
Attack of "thingbots" now is a thing—really

Internet of things cybersecurity woes ramping up quickly

Bank tech trends can make your head spin. So regularly longtime Tech Exchange Editor John Ginovsky does his best to “make sense of it all.”

The accelerating evolution of the internet of things promises advances in quality-of-life areas. No longer will you have to remember to buy milk—your refrigerator will sense that you are getting low and will automatically order more for delivery, as well as automatically pay for it through a cloud-based payments system.

However, the internet of things could also become creepy, and certainly could pose real physical—and fiscal—dangers.

For example, because these new gadgets are connected to the traditional internet, there has been speculation that hackers might be able to commandeer a home’s video baby monitor and spy on the inhabitants.

Or worse, the hackers could commandeer a connected automobile while it is in motion, and drive it, and the inhabitants, off a cliff.

Or they could, and have, overwhelmed the servers that thousands of websites, including Twitter, Netflix, Amazon, and PayPal, depend on to be reachable, making those sites unavailable to their millions of accountholders, at least for a time.

Thingbots take over from traditional botnets

While the baby monitor and automobile examples listed above may (or may not) be apocryphal, the server story actually happened on Oct. 21, 2016.

The main target was Dyn, a New Hampshire company that provides domain name system (DNS) service, the lookups that turn a website's name into the network address a browser connects to. Dyn was the victim of a distributed denial of service (DDoS) attack in which it was bombarded by lookup requests from tens of thousands of compromised devices at once. The flood overloaded the company’s ability to answer legitimate requests, so websites that were themselves running normally could no longer be found.

Usually cybercriminals employ botnets to generate that flood of traffic. A botnet consists of hundreds or thousands of secretly infected computers connected to the internet and activated by a cybercriminal running a command-and-control server.

What was different with the Dyn attack was that the criminals used what has become known as a “thingbot”—a botnet, according to the blog Globalsign, that is composed mainly of machine-to-machine connected things, such as garage door openers, ovens, washing machines, and the aforementioned refrigerators, baby monitors, and cars. In the Dyn attack the compromised devices were mainly internet-connected cameras, digital video recorders, and home routers: cheap, always-on, rarely patched, and numerous.

According to reports, Dyn managed to restore service within about six hours, having dealt with two major attacks. A third attack was thwarted, the company said in a statement.
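The following is an added example, not code from the article or from Dyn, showing why the “distributed” part of a thingbot attack matters to whoever defends a service. It runs two detectors over constructed DNS query records (the log format, the addresses, and the thresholds of 20 queries per second per source and 100 queries per second total are all assumptions made for the illustration): a per-source rate limiter, which is the classic defense against a single abusive client, and an aggregate capacity check. A lone flooding host trips the per-source limit; 500 devices each sending one query stay under it individually while still overloading the server.

```python
# Added example, not from the article or from Dyn: shows why a "thingbot"
# flood of many low-rate devices slips past a per-source rate limit that
# would catch a classic single-host flood. All log lines are constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ts: float   # seconds (constructed timestamps)
    src: str    # client IP (constructed)
    qname: str  # name queried


def parse_line(line: str) -> Query:
    """Parse a constructed log line of the form '<ts> <src_ip> <qname>'."""
    ts, src, qname = line.split()
    return Query(float(ts), src, qname)


def per_source_offenders(queries, limit_qps: int):
    """Sources that exceed limit_qps within any one-second bucket.

    This is the classic rate limiter: it catches a single abusive client but
    sees nothing wrong when thousands of clients each stay under the limit.
    """
    per_bucket = Counter((int(q.ts), q.src) for q in queries)
    return sorted({src for (_, src), n in per_bucket.items() if n > limit_qps})


def aggregate_flood(queries, capacity_qps: int):
    """One-second buckets whose total load exceeds capacity_qps.

    Returns {second: (total_queries, distinct_sources)}. A large distinct-source
    count in an overloaded second is the signature of a distributed flood.
    """
    totals = Counter(int(q.ts) for q in queries)
    sources = defaultdict(set)
    for q in queries:
        sources[int(q.ts)].add(q.src)
    return {sec: (n, len(sources[sec])) for sec, n in totals.items()
            if n > capacity_qps}


def single_host_flood():
    """Constructed: one client sends 200 queries inside second 1000."""
    lines = [f"1000.{i:03d} 203.0.113.7 example.com" for i in range(200)]
    lines.append("1001.000 198.51.100.9 example.net")  # an ordinary client
    return [parse_line(ln) for ln in lines]


def thingbot_flood():
    """Constructed: 500 distinct devices each send ONE query inside second 2000."""
    lines = [f"2000.500 100.64.{i // 256}.{i % 256} example.com"
             for i in range(500)]
    return [parse_line(ln) for ln in lines]


if __name__ == "__main__":
    for name, data in (("single host", single_host_flood()),
                       ("thingbot", thingbot_flood())):
        print(name)
        print("  per-source offenders (limit 20 qps):",
              per_source_offenders(data, 20))
        print("  overloaded seconds (capacity 100 qps):",
              aggregate_flood(data, 100))
```

Run as a script it prints that the per-source limiter flags only 203.0.113.7 and nothing at all for the thingbot case, while the aggregate check flags second 2000 with 500 queries from 500 distinct sources. The practical consequence is the one Dyn faced: when every attacking device looks like a polite client, blocking by source address does not help, and mitigation has to happen on aggregate volume, upstream capacity, or traffic scrubbing instead.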

What is really scary is that law enforcement believes that this is just the beginning of IoT-related cybercrime. The Wall Street Journal reported shortly after the Dyn attack that the FBI issued a confidential bulletin to private companies saying: “The exploitation of the internet of things to conduct small-to-large scale attacks on private industry will very likely continue.”

Banks remain target of choice

It is not clear who initiated the October attack, but forensic analysts point to the use of malware known as “Mirai,” whose source code had been posted openly on the internet in the weeks before the attack. Mirai spreads by scanning the internet for devices that still accept their factory-default usernames and passwords, which is why cheap consumer gadgets make such easy recruits. The open availability of the code alone points to the likelihood of further IoT attacks.

All of which should become top of mind to banks and other financial institutions. After all, they already are under attack.

Just recently, MetricStream Research issued a report finding that 66% of the global financial institutions it surveyed in July faced at least one cybersecurity attack in the last year.

“Now, with the introduction of mobile banking, online banking, the cloud, and other new technologies, cybercriminals have more potential routes to breach an institution’s cyber defenses,” the report says.

The Smart Card Alliance has recognized the severity of the IoT threat to such a degree that it has formed a separate “Internet of Things Security Council” to try to keep pace with it.

Referring to the Dyn attack, Randy Vanderhoof, executive director of the Smart Card Alliance, says: “This is just the latest example of the IoT vulnerabilities that exist today, demonstrating why the security of things is so critical. To protect connected devices and their data, the IoT industry needs the attention, coordination, and commitment to security that the payments industry is putting into securing payments.”

The alliance strongly advocates that security systems be incorporated in the design of IoT devices from the beginning. This should include how communications are authenticated; how access is controlled; how data is protected; how devices are managed during their lifecycle; and how devices may impact other systems.

Sounds reasonable. But, at this stage, likely a tall order due to economics. Juniper Research estimates that the number of connected home appliance shipments is set to reach 202 million a year globally by 2021, rising from just 17 million in 2016.

Furthermore, Juniper estimates that it costs manufacturers just $10 to make a given appliance “smart” now. They might balk at paying more to include extra embedded security features that inevitably would raise their cost of production.

Still, events might change manufacturers’ minds. One example is a report from KPMG on internet-connected automobiles that signals how failing to get cybersecurity right could, as it delicately puts it, “have a lasting impact on brand.”

To be fair to KPMG, it quotes Gary Silberg, National Automobile Leader: “Unlike most consumer products, a vehicle breach can be life-threatening, especially if the vehicle is driving at highway speeds and a hacker gains control of the car. That is a very scary, but possible, scenario and it’s easy to see why consumers are so sensitive about cybersecurity as it relates to their cars.”

Not only is there a concern about hacker-caused flaming wrecks, there is the issue that 82% of consumers KPMG surveyed would be wary of buying a car from an automaker if that maker had been hacked.

Protective measures banks can take

It’s pretty easy to draw parallels from this to the banking industry.

A thingbot-caused DDoS attack on a bank certainly would result in great reputation harm to that bank, as well as open it up, while it is preoccupied, to other types of attacks the criminals might launch simultaneously. Nor does a bank have to be the target to be hurt: the sites that went dark during the Dyn attack were not attacked themselves, they simply depended on a single DNS provider that was.

So what should a bank do? EY (formerly Ernst and Young) issued a white paper recently titled, aptly, Cybersecurity and the Internet of Things. It concludes with this list of suggestions:

Know your environment inside and out. Comprehensive, yet targeted, situational awareness is critical to understanding the wider threat landscape and how it relates to the organization.

Continually learn and evolve. Nothing is static—not the criminals, not the organization, or any part of its operating environment—therefore the cycle of continual improvement remains.

Be confident in your incident response and crisis response mechanisms. Organizations that are in a state of anticipation regularly rehearse their incident response capabilities.

Align cybersecurity to business objectives. Cybersecurity should become a standing boardroom issue—a vitally important item on the agenda.

Or heed the words of French Caldwell, Chief Evangelist (his real title) at MetricStream:

“The best defense for organizations is to implement a pervasive and mature cybersecurity program that is integrated with their enterprise risk management framework, driven from the top, and based on the latest industry security standards.”

And double check your video baby monitors.

Sources for this article include:

Connected Appliance Shipments To Pass 200M P.A. By 2021 As Vendors Develop Ecommerce Strategies

Connected Car Data Presents Both Opportunities And Challenges For Auto OEMs: KPMG Report

Cybersecurity And The Internet of Things

FBI Warns Internet Online Attacks On Private Industry Will Continue

Increasing Number Of Financial Institutions Falling Prey To Cyber Attacks

Smart Card Alliance Advocates For Embedded Security In Connected IoT Devices Following Record-Breaking DDoS Attacks

5 Common Cyber Attacks In The IoT—Threat Alert On A Grand Scale

The Cyber Threat: Dyn Cyber Attack Highlights Internet of Things Hacking

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News. Email him at [email protected].
