On Friday October 21 a massive Distributed Denial of Service (DDoS) made over 1,000 websites unreachable, including, Twitter, Netflix and PayPal. Two cloud providers, Amazon Web Services and Heroku reportedly also experienced periods of unavailability.
The attack was directed against a key part of the internet’s infrastructure, a domain name system provider, Dynamic Network Services aka Dyn. When a person enters a web address into a browser, such as google.com, the browser in turn needs an IP address (a string of numbers and periods) to actually connect with that web address. Domain name system providers are a critical source of IP addresses.
On Friday Dyn was the target of perhaps the largest ever DDoS, when its site was overcome by tens of million of requests for IP addresses. Because Dyn could not provide the correct IP addresses for Twitter and the other affected sites, those sites became unreachable for much of the day.
It also appears that the DDoS was mounted using a widely available malware program called Mirai. Mirai searches the web for IoT connected devices (such as digital video recorders and IP cameras) whose admin systems which can be captured using simple default user names and passwords, such as ADMIN and 12345. Mirai can then mobilize those devices into a botnet which executes a directed DDoS attack.
There are a number of potentially serious implications for insurers:
- An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholder and the insurer providing the discounts to a variety of potential losses.
- If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses.
- As insurers continue to migrate their front-end and back-office systems to the cloud, the availability of those systems to customers, producers, and internal staff may drop below acceptable levels for certain periods of time.
The Internet of Things will change insurance and society in many positive ways. But the means used to mount the October 21 attack highlights vulnerabilities that insurers must recognize as they build their IoT plans and initiatives.