On Friday October 21, 2016, internet infrastructure provider Dyn was the victim of a distributed denial of service attack (DDoS). Data shows that an army of compromised connected devices was mobilized to execute the attack, leveraging recently published source code for the Mirai strain of malware. This attack took major, widely used services offline, including Netflix, Spotify, Twitter, Amazon and more.
A DDoS attack floods a service with traffic in a way that makes it unusable for legitimate users, as the service is overwhelmed by the malicious traffic and can’t process the legitimate traffic. Imagine you want to walk into the front door of your office building, but at the same moment, 1,000,000 people are trying to get into the door in front of you. Same idea, your access is effectively denied. A botnet is a network of compromised computers mobilized to perform attacks that require a volume of computational power. The current state of security in the internet of things makes this vastly expanding collection of devices the perfect candidate for DDoS attacks.
For years, security experts have been highlighting security flaws and organizing hacking contests to press for improvements in connected devices. But until the Dyn attack, there were not many real-world victims to point to as an example of the scope of the problem. And then came the Dyn attack.
Now, as companies, users, law enforcement and the security community react to the aftermath, there are many questions floating around about what this means. I’ve been pretty much glued to the phone over the past week, helping reporters and others make sense of all of this. Here is an aggregation of the various questions I’ve been receiving, and a summary of my analysis on the issue.
1) Do you expect IoT botnets to get worse before they get better? Why or why not?
Yes. I anticipate IoT botnets will get worse before they get better. IoT adoption is expanding rapidly, while security concerns are largely either not a priority or not understood by manufacturers in IoT. This will lead to an increasingly expanded pool of connected devices that could readily be leveraged in attacks that are not only similar, but are likely even larger.
2) How will the attack on Dyn impact the state of IoT security and the conversation surrounding it?
This incident is already having a positive impact on the conversations around IoT security. Security professionals like us have for years been articulating the dangers of deploying such connected solutions without adequate security considerations. Those warnings have largely gone unheeded. However, the DDoS attack against Dyn has certainly captured the mainstream attention, and that is fostering some very positive and productive conversations about what to do about it. It’s still early, so only time will tell if these conversations have a lasting impact.
3) Will manufacturers start paying more heed to security in their devices?
I hope so! Time will tell. The only difference between today and the days before the DDoS against Dyn is that now there is a clear and harrowing example to point to; but the root concerns that security professionals have been advocating for a long time remain unchanged for the moment.
4) Do you think we’ll see the U.S. government accelerate development of baseline requirements, standards or regulation for connected devices?
I am generally not a proponent of regulation, especially regulation intended to be a security measure. As we’ve seen on numerous occasions in the past, such regulation almost always misses the mark, is too riddled with compromise, and takes so long to develop and implement that adversaries have evolved well beyond it. A perfect example is HIPAA and HITECH, which have become the de facto security standards in the healthcare industry. However, those frameworks really only address issues surrounding patient data, yet do little to address patient safety. We recently published research that analyzed this very problem.
My hope is that this incident will inspire manufacturers of connected devices to self-regulate and better consider security in their development processes. I also hope this will raise awareness for both businesses and consumers who purchase connected devices, so that they can vocalize demands for better security in connected devices. Fundamentally, until the market demands it, manufacturers will not change. Why would they?
5) Who is hacking IoT?
That remains to be seen, in this particular case. I have a theory that the real purpose of the Dyn attack is not what we see on surface level. For instance, denying users access to Netflix, Spotify, etc. is of course annoying, but hidden somewhere in the haystack of disruption may be the single use case that the attackers wanted to both target and then obfuscate. Taken in conjunction with other attack elements, the temporary takedown of the internet would be an excellent cover for a much larger, more devastating attack scenario, one that could either play out soon or not for a very long time.
That theory aside, here are the broad strokes of the different adversaries and why they would attack:
- Casual hacker. These are explorers, usually motivated to achieve notoriety. If this type of adversary is responsible, the motivation would be as simple as proving that they could do it.
- Hacktivist. This adversary attacks in order to make a political statement. Taking certain high-use services offline for a period of time would be an excellent way to draw attention to whatever cause this adversary might be interested in advocating about.
- Corporate espionage. These are companies who attack each other to obtain competitive intelligence or advantage. This could be competitors to Dyn, competitors to the high-use services affected by the incident, or the competitor of anyone who might potentially be perceived poorly as a result of this event.
- Terrorist. This group seeks to elicit fear. My instincts suggest that it’s probably a stretch for this group to be behind the Dyn attack, unless this is just the first in a multistage attack that would later compromise something with life-and-death implications. As per my theory above, it’s not unreasonable that this incident was an attempt to cover the tracks of a larger scheme.
- Organized crime. This group seeks to obtain profit. There are many ways organized crime could have profited off of this event, including by playing the market, e.g., by taking market positions that benefit from the chaos that ensues due to internet outages.
- Nation States. This group seeks to obtain geopolitical advantage, perform cyberwarfare and pursue intelligence gathering activities. If it was this group, it’s likely they were testing system weaknesses, evaluating response timelines and processes, all in the interest of gathering intelligence for another future attack.
6) Should we be considering product recalls of vulnerable devices?
Unfortunately, I don’t think product recall is very realistic. Such actions are expensive, brand-damaging and resisted by the afflicted manufacturers. Most notably, recalls are typically enforced by a government entity requiring the manufacturers to do so, in consideration of a published standard that has not been met. Neither of those conditions exists in the case of IoT devices, so short of a voluntary recall by the manufacturers, it’s unfortunately not a realistic outcome.
However, what is a more realistic outcome is to expect manufacturers moving forward to better build security into their solutions. As widespread as IoT is today, it is nevertheless still in the infancy of adoption. Without more proactive efforts to consider security, things are going to get much, much worse. But if those proactive steps can be taken, new solutions hitting the market will be less susceptible and, over time, the woefully insecure solutions that dominate the market today will eventually be phased out through user upgrades.
7) How are these devices being weaponized?
One of the issues we’ve spent years advocating about is that these devices are being deployed with fundamental, design-level security flaws. Some of the examples we’ve seen come out of IoT Village include things like services running as root, built-in backdoors, lack of encryption, weak key exchange, hardcoded passwords and more. The issue of hardcoded passwords is precisely what Mirai took advantage of, scanning for devices that had default credentials, especially ones that could not be changed. When such basic design flaws exist, a system will never be able to be secured after the fact.
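As an added illustration (not code from the original post) of what that credential-scanning pattern looks like from the device's own logs: a small detector, assuming a constructed telnet-daemon log format, that flags sources trying many usernames within a short window and reports which of them then logged in successfully, the signature of a default credential working.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example; real telnet/SSH daemons differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) "
                     r"user=(?P<user>\S+) from=(?P<src>[\d.]+)$")

def parse_line(line):
    """Return a dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m and {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                  "result": m["result"], "user": m["user"], "src": m["src"]}

def find_credential_scanners(lines, min_users=3, window=timedelta(minutes=5)):
    """Flag sources whose failed logins hit >= min_users distinct usernames
    within `window`. Returns {src_ip: sorted usernames tried}."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "failed":
            attempts[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, evs in attempts.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window over attempts
            users = {u for t, u in evs[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

def likely_compromised(lines, **kw):
    """Scanners that later logged in, i.e. a default credential worked."""
    scanners = find_credential_scanners(lines, **kw)
    hits = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "ok" and ev["src"] in scanners:
            hits[ev["src"]] = ev["user"]
    return hits

# Constructed sample: one scanner that eventually gets in, one benign typo.
SAMPLE_LOG = [
    "2016-10-21T11:59:58Z telnetd: login failed user=root from=198.51.100.7",
    "2016-10-21T12:00:01Z telnetd: login failed user=admin from=198.51.100.7",
    "2016-10-21T12:00:03Z telnetd: login failed user=support from=198.51.100.7",
    "2016-10-21T12:00:05Z telnetd: login ok user=support from=198.51.100.7",
    "2016-10-21T12:07:41Z telnetd: login failed user=alice from=203.0.113.5",
]
```

Devices that let an operator rotate the credentials in the first place are the ones where such an alert can still lead somewhere; where the password is burned into firmware, the alert only confirms the design flaw the text describes.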
8) To what degree does this recent attack allow companies to defend themselves against future such attacks?
It doesn’t. At least not directly; this incident has raised awareness, not only for infrastructure providers similar to Dyn, but also more broadly for users and manufacturers of connected devices — however, that doesn’t inherently make them ready to defend. All that said, there is a silver lining benefit here: the DDoS attack against Dyn has grabbed the attention of the mainstream, and this is fostering some very positive conversations about how to better consider modern adversaries. If those promising conversations continue — and companies choose to invest appropriate financial and manpower resources towards addressing the challenges — then those companies will soon be better equipped to defend against such attacks. But that is a future state as a result of this attack, not a current state.
9) How likely is another such attack?
Highly probable, bordering on guaranteed. This attack demonstrated a few things:
- It works
- It’s relatively easy
- It’s hard to get caught
- It gets the attention of consumers and businesses alike
- There is not a viable defense against it for the foreseeable future
- IoT adoption is rapidly increasing, while security considerations in connected devices remain largely absent. Thus, the attack surface and pool of viable candidates for an even bigger botnet will only increase.
So given all of these, I can’t envision a reason why it wouldn’t happen again, until such a time when the state of security in IoT improves.
10) Could similar such attacks be carried out in a way that would have broader or more powerful effects on the internet?
Yes. A precarious evolution in this attack would be one that dovetails multiple attack stages in a way to cause chaos and harm on a large scale. For instance, imagine disabling certain public safety functions — such as the 911 emergency response platform — in conjunction with another attack that required the response of police and fire departments. There are many scenarios in which such a combination would have a very dire outcome.
11) What is the solution to this cybersecurity problem?
Like so many aspects of the current defense landscape, there is not a simple solution, but rather a combination of elements, including:
- Build security in. Security needs to be integral to system design, not an element added at the end of the development process. This is the primary reason why connected devices today fail.
- Security is a community problem. Manufacturers, users, security researchers, regulators, executives/leaders of industry and many other parties must all play important roles in driving progress. No single entity owns the entire security problem and thus no single entity can deliver the entire solution. This is why we run events like IoT Village and SOHOpelessly Broken, to galvanize the community towards a solution.
- Assessment matters. Make no doubt about this one thing: whether or not companies proactively try to find their flaws, the adversaries will investigate to find them. So it is imperative for companies to proactively assess their solutions and network infrastructures for security flaws. Most connected devices have not gone through any sort of security assessment, let alone a rigorous one.
- Methodology matters. Assuming companies can agree with the previous point, it is just as important that they consider how they approach security. Penetration testing has become a beloved approach to try and find flaws; however, this approach is typically largely automated and entails little or no knowledge about how the system functions; this results in low-value findings. Companies should instead be understanding how adversaries think and operate, and considering much more rigorous, manual security assessment accordingly.
- Adhere to principles of secure design. These are universally understood paradigms upon which to build systems resilient against attack. Many companies fail to even think about these principles, let alone implement them properly. If companies can better consider these principles, the likelihood of compromise will reduce significantly.
The attack against Dyn is extremely problematic and should be condemned. However, if we as a community can use this as a call to arms, to start mobilizing on some of these solutions, then the future can be bright indeed. At ISE we are organizing a handful of upcoming events on this very topic, including IoT Sandbox, IoT Village and SOHOpelessly Broken. These events run at upcoming conferences such as RSA Conference, DEF CON, ToorCon, DerbyCon, BSides DC, BSidesBaltimore and more coming soon. If you want to participate as a researcher, attendee, sponsor, volunteer, or help out in any other way, please contact us today! This is a community problem, which requires a community solution.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.