Security news site and blog KrebsonSecurity, was hit by the world’s largest denial of service (DDOS) attack last week, with more than 620 gigabits per second hammering its servers into submission. While astounding in its own right, what’s of more concern is the source: not infected PCs, but internet of things (IOT) devices like cameras and routers.
But the attackers didn’t stop there. Whoever was behind the DDOS was only just getting started. Since then we’ve seen assaults that peaked at over a terabit of data per second, with concerns that the botnet has the potential to deliver a further 50 percent more data if the timing is right.
Although as Ars reports, these numbers have yet to be officially confirmed, the sources are rather reliable. It would be easy to dismiss them based on their extravagance, since to date, the largest recorded botnet attack threw 363 gigabits per second of data. However, considering we’ve now seen attacks in excess of three times that much, we would expect to see many more large-scale attacks in the near future.
The reason this was possible at all is because of the Internet of Things. IOT devices have long been considered a security hole in the technological landscape, as they so often operate under the radar, and so receive less scrutiny from users and security professionals. However, they often have the ability to upload a lot of data at once, so it’s not always obvious when they’re used as part of an attack like this one.
We’ve seen hints of IOT devices like home routers being used in DDOS attacks before. The famous downing of the Xbox Live and PlayStation networks in 2015 was in part caused by botnet-connected home network hubs.
Even if you do notice that your IOT device is behaving oddly, reclaiming control of your hardware may not always be easy. By their very nature IOT devices tend to operate behind the scenes, so they often have minimal interfaces or ability to change important settings.
One preemptive security step people can take is to never put their hardware online at all. That may often defeat the point of a bit of smart tech and would of course be redundant for routers or similar devices, but there are a number of devices that don’t really need to be connected online all the time.
At the very least users should change their default passwords. Make them long, make them unique, and change them periodically to play it safe.