Client Alert: Internet of Things Vulnerabilities

This event resulted in massive business interruption and the failure of cornerstone internet businesses.

Attackers flooded servers run by Dyn, a DNS provider, with a crippling volume of traffic, rendering it unable to serve legitimate users and forcing offline numerous top websites, including Twitter, Spotify, Netflix, Airbnb, Reddit, The New York Times and the Wall Street Journal. Users throughout the Eastern United States and Canada reported outages of these and other of major sites.

What makes this attack particularly worrisome is that it was driven by the Internet of Things ("IoT") devices. It is currently estimated that there are over 6.4 billion Internet of Things devices, and these are computational devices as diverse as logistical tracking systems for the trucking industry to home automation systems, Fitbits, smart TVs and surveillance cameras.

It appears that a large amount of the malicious traffic came from devices within the Mirai botnet, a malicious system which attacks ordinary IoT devices such as surveillance cameras and home routers, and uses them to engage in these malicious attacks. Hundreds of thousands of people around the world were unaware that they were participating, via their home network appliances, in one of the largest 'denial of service' attacks in history.

This attack comes just weeks after similar exploits were unleashed on French hosting company OVH and a leading information security journalist, Brian Krebs. These attacks highlight gaping holes in IoT security and underscore the urgent need for device manufacturers, internet companies and users to address these issues.

Duff & Phelps’ team of investigators, subject matter experts and technologists are available to discuss these and other issues related to IoT including policy, best practices, corporate risks and other emerging issues.