Friday's DDoS attacks that created major website outages across the Internet may prove to be a watershed moment for the Internet of Things industry, after years of warnings – mostly ignored – about the glaring vulnerabilities in IoT devices.
The series of attacks recruited millions of IP addresses – many associated with IoT devices – to flood Domain Name System (DNS) service provider Dyn with scores of fake traffic, in turn shutting down the websites of Twitter, Spotify, Netflix, GitHub, Amazon, Reddit and other Dyn clients.
“By taking down a domain server, [the attack] took down everyone's ability to be productive online, which equates to dollars,” said Jim Hunter, co-chair of the IoT Consortium's Privacy & Security Committee, and chief scientist & technology evangelist at IoT software company Greenwave Systems. “This is the first time everyone's really seeing a significant impact” from an IoT-launched attack, Hunter continued.
Much of the malicious traffic came from IoT devices compromised with Mirai IoT botnet malware, whose source code was recently released after it was used against security researcher Brian Krebs in September. The malware allows attackers to take over vulnerable devices such as Internet-connected cameras, routers and DVRs, and utilize them for DDoS assaults. Some experts believe this brazen attack could serve as an impetus for change, prompting IoT manufacturers and maybe even device users to be more proactive with security.
The flaw in most IoT devices is a simple, yet pervasive one – they are often set with default passwords, which their owners never bother to reset. Bots can then scan for vulnerable IoT devices on the open Internet and attempt to take them over using these common passwords.
“Mirai must become the wake-up call for the hardware industry, the way that the Code Red and Nimda worms were for the software industry 15 years ago,” said Michael Sutton, CISO at cloud security company Zscaler, in comments emailed to SCMagazine.com. “Hardware vendors simply haven't been forced to climb the security learning curve the way that software vendors were forced to. That's about to change.”
“IoT devices in general are the perfect platform for attackers to issue DDoS attacks,” said Mordechai Guri, Chief Science Officer of cybersecurity startup Morphisec, in emailed comments. “First, they are have full Internet connectivity – most of the time they remain idle, hence can be easily abused for DDoS purposes. Secondly, IoT devices, due to their diversity and complexity, have almost no in-device security products installed... Thirdly, they are prevalent, so botnets on IoT devices in the future may consist of many millions of bots. Finally, such an attack is difficult to mitigate, as most IoT devices are embedded systems.”
For its part, Chinese electronics firm Hangzhou Xiongmai accepted responsibility for playing an unintentional role in the incident, issuing a statement that it would recall its home webcams that were sold in the U.S. after these products were leveraged in the attack.
“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company statement said, as reported by BBC News. Though it denied that its webcams comprised the majority of the botnet, the company reportedly said it would improve how its products manage passwords and would also send customers a software patch to harden current devices against similar attacks.
“It is fantastic to see a vendor owning up to their responsibility in this event,” said Craig Young, cybersecurity researcher for security solution provider Tripwire, in emailed comments. “It is very rare to hear of a vendor doing something like this and I hope that it will be the first of many vendors to react strongly to Friday's attacks.”
Nevertheless, the onus to prevent such devastating DDoS attack is not solely on IoT manufacturers. Dave Larson, CTO and COO at DDoS prevention and mitigation firm Corero Network Security, told SCMagazine.com in an interview that a “community effort” is required to quash the DDoS plague.
For instance, DNS providers such as Dyn must continue to scale their capabilities and bandwidth in order to minimize the impact of such attacks. Moreover, ISPs must leverage their ability to detect spoofed IP addresses and block such malicious traffic at ingress. By doing so, DDoS attacks would “at least go down by an order of magnitude,” said Larson.
Users, too, must be vigilant about changing their devices default passwords. “You can't just put something on the Internet and hope. You have a responsibility,” added Larson, noting that Corero tomorrow will announce a newly discovered zero-day DDoS attack vector.
As the various players in the IoT space grapple with their next move, concern mounts that another DDoS attack could take place at any time.
"There's been a lot of hypotheses around why this attack is taking place now, and the question is: Is Fridays attack a precursor to something larger?,” said Neil Daswani, CISO at ID protection firm LifeLock, speaking to SCMagazine.com today at a joint conference hosted by the National Cybersecurity Alliance and Nasdaq.
Indeed, looking beyond DDoS, there are a host of frightening ways that Mirai could be leveraged to turn seemingly innocent IoT devices into a juggernaut of malicious machines. "Think about taking an entire army of bots and turning them into encryption mechanisms so they can crack codes," said Hunter. Or, you can "turn bots into an army of devices that specifically filter, save and steal code and secrets."