Hackers Used the IoT to Create an Unprecedented DDoS Attack—Now What?

We asked security expert Dan Lohrmann what a massive cyberattack on cybersecurity journalist Brian Krebs' website means for the wider Internet of Things industry.
By Mary Catherine O'Connor
Oct 10, 2016

For years, security experts have been raising alarms about the poor security with which IoT products were being sold, saying that the failure to build strong authentication measures and other security features into products, from the ground up, would someday lead to a major breach—with perhaps a major manufacturer caught in the crosshairs.

On Sept. 20, that is what happened—except that rather than targeting a household brand, the hackers took aim at an investigative reporter, Brian Krebs, who covers cybersecurity.

Dan Lohrmann
In an attempt to take down his website, KrebsonSecurity, hackers infected a massive network of computers with malware, creating a botnet that perpetrated the largest distribution denial-of-service (DDoS) attack ever recorded.

What is perhaps most alarming about this attack is that the botnet that the hackers created largely comprised IoT devices, namely IP-based video cameras.

Akamai Technologies, which provided Krebs with cloud security services pro bono, deflected the attack for a day but eventually threw in the towel. (Google Shield, a service the search giant recently launched to protect journalists who come under attack from DDoS hacks, has since brought the website under its wing.)

In response to the attack, Shaul Levi, chief scientist at AVG Innovation Labs, a research arm of security software company AVG Technologies, wrote that this attack had broad implications. "The security of families' local data and devices will live or die based on protecting the central entry point to their home network. But equally, there's a responsibility to protect those devices from being used against society as a whole."

We asked Dan Lohrmann, chief security officer at Security Mentor, which provides companies with security awareness training, for his take on the attack. What follows is a transcript of our email-based interview.

Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations