Last updated: 01 November 2016
I’m sure more than a few of you were affected by last week’s Internet disruption. Netflix, Twitter and CNN were just a few of our favorite sites crippled by a DDoS (Distributed Denial of Service) attack. In a situation reminiscent of the 80s Stephen King movie Maximum Overdrive, the machines attacked and wreaked havoc on our online lives. It was only a matter of time before there was a widespread attack on IoT (Internet of Things) devices. First, many of these devices lack strong security, having hardcoded or default user names and passwords, making them ripe for the picking. Second, because of the sheer volume of internet-connected things, IoT-targeted attacks have the potential to be massive and widespread.
No surprise that Friday morning’s DDoS attack, was the largest of its kind in history, involving more than 100,000 malicious endpoints and striking with beastlike strength at 1.2 terabytes per second. DDoS attacks are not new—think back to a spoiled 2015 Christmas for Xbox Live and PSN players—what makes this attack unique was its use of “things” to wage the war. The malware associated with this attack, the Mirai botnet, set its sights on IoT devices such as routers, DVRs, and digital cameras—many things we have in our homes and offices. The Mirai botnet scanned the Internet for IoT devices with weak security standards (speaking again of those hard-coded or default user names and passwords). Exploiting these, the botnet infected the devices and directed them to a control system, where they prepared to do battle and hammer websites with traffic to try to take them offline.
The direct target of the Mirai attack was DNS (Domain Name System) service provider Dyn. Dyn controls the majority of the Internet’s DNS infrastructure and provides services to some of the most visited websites. So when Dyn was hit, the damage trickled down to its millions of customers, including Amazon, Spotify and Reddit. But Forrester has a slightly different take on the situation. The research giant blames “poor planning” on the part the brand giants themselves, saying businesses are careless to depend on a sole DNS provider. But is it feasible to have more than one DNS provider? Many businesses will say no because of cost or complexity to the IT infrastructure.
Experts also point a finger at the manufacturer of the devices themselves. Compromised digital video recorders (DVRs) and IP cameras made by Chinese manufacturer XiongMai (XM), are targeted as the primary culprits. XM white labels these components that are sold down the line to many different vendors who use them in their own products. Again we go back to the password issue. Shockingly, passwords are hardcoded into the firmware of these XM products and users are unable to change them. XM issued a statement on social media Monday after the attack, saying it would be issuing a recall on millions of devices, mainly its network cameras.
Now that the gate has been opened for large-scale attacks on things, we need to focus our attention on how to secure the quickly expanding world of IoT. Vendors of these devices need to, at the very least, ensure they are protected with dynamic passwords. But to really ensure something like the Mirai botnet isn’t able to infect these things, manufacturers must secure the communication between the devices. Between one device to another and to the master device. So how do we ensure communication is secure and will not be intercepted or altered? Basically there are four critical points to consider. This was covered in a previous blog, 4 Fundamentals to Ensure IoT Security. You can also read much more about IoT security in our ebook, A Safer Internet of Things.
Four fundamentals to ensure IoT security
1. Authentication/identification: Each device needs to reliably identify itself and prove that it can securely communicate with other devices in the system. This can be achieved using a combination of digital certificates and hardware-based anchor of trust. Strong user authentication should also be implemented to control user access.
2. Confidentiality: Encrypt all data, in physical networks, virtualized environments, the cloud, or in motion, to protect it from unwanted disclosure. Data encryption obscures vital information, making it useless even if it is compromised. Only authorized recipients will be able to decrypt the content.
3. Integrity: It is important to protect data from unauthorized modification such as malicious code injections. Code signed with digital certificates can be used to verify the integrity of the data and make sure that the content has not been tampered with or altered during transmission.
4. Non-repudiation: This serves as irrefutable proof of the validity and origin of all data transmitted. Digitally signed documents and transactions using hardware security device can provide strong non-repudiation for the date and origin of transaction.
So that is the story of When Things Attack: The Mirai DDoS Attack and the Weakness of IoT Security. It’s a scary tale, just in time for Halloween. Forrester said this of the Mirai attack “It’s a shocking demonstration of the fragility of — and our dependence on — a completely connected world.”
Check out Gemalto’s expansive portfolio of certificate-based authentication smart card solutions and Hardware Security Modules that can ensure the safe communication between the things and help prevent a Stephen King book from coming to life.