The true cost ISPs pay for weak IoT security
The Internet stopped working. This Sci-Fi idea-turned-reality left everyone speechless back in 2016, the year of the most devastating denial-of-service attacks in Internet history.
Powerful outages paralyzed the backbone of the Internet, as the world’s largest telecom operators and hosting providers were knocked offline together with their clients, some of the most visited websites in the world. These massive IoT-enabled attacks caused millions of dollars in financial and reputational losses for everyone involved.
Can we afford to let the Internet tremble again?
Sadly, the Internet has become a cyberwar zone, one in which consumers, businesses and governments are all indiscriminately targeted. Whether driven by business competition, political interests, hacktivism, or simply financial gain, cyberattacks besiege their victims with unprecedented levels of sophistication and strength.
And, as centerpieces of the Internet ecosystem, Internet service providers are prime targets.
The challenges of IoT security
Service providers are fighting an uphill battle with the Internet of Things. The proliferation of smart home appliances has destabilized overall cybersecurity, as millions of devices reach consumers with weak password security, no encryption for data in transit, faulty authentication mechanisms and other missing security defenses. As these devices routinely connect to home or business networks, they become feeble entry points to all the sensitive data transmitted throughout networks.
One apocalyptic scenario has already unfolded, with millions of customers affected. Compromised home routers and other IoT devices formed a network of malware-infected zombie devices and executed advanced denial of service attacks on various strategic targets such as German telco provider Deutsche Telekom, hosting company OVH and Internet infrastructure company Dyn.
Pitfalls of convenience
The number of users and industries leveraging IoT technology is growing, driven by progressively lower costs, great efficiency and applicability in a variety of sectors. Some 100 billion connected devices are expected to be built by 2025.
However, over 70% of connected devices have some kind of security vulnerability, including, but not limited to:
- Weak password-username combinations which are vulnerable to brute-force attacks.
- Nonexistent data encryption. During setup, the device ID and MAC address are sometimes transmitted in plain text, while the communication between the device and its web application travels unencrypted through the manufacturer’s servers.
- Devices come pre-installed with a communication protocol (Telnet client) bearing weak or default credentials.
Poor security by design helps attackers break into gadgets and repurpose their initial functionalities. For instance, computer webcams, smart toys and connected baby monitors have been heavily used to spy on kids, inside their homes, and there is more than a one-in-four chance the smart TV is spying on the entire family right now.
Once inside the home network, a skilled intruder can also intercept unencrypted traffic including online account credentials, images and sensitive banking data. He can also access or install malware on other computers and connected devices in the compromised home networks.
Real costs for ISPs
Let’s consider that there are 3 people living in a household, each owning up to 5 smart devices (smartphones, wearable fitness bands, smart watches etc.). That’s 15 devices per household. If an Internet service provider has 1 million households in its network, that is 15 million connected devices.
Based on the above statistic, out of these 15 million devices, 10.5 million devices are exposed to cyber-attacks.
“2.1 million home users risk having their personal data stolen. For Internet service providers, that means 2.1 million potential lawsuits for every million households. Or a rock-solid class action lawsuit.”
In the event of a major disruption, an ISP with 1 million households can expect to pay an additional EUR 1 million for extra customer support services, covering an emergency hotline for customer complaints and overtime pay for technical staff.
Additional costs arise from damage to reputation and credibility. 75% of users won’t buy a product from a company if they don’t trust the company to protect their data. Assuming an increase in churn rate of 1% over a period of four months, an Internet service provider may lose approximately 40,000 subscribers. If the average revenue per user is EUR 40, this translates to EUR 1.6 million in lost revenue for a single DDoS attack.
Downtime caused by a security breach or cyberattack also attracts penalties for not meeting SLA standards. Fines are typically correlated with the amount of time by which service unavailability exceeded the SLA’s performance guarantee.
“We can safely agree that telecom operators stand to lose millions should wide-scale IoT attacks start happening in connected homes. ISPs can no longer afford to passively watch them develop.” Andrei Petrus – Director, IoT.
The ongoing hurdle of router security
Rewriting Internet laws may seem an impractical solution, yet ISPs can contribute to IoT security in various ways. To fend off DDoS attacks, they can use IP address anti-spoofing techniques known to reduce the likelihood of this type of disruption.
But there is an easier, clear-cut solution: investing in router security. Unfortunately, many SOHO routers, as well as network-attached storage devices, are riddled with security vulnerabilities and are regularly being compromised en masse.
Router security and cyber-resilience have never been as important as they are today. A flawed or poorly secured gateway leaves an open door for cybercriminals to infect and subvert devices in users’ homes, without the owners ever realizing it or caring about it. Their devices are unknowingly becoming zombies in botnet armies used for crypto mining or large-scale cyberattacks.
With a flawed network gateway, users’ data privacy and network integrity are fully compromised, regardless of the platforms or devices people are using.
For instance, VPNFilter targeted and infected more than 500,000 consumer-grade routers in 54 countries. This potent malware bypassed TLS encryption and covertly injected malicious traffic to steal very specific sensitive user information and manipulate every bit of data passing through networks. Its global reach made the FBI issue a warning, advising users to take immediate action by performing device reboots and installing firmware upgrades. And this is only one of many recent threats to home security.
Oftentimes, ISPs have been accused of mismanaging remote access functions used for routine configuration maintenance on customer equipment, which left (back)doors open for cybercriminals.
Another obstacle is home users’ lack of knowledge in configuring router settings. Few users change default router passwords to strengthen their network security, confirming the notoriously poor password behaviors of online users.
Lastly, another difficulty in promoting cybersecurity stems from the heterogeneity of IoT devices. Deploying security for each type of router or smart device is almost impossible, as technologies and firmware remain diverse and proprietary. That is why router security, or approaching security at the network level, is the only viable solution.
Stepping up to the IoT challenge with home network security
ISPs can play an active role in managing security for customers’ IoT devices by offering home network security as a value-added service. DDoS attacks originating from home devices can be stopped at the source – in home networks – to ensure reliability of service while preserving legitimate IoT traffic.
Embedding home network security in routers can help Internet service providers differentiate themselves in a crowded market and raise the bar in consumer protection.
ISPs who offer network security to their customers can expect:
- Increased revenue
- Enhanced customer loyalty
- Higher lifetime value of customers
But what would be the perfect solution? A modular AI-powered software solution like Avira SafeThings would secure connected homes directly through the routers, whether new or existing. It would protect smart home devices from hijacking, ransomware, and malicious attacks. Such a solution could help ISPs shape new value-added services around home network security.