fi, which has its vulnerabilities. The result: Billions of unsecured IoT devices are in use globally on enterprise networks without IT’s knowledge or involvement.
“I bought 10 or 15 IoT devices a few years ago to check out their security,” says Chester Wisniewski, principal research scientist at Sophos. “It was shocking how fast I could find their vulnerabilities, which means anyone could hack them. Some devices had no process for me to report vulnerabilities.”
Have criminal hackers successfully targeted shadow IoT devices?
Yes. Probably the most famous example to date is the 2016 Mirai botnet attack, in which unsecured IoT devices such as Internet Protocol (IP) cameras and home network routers were hacked to build a massive botnet army. The army executed hugely disruptive distributed denial of service (DDoS) attacks, such as one that left much of the U.S. east coast internet inaccessible. The Mirai source code was also shared on the internet, for criminal hackers to use as building blocks for future botnet armies.
Other exploits are available that enable cybercriminals to take control of IoT devices, according to the Infoblox report. “In 2017, for example, WikiLeaks published the details of a CIA tool, dubbed Weeping Angel, that explains how an agent can turn a Samsung smart TV into a live microphone. Consumer Reports also found flaws in popular smart TVs that could be used to steal data as well as to manipulate the televisions to play offensive videos and install unwanted apps.”
Along with amassing botnet armies and conducting DDoS attacks, cybercriminals can also exploit unsecured IoT devices for data exfiltration and ransomware attacks, according to Infoblox.
In one of the oddest IoT attacks thus far, criminals hacked into a smart thermometer inside a fish tank in a casino lobby to access its network. Once in the network, the attackers were able to steal the casino’s high-roller database.
The future potential of IoT-enabled cyberattacks is enough to give CSOs and other IT security professionals concern. “Consider the damage to vital equipment that could occur if someone connected into an unsecured Wi-Fi thermostat and changed the data center temperature to 95 degrees,” Raggo says. In 2012, for instance, cybercriminals hacked into the thermostats at a state government facility and a manufacturing plant and changed the temperatures inside the buildings. The thermostats were discovered via Shodan, a search engine devoted to internet-connected devices.
To date, the impact of IoT device exploits hasn’t been hugely negative for any particular enterprise, says Wisniewski, in terms of exploiting sensitive or private data. “But when a hacker figures out how to make a big profit compromising IoT devices, like using a brand of smart TVs for conference room spying, that’s when the shadow IoT security risk problem will get everyone’s attention.”
3 ways to mitigate shadow IoT security risks?
Make it easy for users to officially add IoT devices. “The reason you have shadow IT and shadow IoT is often because the IT department is known for saying ‘no’ to requests to use devices like smart TVs,” says Wisniewski. Instead of outright banning IoT devices, fast-tracking their approval whenever possible and feasible—within, say, 30 minutes after the request is made—can help reduce the presence of shadow IoT.
“Publish and circulate your approval process,” Wisniewski adds. “Get users to fill out a brief form and let them know how quickly someone will get back to them. Make the process as flexible and as easy for the requester as possible, so they don’t try to hide something they want to use.”
Proactively look for shadow IoT devices. “Organizations need to look beyond their own network to discover shadow IoT, because much of it doesn’t live on the corporate network,” Raggo says. “More than 80 percent of IoT is wireless-enabled. Therefore, wireless monitoring for shadow IoT devices and networks can allow visibility and asset management of these other devices and networks.”
Traditional security products list devices by a media access control (MAC) address or a vendor’s organizationally unique identifier (OUI), yet they are largely unhelpful in an environment with a plethora of different types of devices, Raggo adds. “IT really wants to know ‘what is that device?’ so they can determine if it’s a rogue or permitted device. In today’s world of deep-packet inspection and machine learning, mature security products should provide human-friendly categorizations of discovered assets to ease the process of asset management and security.”
Isolate IoT. Ideally, new IoT and IIoT devices should connect to the internet via a separate Wi-Fi network dedicated to such devices that IT controls, says Wisniewski. The network should be configured to enable IoT devices to transmit information and to block them from receiving incoming calls. “With the majority of IoT devices, nothing legitimate is ever transmitted to them,” he says.
Anything shadowy is a problem
“Shadow anything is a problem, whether it’s an IoT device or any other addressable, unmanaged item,” says Wisniewski. “The key is controlling access to the network from only authorized devices, keeping an accurate inventory of authorized devices, and having clear policies in place to ensure employees know they aren’t allowed to ‘bring their own’ devices and that HR sanctions will be enforced if they do.”