Blog: Internet Of Things

IoT DDoS – we haven’t seen the half of it yet. Nor have utilities…

Ken Munro 27 Sep 2016

The recent > 600Gbps DDoS against OVH was apparently twice the size of any previous DDoS that soaking provider Prolexic had ever seen. It’s the first we’re aware of that has been attributed to a bot-net of IoT devices.

We’ve been working in IoT security for several years; my first thought when I saw the story was ‘that’s nothing compared with the traffic that IoT devices are capable of sending’

It’s trivially easy to identify potential victim IoT devices for your bot-net. Shodan does it all for you.

We’ve blogged extensively about numerous examples of IoT gear where remote code execution or at least remote takeover is possible. In this case, it’s believed that IP CCTV cameras were used. Our post describes an attack against CCTV DVRs – just one example of one brand that would be perfect for a DDoS bot net – we found 44,000 of them on Shodan.

How many different CCTV cameras and DVR brands are vulnerable, let alone other IoT devices types? Plenty, I’ll wager. Hence, we are convinced that 600Gbps is a small fraction of the potential DDoS that IoT is capable of.

Another example: You’ll likely have seen our local code execution and ransomware proof of concept on a smart thermostat.


LCE isn’t the same as remote code execution you say. Quite right, but we’ve since found full remote code execution on a very popular brand of smart thermostat. It’s with the vendor currently for remediation, hence no names right now, but there are over 250,000 of these installed in homes according to Shodan. Simple maths suggests upwards of 1Tb DDoS potential. That’s one thermostat from one brand…

We do a lot of consulting and testing in industrial control systems, particularly utilities. That’s when we started to get really concerned. Taking out sites on the internet is a PITA, particularly for those being DDoSsed, but it’s not necessarily a systemic event. It would rarely affect much more than the site being attacked, their host and related internet infrastructure.

Then IoT gets involved…

Compromise and create a bot-net of smart thermostats. Turn them all on concurrently to maximum cooling, ideally to switch an air conditioner on as that’s likely to draw more current that a gas heater. Coincide that with maximum load on the power grid – the loading is usually available online e.g


…bear in mind that start up load on air conditioners and other motorised devices (e.g. fan blowers) is often up to three times their running load.

And you have a power cut.

If it’s widespread over enough IoT devices that consume or trigger electrical power, you could force a black start.

It can take hours to recover fully from a black start event. Hit it in the winter and you have a systemic crisis event; multiple failures in many and various parts of the entire Critical National Infrastructure. No power, no heat. People die.

Is the above realistic? I hope not. It’s certainly possible though, based on our knowledge of IoT and industrial control systems.

What to do?

Until IoT device manufacturers secure their devices, we are all rather exposed.

The bigger brands are slowly getting the hang of security; at least they have a brand to protect and secure, so there is motivation for them to produce secure product.

What concerns me are the ‘me too’ and cheap clone devices. They are produced and sold on price, so there is less incentive to get security right.

There is guidance out there on IoT security. The IoT Security Foundation is a good place to start, as is OWASP, and we’ve also published a set of guidelines and advice.