Berkeley boffins reckon the Mirai Internet of Things botnet attack that took down Brian Krebs' website in 2016 cost device owners over US$320,000.
Because the 2016 hit on KrebsOnSecurity involved tens of thousands of devices, the cost to each individual owner (in power consumption and bandwidth charges) ends up at only a handful of dollars per hacked device.
The total cost to thing-owners, by the Berkeley researchers' estimate, was US$323,973.75.
That's a problem for the world of IoT: launching an attack like this one is cheap for the attacker once they've found a big enough population of devices with default credentials and spare processing power, and the cost to each thing-owner is small enough to pass unnoticed.
The research, carried out by the university's Kim Fong, Kurt Hepler, Rohit Raghavan and Peter Rowland and named Project rIoT, is an attempt to apply the well-known principles of attack cost calculation to consumers instead of businesses.
To come up with their cost estimates, the researchers infected devices with Mirai and observed their activity. In the lab, the group found that Mirai-infected devices show only small increases in electricity consumption – by far the greater cost to consumers is in the bandwidth stolen by the infected Things.
Of the various devices purchased for the study, only two – a Samsung Smartcam SNH-1011N and a Dreambox DM500-C digital video recorder – still permitted the testers to install Mirai, because their firmware still supported Telnet access. (They note that a bit of hacking was necessary to turn on Telnet in the Samsung unit: “we were able to exploit command injection vulnerabilities in its web interface to enable telnet”, the report said.)
The Dreambox DVR's power consumption was less than one per cent higher in “Mirai mode”, but the Samsung Smartcam had to work much harder, using upwards of 13 per cent more electricity when infected and connected over Ethernet.
Bandwidth was also pretty trivial on a per-device level: 3 MB over 30 minutes for the Dreambox DVR, more than 6 MB over 30 minutes for the Samsung Smartcam using Ethernet (just under 1 MB when it was connected over WiFi).
However, aggregated over a large botnet, the cost to consumers would have been considerable.
They then applied the lab cost model to the KrebsOnSecurity case study, to reach their estimate of $323,974 in aggregate and around $13.50 per device.
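To make the lab-measurement-to-botnet extrapolation concrete, here is an added Python example that is not the Project rIoT tooling and not code from the report. It parses two constructed /proc/net/dev snapshots taken 30 minutes apart to get the traffic an infected device moved (the way a bandwidth monitor on a Linux box would), then feeds that figure into a simple per-device cost model and scales it across a botnet. The baseline wattage, the electricity and data tariffs, the attack duration and the 24,000-device botnet size are all assumptions chosen for illustration; the report's own inputs are not given on this page.

```python
"""Extrapolate lab-measured per-device costs of a Mirai infection to a botnet.

Added example: parses constructed /proc/net/dev snapshots (before and after a
30-minute observation window), converts the counter deltas to megabytes, and
applies a cost model of the kind Project rIoT used. Tariffs and wattages are
ASSUMPTIONS, not figures from the report.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed snapshots of /proc/net/dev taken 30 minutes apart on the
# monitored device. eth0 receive bytes grow from 10 MiB to 12 MiB and transmit
# bytes from 5 MiB to 9 MiB: roughly 6.3 MB of traffic, close to the SmartCam
# Ethernet figure quoted above.
SNAPSHOT_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 10485760   81920    0    0    0     0          0         0  5242880   40960    0    0    0     0       0          0
"""

SNAPSHOT_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 12582912   98304    0    0    0     0          0         0  9437184   73728    0    0    0     0       0          0
"""

WINDOW_MINUTES = 30


def parse_proc_net_dev(text: str) -> dict[str, tuple[int, int]]:
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters: dict[str, tuple[int, int]] = {}
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no colon
            continue
        iface, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:         # malformed line; skip rather than guess
            continue
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def window_megabytes(before: str, after: str, iface: str) -> float:
    """Bytes moved on `iface` between two snapshots, as decimal megabytes.

    Counters are unsigned and can wrap on 32-bit kernels; a negative delta is
    reported as an error rather than silently producing a huge number.
    """
    b = parse_proc_net_dev(before)[iface]
    a = parse_proc_net_dev(after)[iface]
    rx, tx = a[0] - b[0], a[1] - b[1]
    if rx < 0 or tx < 0:
        raise ValueError(f"counter wrap on {iface}; take snapshots more often")
    return (rx + tx) / 1_000_000


@dataclass
class DeviceProfile:
    name: str
    idle_watts: float        # ASSUMED baseline draw; the report gives percentages only
    power_increase: float    # fractional rise when infected (0.13 = 13 per cent)
    mb_per_window: float     # traffic measured over WINDOW_MINUTES


def per_device_cost(p: DeviceProfile, hours: float,
                    usd_per_kwh: float, usd_per_mb: float) -> tuple[float, float]:
    """(electricity_cost, bandwidth_cost) in USD for one device over `hours`."""
    extra_kwh = p.idle_watts * p.power_increase * hours / 1000
    megabytes = p.mb_per_window * (hours * 60 / WINDOW_MINUTES)
    return extra_kwh * usd_per_kwh, megabytes * usd_per_mb


def botnet_cost(p: DeviceProfile, devices: int, hours: float,
                usd_per_kwh: float, usd_per_mb: float) -> tuple[float, float]:
    """(aggregate_cost, cost_per_device) across a botnet of identical devices."""
    elec, bw = per_device_cost(p, hours, usd_per_kwh, usd_per_mb)
    return (elec + bw) * devices, elec + bw


if __name__ == "__main__":
    mb = window_megabytes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "eth0")
    cam = DeviceProfile("Samsung SmartCam (Ethernet)", idle_watts=5.0,
                        power_increase=0.13, mb_per_window=mb)
    # Assumed tariffs: 20 c/kWh and 1 c/MB of metered data; 24 hours of attack.
    elec, bw = per_device_cost(cam, 24, 0.20, 0.01)
    total, each = botnet_cost(cam, 24_000, 24, 0.20, 0.01)
    print(f"{mb:.2f} MB per 30 min; electricity ${elec:.4f}, bandwidth ${bw:.2f} per device")
    print(f"${total:,.2f} across 24,000 devices, ${each:.2f} each")
```

Even with the generous data tariff assumed here, the per-device figure lands in the low single dollars, with bandwidth a thousand times the electricity component, which is the paper's point: the number is below what any owner would notice on a bill.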
There's one more outcome of the research: the authors have published their resource monitoring tools at GitHub. ®