The Internet of Things has been a hot topic for a while now, and not always for the right reasons. People say there’s no such thing as bad publicity, but this isn’t one of those occasions. Right from the coining of the term “The Internet of Things” back in 1999, people have always been skeptical about security issues, and the Dyn outage of 2016 showed them that their fears weren’t misplaced. The attack took place early on October 21, and though DDoS attacks are quite common and Dyn executives are used to dealing with them, within a short span of time it became clear that this attack was different. The attacks came in three waves and caused a lot of chaos, with top websites including Tumblr, Twitter, Verizon, Amazon, and Reddit losing service. What was different about this attack was that it took advantage of the huge gaps in IoT security and basically turned the machines against us.
DDoS attacks and how they work
Like most cyberattacks, there isn’t really any hard evidence lying around that can be traced back to the attackers, but here’s the breakdown of what we do know. The attack essentially exploited the use of inexpensive and mass-produced microchips in IoT devices that lacked basic security measures. These devices used factory default usernames and passwords. This not only put all DNS providers on notice but their customers as well.
In a distributed denial of service (DDoS) attack, multiple compromised IoT systems are infected with malicious code and used to target a single system, in this case Dyn’s DNS service. The malicious code in this attack was the Mirai botnet, which was responsible for the majority of the traffic that disrupted services at Dyn. Named after the Japanese word for “future,” this piece of malicious code causes all infected devices to continuously scan the Internet for vulnerable IoT devices and is armed with 60 common factory default usernames and passwords. All infected devices become part of a botnet that is then used for large-scale attacks like the one on Dyn. Apart from the Dyn attack, Mirai was also used in the attacks against security journalist Brian Krebs, French webhost OVH, Deutsche Telekom, and Liberia’s Internet infrastructure.
Clear and present danger
Since there are still hundreds of thousands of IoT devices that use default settings, the threat is very real and we could definitely see more attacks of this nature in the near future. Add to that the fact that whoever wrote Mirai has been so kind as to post it on hacker forums as “open source,” and a lot of its code is being adapted to other malware projects as we speak.
The threat is so real and imminent that a lot of manufacturers are not only recalling their hardware but now turning to chips that have more processing power so that better security measures can be implemented. The main issue is that targeted devices like digital video recorders and home routers are small and require limited processing power. While these devices are able to do the jobs they were originally designed for, when it comes to secure encryption over the Internet, they just don’t cut it anymore.
Considering that the IoT will have over 26 billion installed devices by 2020, this is more than just a big problem. A breach in security could mean someone could turn on appliances in your house, follow you home through a fitness monitor strapped to your hand, or just simply be a nuisance to society.
When John Romkey created the first “Internet Device” in 1990 by hooking up his toaster to the Internet, he probably didn’t think that one day the president of the United States would be talking about IoT security as one of his top priorities. A 90-page report commissioned by former president Barack Obama as a first and foremost recommendation for the new president Donald Trump clearly states the need for improving the security of networks and achieving robustness against DDoS attacks in particular. The report includes 16 recommendations and 63 associated action items.
Building security from the ground up
At the heart of the matter, however, is the fact that most systems will need to be replaced altogether. Like cars, you can’t take an old jalopy and put in airbags and ABS, and the same goes for the IoT. Security is something that needs to be planned from the start and the whole design has to change from being functionality-based to security-based. The cost of recalling devices and fixing bugs actually far outweighs the cost of building secure devices in the first place, not to mention the losses caused by successful attacks like the one on Dyn. Replacement is the only option in some cases because using encryption is possible on big x86 chips, but a lot of IoT processors like the ones on targeted devices have a fraction of the processing power necessary to be secure.
Smart homes are all the rage at the moment with people being able to control everything from the water heater to the oven via their smart phones. What people don’t realize is that most smart home products at the moment are fixed-function devices, which means that they cannot be upgraded for added security once they are shipped. So if hackers find a hole in their security software, homeowners essentially have two choices: throw the device away or be hacked!
Education and awareness
As awareness increases about the reality of the problem, manufacturers who think about security from the get-go are going to be preferred over the ones that end up patching vulnerabilities on the fly. The best way to ensure security at the software level is to have automatic updates. Even the best antispyware or antimalware software would be rendered useless without automatic updates, and the IoT is no different. Manufacturers need to plan for this and realize that the investment is worth it when compared to the disasters that could follow if they leave this feature out.
Apart from automatic updates, the design of IoT systems needs to be security focused by nature, and a number of fail-safes need to be built into the system from scratch. Just like fuses are used in electric circuits so that one faulty device doesn’t bring down an entire grid, fault-tolerant systems need to be designed that throttle sudden spikes in requests so that even when systems do get compromised they do not affect the entire DNS system and bring it down with a billion malicious requests. In some cases devices are actually built with encryption enabled, but many non-savvy customers don’t know that their devices are using factory default credentials. For example, there’s no shortage of people who surf the Internet with a router that has the username “admin” and the password “password.” In such cases, educating customers about using unique credentials and securing their WiFi is important, not just for them but for the entire network.
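The "fuse" idea above can be made concrete with a per-source token bucket, which caps how many requests any single device can push through no matter how hard it floods. The following is an added example, not code from the original article; the class and function names, the rate and burst values, and the sample addresses (documentation ranges) are all assumptions chosen for illustration.

```python
from collections import defaultdict


class SourceThrottle:
    """Per-source token bucket: `rate` requests/s sustained, `burst` at once."""

    def __init__(self, rate, burst):
        self.rate = rate                # millitokens refilled per millisecond
        self.capacity = burst * 1000    # bucket size in millitokens
        self.buckets = {}               # source -> (millitokens, last_seen_ms)

    def allow(self, source, now_ms):
        tokens, last = self.buckets.get(source, (self.capacity, now_ms))
        # Refill for the elapsed time, never above the burst capacity.
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        allowed = tokens >= 1000        # one request costs one whole token
        if allowed:
            tokens -= 1000
        self.buckets[source] = (tokens, now_ms)
        return allowed


def replay(events, rate=5, burst=10):
    """Replay (timestamp_ms, source) events; return {source: (accepted, dropped)}."""
    throttle = SourceThrottle(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for now_ms, source in sorted(events):
        stats[source][0 if throttle.allow(source, now_ms) else 1] += 1
    return {source: tuple(counts) for source, counts in stats.items()}


def constructed_traffic():
    """Constructed sample: a well-behaved client and a flooding device, 10 s each."""
    normal = [(t * 1000, "192.0.2.10") for t in range(10)]    # 1 request/s
    flood = [(t * 10, "198.51.100.7") for t in range(1000)]   # 100 requests/s
    return normal + flood


if __name__ == "__main__":
    for source, (ok, dropped) in replay(constructed_traffic()).items():
        print(f"{source}: accepted={ok} dropped={dropped}")
```

Integer millitokens and millisecond timestamps keep the accounting exact, so the well-behaved client is never penalized by the flooding one. A per-source limit only bounds each device's contribution; a flood spread across many devices also needs an aggregate limit on the service as a whole.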
This is one of those problems that are almost invisible until it’s too late, quite like global warming. No one really cares about the polar ice caps melting till the weather gets freaky in their own backyard. With the number of IoT devices expected to outnumber human beings by almost 4:1 in the next few years, manufacturers have their work cut out for them in terms of getting their act together. And they’d better do it ASAP.