Most IoT devices have vulnerabilities that leave them open to DDoS attacks, according to Bitdefender's telemetry. There's no easy fix to such a complex problem, but there are clever ways to prevent smart devices from serving the malicious intents of criminals.
The number of IoT devices is expected to reach 24.1 billion by 2020, representing a 350% increase from the 6.7 billion we had at the end of 2019. IoT botnets have been the primary force behind DDoS attacks for some time, and there's no reason to believe that will change any time soon. The rapid expansion of the IoT industry pretty much guarantees that, left unchecked, it's actually set to become an even bigger problem.
One of the most prolific IoT bots, Mirai, managed to cripple a good part of the US Internet for just a few hours, in 2016. It targeted a major DNS provider, which in turn affected services such as Twitter, Netflix and Spotify. Moreover, 6% of US Fortune 500 corporations suffered various outages from the loss of DNS resolution.
That was four years ago. Since then, the Mirai source code became public, and numerous variants started to crop up all over the place, not to mention new versions that seem to be designed from scratch to take advantage of the existing IoT hardware.
Weaponizing our smart homes
The Internet of Things is an umbrella term to describe all devices connected to the Internet, which means they are all potentially exposed to being compromised by hackers.
People already have smart homes, even if they don't realize it. Even if all you have in your house is a smart TV, that's enough to qualify. If the device has vulnerabilities, which is a safe bet for many of them, it could potentially be used (or at least compromised) by attackers.
The problem with most smart devices is that either the security of the device was not a priority for the manufacturer, or it's old enough to never receive security fixes again. Other times, users are to blame because they don't bother installing updates. Just ask yourself: when was the last time you checked for updated firmware for your router? The device that's collecting dust in a corner -- the lone faithful guardian of your home network?
Common types of vulnerabilities
Let's say you're a responsible user and want to know which of your devices are vulnerable. Unfortunately, regular users don't normally have the tools to figure that out. Especially if there are many smart devices, they’d need assistance from an intelligent security solution that can detect connected devices – such as the Bitdefender IoT Security Platform.
One platform feature that requires no user intervention is the Vulnerability Assessment. Through this technology, the vulnerable devices in a home are indexed, and the user is notified. Furthermore, additional protection is extended for all types of IP-connected devices as well.
Bitdefender's telemetry reveals the ugly truth. Most vulnerabilities in IoT devices allow for denial of service attacks (46.7%), followed by buffer overflows (18.18%), gaining information (17.41%), arbitrary code execution (14.39%), and privilege escalation (10.51%). There are a few others, but these represent the bulk of common vulnerabilities. This data is valid for April, 2020, but the numbers haven’t changed significantly from even a year earlier.
Vulnerable devices include game consoles, old phones, smart TVs, laptops, smart devices powered by AI assistants, media players, fridges, switches, routers, and much more. We are surrounded by so many IoT devices in our day-to-day life that we don't even acknowledge them anymore. But they are there, and many are vulnerable.
Ideally, users’ protection should be covered by the ISP through home gateways with security capabilities, such as those provided by the BitdefenderIoT Security Platform. It makes sense for ISPs to provide such value-added services to their customers, and it helps keep their infrastructure protected too.
We should always keep our home security in mind, especially when choosing the right ISP. It's no longer enough to get access to the Internet. Smart home security is something that every network operator should have in their portfolio, showing users their commitment to better online experiences for us all.