Wow, that headline sounds dramatic. Will we really need to battle our own connected kitchen appliances, smartwatches and printers at some point? To answer this question, let’s look at some recent events.
Taking Out Some Of The Most Frequently Visited Internet Services With One Attack
Just a few weeks back, a Distributed Denial of Service (DDoS) attack on the Domain Name System (DNS) service provider DynDNS caused a major outage of a number of well-known websites and brands (e.g. Amazon, PayPal, Spotify, Soundcloud, Twitter).
For those not familiar with the term “DDoS attack”: it describes a malicious attempt to prevent users from accessing a service (e.g. a website) by overwhelming the targeted computer system with a flood of traffic.
DNS providers like Dyn act as the “telephone book” of the web: they resolve domain names (e.g. ebv.com) into the IP addresses a client needs in order to connect to the right servers and fetch the requested content.
Like other managed DNS providers, Dyn also helps its customers withstand DDoS attacks against their services by redirecting users between sites with load balancing features (normally used to route user queries to the most efficient endpoint).
By now you probably see where this is going: if DynDNS is making Netflix, PayPal, Twitter etc. highly available through load balancing, why not attack DynDNS itself to shut them all down? As we now know, that is exactly what happened, and it was very effective: attacking a DNS provider instead of individual sites takes out, in effect, the entire internet for any user whose DNS requests are routed through that provider.
Countless Vulnerable IoT Devices Are Like An Army Of Minions That Can Easily Be Pulled To “The Dark Side”
An outage of platforms like PayPal and Amazon causes huge financial losses, and preventing users from accessing Twitter is a major attack on one of the largest social news distribution networks of our time. Even though the attacks were resolved within a few hours, this is very concerning.
The second reason this attack should turn heads rather than be treated as just another DDoS is that it came from millions of different IP addresses, obtained by infecting and abusing poorly secured IoT devices. These unwitting “DDoS soldiers” included common things like printers, webcams and other everyday devices.
This is feasible because all of these connected objects contain an MCU, and basic connectivity is enough to perform simple operations (e.g. sending a service request).
There are millions of IoT devices vulnerable to such manipulation. The malware used in the most recent events, called Mirai (its source code was recently published on Hackforums), continuously scans the internet for systems that are protected only by factory-default or hard-coded usernames and passwords.
Vulnerable devices are seeded with the malicious code and thus turned into bots that report to a central control server. From this control server the powerful DDoS attacks are launched.
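A bot recruited this way is itself a scanner, so a defender can spot an infected device on the LAN by the scanning behaviour: one internal address probing many outside hosts on the ports Mirai-style bots look for. The following is an added example, not code from the original post or from EBV; the firewall log format, the ports (23/2323, telnet) and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (format assumed): one connection attempt per line.
SAMPLE_LOG = """\
2016-10-21T11:00:01 src=192.168.1.20 dst=203.0.113.5 dport=443 action=allow
2016-10-21T11:00:02 src=192.168.1.50 dst=198.51.100.1 dport=23 action=allow
2016-10-21T11:00:02 src=192.168.1.50 dst=198.51.100.2 dport=23 action=allow
2016-10-21T11:00:03 src=192.168.1.50 dst=198.51.100.3 dport=2323 action=allow
2016-10-21T11:00:03 src=192.168.1.30 dst=198.51.100.9 dport=23 action=allow
2016-10-21T11:00:04 src=192.168.1.50 dst=198.51.100.4 dport=23 action=deny
2016-10-21T11:00:04 src=192.168.1.50 dst=198.51.100.5 dport=23 action=allow
2016-10-21T11:00:05 src=192.168.1.50 dst=198.51.100.1 dport=23 action=allow
2016-10-21T11:00:05 src=192.168.1.50 dst=198.51.100.6 dport=2323 action=allow
2016-10-21T11:00:06 src=192.168.1.30 dst=198.51.100.9 dport=23 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(allow|deny)$")
SCAN_PORTS = {23, 2323}  # telnet ports a Mirai-style scanner probes (assumption)

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, _action = m.groups()
    return ts, src, dst, int(dport)

def find_scanners(log_text, threshold=5):
    """Map each source IP to the number of distinct hosts it probed on a scan port,
    keeping only sources at or above the threshold (candidate infected devices).
    Denied attempts count too: the device tried, which is the signal we want."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, src, dst, dport = parsed
        if dport in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {count} distinct hosts on telnet ports: check it for infection")
```

Run against a real export, the same logic would flag 192.168.1.50-style behaviour while leaving a device that talks to a single host (192.168.1.30 above) alone.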
How To Protect Our Devices?
According to KrebsOnSecurity, Mirai is not the only malware currently “recruiting” vulnerable IoT devices to assemble a DDoS army.
This brings us back to the first question of this blog: Do we have to fight our devices? No, actually we need to protect them – both as a user and as a manufacturer.
As a user there are two things you can do: make sure you take advantage of all the security features built into your devices, and, most importantly, change every default password to a unique, strong one.
For devices that are already infected it gets a little more complicated – rebooting them removes the malicious code, but unless the password is changed they can be re-infected within minutes.
It is also a good idea to deactivate remote access on devices where you don’t use this feature.
For device manufacturers it will be important to develop new strategies to withstand sophisticated attacks and protect their devices. This is vital, since thousands of connected objects are added to the internet every day. Some easy-to-implement precautions are to stop using hard-coded passwords and to stop shipping default passwords. It could also make sense to disallow unauthenticated or unencrypted protocols for inbound connections (e.g. use HTTPS instead of HTTP).
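The user-side and manufacturer-side measures above can be turned into a simple configuration audit: check a device for default credentials, needless remote administration and unencrypted inbound services, and on the manufacturer side generate a unique password per unit instead of a shared hard-coded one. This is an added example, not code from the original post or from EBV; the config keys, the list of known defaults and the password policy are assumptions.

```python
import secrets
import string

# Factory-default credential pairs (constructed sample list, not a real inventory).
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("root", "")}
# Inbound services that are unauthenticated/unencrypted, with their usual ports.
PLAINTEXT_INBOUND = {"telnet": 23, "http": 80}

def password_is_weak(password):
    """Short or single-character-class passwords are treated as weak (simple policy, assumed)."""
    return len(password) < 12 or password.isalpha() or password.isdigit()

def audit_device(cfg):
    """Return findings for a device config dict (keys assumed): 'username',
    'password', 'remote_admin', 'remote_admin_needed', 'services'."""
    findings = []
    if (cfg["username"], cfg["password"]) in KNOWN_DEFAULTS:
        findings.append("factory default credentials still in use")
    elif password_is_weak(cfg["password"]):
        findings.append("password is short or low-entropy")
    if cfg.get("remote_admin") and not cfg.get("remote_admin_needed", False):
        findings.append("remote administration enabled but not needed")
    for svc in sorted(PLAINTEXT_INBOUND):
        if svc in cfg.get("services", set()):
            findings.append(f"inbound {svc} on port {PLAINTEXT_INBOUND[svc]} is unencrypted")
    return findings

def provision_password(length=16):
    """Manufacturer side: a unique random password per unit instead of a shared
    hard-coded one; retries until the simple policy above is satisfied."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_is_weak(candidate):
            return candidate

# Constructed sample configs: as shipped from the factory, and after hardening.
SHIPPED = {"username": "admin", "password": "admin", "remote_admin": True,
           "services": {"telnet", "http"}}
HARDENED = {"username": "admin", "password": "q7Rt9vLm2XpW4sZc", "remote_admin": False,
            "services": {"https", "ssh"}}

if __name__ == "__main__":
    print("shipped:", audit_device(SHIPPED))    # four findings
    print("hardened:", audit_device(HARDENED))  # []
    print("new unit password:", provision_password())
```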
However, there are still some very basic problems in IoT security which require more sophisticated solutions than the measures above. Many resellers of connected equipment like CCTV cameras buy their products from white-label producers and only rebrand and customize them before selling them to end customers. This creates a big problem, as neither the white-label company nor the reseller feels responsible for implementing expensive security features.
Even if the original hardware manufacturer built in per-device custom passwords, they would have to be distributed with the product, e.g. in printed form. This is logistically nearly impossible.
Furthermore, manufacturers will need to update their devices regularly to keep them secure in the future. This involves high costs, and for older products and models it is hardly possible.
In order to force manufacturers and resellers to implement the necessary security features, we will need standards and regulations that are enforced by governments and consumer protection commissions.
For support with security strategies and efficient implementation of security features in your designs, feel free to get in touch with our EBV experts.