A University of California, Berkeley Report reveals that the cost of malware- and botnet-affected devices could run into millions of dollars for their owners.
A DDoS attack on a website run by a security journalist cost connected device owners nearly $324,000, according to research carried out by the Berkeley School of Information at the University of California at Berkeley.
According to the report, around 24,000 devices were used as part of the Mirai botnet to attack the Krebs on Security website, run by veteran journalist, Brian Krebs. The attack was carried out back in September 2016, but researchers have only now explored how it and similar types of attack affect the devices that are caught up in them, as well as the owners of targeted sites.
The attack was powered by the first version of Mirai. Connected devices infected with the malware hit the website for 77 hours with up to 620GB of data per second.
The Berkeley School of Information has calculated that, with the extra energy consumption and bandwidth costs, the botnet used in the attack would have cost device owners $323,973.75, or $13.50 for each device.
The researchers report that in tests on infected devices, they observed increases in electricity consumption, and “significant increases in bandwidth usage in infected devices when compared with non-infected devices operating normally”.
They also found that “infected devices cause a degraded user experience for the device owner, as devices that are involved in attacks can interfere with the owner’s use of both the device and the network to which it is connected”.
Worse-case scenario: $68m
The research quantifies a worst-case scenario, with the Mirai botnet operating at peak power in a UDP DDoS attack. According to the report, the number of devices controlled by the botnet briefly hit a peak of 600,000 at the end of November 2016.
“We chose to model a UDP attack because, based on our research results, these attacks consume more bandwidth than TCP SYN attacks and are likely to create greater resource consumption costs,” says the report. “This scenario assumes a sustained attack lasting 50 hours, which we believe to be on the upper end of attack durations, but less than the observed 77-hour attack on KrebsOnSecurity.
“The projected cost to consumers of this attack would be $68,146,558.13. Increased energy consumption accounts for just $855.00 of that total cost, with the rest accumulated from increased bandwidth consumption. The per-device cost to the consumer for this hypothetical worst-case scenario is $113.58, likely a non-negligible amount for most device owners.”
Lax behaviour
The report warns that both manufacturers and users are engaging in behaviour that unnecessarily increases IoT device vulnerability.
“On the manufacturer side, many devices run lightweight Linux-based operating systems that open doors for hackers,” continues the report. “Consumers’ actions, too, contribute to the insecurity of IoT devices. Consumers who expect IoT devices to act like user-friendly ‘plug-and-play’ conveniences may have sufficient intuition to use the device, but insufficient technical knowledge to protect or update it.”
The researchers hope that the report will help to raise the base level of security in the market by making private individual costs more explicit. “If consumers are unaware of the costs they incur because of their insecure IoT devices, they are likely to purchase a greater quantity of insecure devices than is socially optimal,” they say. “However, by making existing private costs visible and injecting them into consumers’ purchasing decisions, we can bring private costs closer to social costs.”
Internet of Business says
The research provides an invaluable new voice in the IoT security conversation, with previous reports pointing out strategic failures, the vulnerabilities of industrial IoT systems, the lack of basic security procedures when introducing IoT networks into the enterprise, the vulnerability of popular smart home devices, including Amazon’s Alexa-powered devices, the serious risk from unsecured cameras, and the rising problem of processing resources being stolen to mine cryptocurrency.
Hopefully, by exposing how poor security can hit both organisations and private individuals where it hurts, in their wallets, more people will take at least basic precautions.