A few weeks ago, security researcher Brian Krebs, author of the blog Krebs on Security, was driven offline by mammoth DDoS attacks driven by IoT devices. The attack now seems to have been a warm-up for last Friday’s wide-scale internet outage, and security researchers suspect that Internet of Things products were once again to blame. If you’ve paid attention to anything happening (or not happening) in Internet of Things security, this is scarcely a surprise. The general state of IoT security is terrible at best, nonexistent at worst.
The problem is simple: A DDoS attack uses hundreds or thousands of computers to hammer a single site with requests for service. The effect isn’t unlike what happens at your local McDonald’s when two buses worth of people show up at the same time. Even with every counter open, there’s a limit to how many orders can be taken simultaneously, and the crowd will quickly wipe out whatever pre-made food was already on hand. With the drive-through also open and putting additional pressure on the staff, customer service inevitably slows down.
DDoS attacks exploit similar principles, except they can sometimes drive websites completely offline by hammering them hard enough. The prevalence of IoT devices — currently estimated at 10 billion by Business Insider — is more than enough hardware to hammer the Internet, and targeting DNS providers can gum up huge chunks of the ‘Net. The image below shows the areas that were impacted by the DNS attacks last week, and it covers most of the major metropolitan areas on the east and west coasts.
According to Krebs, the incident was driven using Mirai, the same malware strain that attacked him in September. The hacker who wrote Mirai released the code last month, and evidence from security research firm Flashpoint suggests it piggybacked on IoT devices, mainly compromised DVRs and webcams made by Chinese manufacturer Hangzhou XiongMai Technology. Hangzhou XiongMai builds components and sells them to third parties that package them into their own products (the company has already recalled a number of its webcams, which lends credence to the idea that its hardware helped create the botnet). Krebs interviewed researchers at Flashpoint, who gave more details on the exploits in use.
IoT products are being leveraged for these kinds of attacks because many of them ship with hardcoded backdoor passwords, don’t allow the user to change the default password, and can be reached remotely over Telnet and SSH. “The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
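The combination described above (a fixed password baked into the firmware plus a Telnet or SSH daemon started at boot) is something a vendor or integrator can check for before a device ships. The following added example, not from Flashpoint or the article, audits a constructed, hypothetical set of files as they might be extracted from a firmware image; the file contents and the password hash are placeholders.

```python
import re
from typing import Dict, List

# Constructed stand-in for files extracted from an IoT firmware image.
# The hash is a placeholder, not a real device credential.
FIRMWARE: Dict[str, str] = {
    "/etc/passwd": (
        "root:$1$abcdefgh$PLACEHOLDERHASH0000000000:0:0:root:/:/bin/sh\n"
        "nobody:*:99:99::/:/bin/false\n"
    ),
    "/etc/init.d/rcS": "#!/bin/sh\nmount -t proc proc /proc\ntelnetd -l /bin/sh &\n/usr/bin/webui &\n",
    "/etc/init.d/dropbear": "#!/bin/sh\n/usr/sbin/dropbear -p 22\n",
}

def hardcoded_accounts(passwd: str) -> List[str]:
    """Accounts whose /etc/passwd password field is a baked-in hash.
    '', '*' and '!' mean locked or no password; 'x' defers to /etc/shadow."""
    found = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "*", "!", "x"):
            found.append(fields[0])
    return found

def remote_shell_services(fs: Dict[str, str]) -> List[str]:
    """Init scripts that start a Telnet or SSH daemon at boot."""
    daemon = re.compile(r"^\s*(?:/\S*/)?(telnetd|dropbear|sshd)\b", re.M)
    return sorted(
        f"{path}: {m.group(1)}"
        for path, text in fs.items()
        if path.startswith("/etc/init.d/")
        for m in daemon.finditer(text)
    )

def audit(fs: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag the Mirai-relevant combination: fixed credentials plus a
    remote shell the device exposes without any user control."""
    accounts = hardcoded_accounts(fs.get("/etc/passwd", ""))
    services = remote_shell_services(fs)
    findings = []
    if accounts and services:
        findings.append(
            f"fixed password for {', '.join(accounts)} reachable via "
            f"{', '.join(s.split(': ')[1] for s in services)}"
        )
    return {"accounts": accounts, "services": services, "findings": findings}

if __name__ == "__main__":
    for key, value in audit(FIRMWARE).items():
        print(f"{key}: {value}")
```

A device whose web interface cannot change the account flagged here, as Wikholm describes, fails the audit even if the web UI itself has a password.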
Flashpoint scanned for devices vulnerable to Mirai on October 6 and found more than 515,000 devices running on vulnerable hardware — and by “vulnerable,” we mean “vulnerable to this one type of exploit.” The total number of devices vulnerable to any exploit is estimated to be in the millions.
On the other hand, the OS and application markets for the PC were controlled by a relatively small number of companies. Nearly all of the smartphones, tablets, laptops, desktops, and servers in the world today run operating systems built by Apple, Canonical, Debian, Google, IBM, Microsoft, Red Hat, or SUSE. There are hundreds, if not thousands, of companies selling or developing IoT devices worldwide, and there’s no way for Google or Microsoft to build an OS so perfect that it can’t be misconfigured or deliberately designed to provide a back door. Heck, Microsoft has worked for a decade to secure Windows, and we’ve still seen major OEMs ship Windows configurations that were egregiously compromised by poor configuration decisions.
If it’s difficult to convince major manufacturers to secure $400 to $1,000 laptops, how much harder will it be to convince a Chinese manufacturer to care about the security of a $40 (or even a $4) part? Better security is absolutely required, but convincing companies to bake it in properly is going to be extremely difficult.