185 Million Devices May Be Vulnerable to Hackers

DDOS Dyn cyber atomic bomb
Experts warn that massive cyberattacks that knocked websites like Twitter and Reddit offline in October may be a precursor to a "cyber atomic bomb." Creative Commons/ Composite

The internet may be far more vulnerable to attacks from internet-connected devices controlled by hackers than was previously thought, new data suggests.

It is estimated that attacks on the internet in October that caused several major websites to go offline—including Twitter, Reddit and Netflix—were caused by tens of thousands of compromised Internet of Things (IoT) devices, such as smart thermostats, fridges and webcams. New research from security firm BullGuard estimates that up to 185 million devices may be vulnerable to hackers wishing to perform even more devastating attacks.

The widespread disruption to websites on October 21 was caused by a network of compromised devices known as the Mirai botnet. Under the control of hackers, the botnet performed a distributed denial of service (DDoS) attack against critical internet infrastructure, meaning that the target was overloaded with web traffic.

"Mirai scans the internet looking for particular kinds of devices that have an open communication channel—known as a port—through which it can deliver its infection," Paul Lipman, CEO of Bullguard tells Newsweek .

"BullGuard's IoT scanner works by scanning your IP address looking for devices on your network that have ports that are open and can be publicly accessed over the internet."

hacking internet of things ddos mirai
Graphic shows the security risks the Internet of Things faces, and how hackers can launch a DDoS attack. Reuters Graphics

Using data gathered by its IoT Scanner, BullGuard examined about 100,000 devices and discovered that 4.6 percent of them contained vulnerabilities. With around four billion connected devices in the world, this equates to almost 185 million vulnerable devices—described by BullGuard as "orders of magnitude" higher than was used in the October attacks.

Projections from technology research firm Gartner suggest there will be more than 20 billion IoT devices by 2020, while estimates from ABI Research put the figure closer to 30 billion. Cybersecurity experts warn that too many manufacturers treat security as an afterthought when producing internet-enabled devices.

Chris Boyd, an analyst at the security firm Malwarebytes, told Newsweek in an interview earlier this year: "The problem here is that many IoT devices are horribly broken security-wise because it costs money to ensure a reasonable standard of protection on a product."

The severity of the issue has led other experts to warn that October's attacks may be a precursor to a "cyber atomic bomb." Speaking to Newsweek after the disruption cybersecurity veteran John McAfee said he expected much larger attacks in the near future.

"Clearly there are weaknesses," McAfee said. "Anticipate that these will be exploited in a big way."