(this article previously appeared on Knack-Datanews)
On October 21, the world was confronted with an unprecedented DDoS attack, mostly caused by insecure Internet of Things devices. IoT manufacturers were put under scrutiny, and we were all given a sneak peek of the consequences of not including Security by Design. Where do we go from here?
The facts: on October 21 a Distributed Denial of Service (DDoS) attack on the DNS provider Dyn caused disturbances on the internet. Dyn is the equivalent of the internet Yellow Pages; they direct you to the right IP address when you type in the URL of a website. DDoS’ing them is therefore a simple but effective way of making a large number of websites inaccessible. No Netflix and Chill, no Reddit, no Twitter. In short, people had to go outside and be productive.
DDoS attacks are as old as the internet itself. When a server is flooded with requests, it cannot reply to other legitimate requests. This happens sometimes when a site becomes unexpectedly popular and has a surge of visitors, but a malicious DDoS attack usually uses infected computers to spike the visitor requests.
A lot of organisations have tried to put measures in place to mitigate DDoS attacks, yet this incident was remarkable because of its size. Dyn reported that more than 10 million IP addresses were involved, the equivalent of 1.5 terabytes per second.
It was discovered that this was mostly possible because of the festering supply of vulnerable Internet of Things appliances.
Internet of shit
The security community has been cursing the Internet of Things for a while now, often scorning it as the #InternetOfShit. These are all the appliances and gadgets that can (often needlessly) connect to the internet, like your TV, security camera and fridge, but also your car, your toaster, your lightbulbs, your door lock, and even your bottle of wine. It is estimated that in 2016 about 6 billion appliances are connected to the internet. A dizzying number.
When more appliances are connected to the internet, there are more devices to infect, and each infected device contributes computing power for attacks.
The creators of the Mirai virus knew this too: it purposefully infected IoT devices. Millions of infected IoT appliances were thus added to a botnet, creating a monster army of zombies that were used for DDoS attacks, unbeknownst to their owners.
A logical step, if we want to prevent such attacks in the future, is cleaning up those devices. A lot of users know by now that they need to install antivirus software on their computers, but are not aware that their television or security camera can also be infected and participate in attacks. There is very little motivation for users to do something about this, since the impact of the infection is nearly unnoticeable in daily use.
Every country thus has the responsibility to notify users who show up in the IP logs of recurring DDoS attacks. They can inform the general public, generate awareness, and use certain incentives to secure IoT devices. This way, the zombies can be deactivated and botnets can lose their strength.
An IoT that deserves our trust
Unfortunately, users cannot do much themselves if they are not even capable of securing their devices. It appeared that Xiongmai, a Chinese producer whose devices were omnipresent in the attack on Dyn, had set default passwords on its devices that couldn’t even be modified.
This was apparently the case with all devices sold before 2015. This kind of vulnerability is sadly recurrent in many devices. If the password cannot be modified, the device can most definitely be controlled by someone else.
Producers are still free to choose how much security they want to install. There is no international security norm for connected devices. Since a cyber-secure connected toaster isn’t exactly a big selling point, this step is often skipped to cut costs.
It is therefore important to call IoT producers to account, force them to have minimum security standards, and penalise those that don’t.
Organisations like the Internet of Things Security Foundation and volunteers of the security collective I Am The Cavalry are taking matters into their own hands by setting up security frameworks. The latter even managed to make the producers of medical devices swear a Hippocratic oath to no longer sell devices that do not have built-in security.
The EU is also developing a proposal to force companies to abide by certain security standards, and to find a labelling system for secure IoT devices.
While it’s certainly useful to secure European production, it lacks some impact in a globalised world. If producers are prohibited from using cheap Chinese components when they don’t abide by those standards, it will be hard to stay competitive. If there’s little knowledge of the issue, few consumers will pay more for a “secured” IoT device.
We need international rules, although it’s not bad to start with a European label.
Too little, too late
When IoT devices were built without proper security settings, it’s difficult to secure them afterwards. It’s commendable (and necessary!) that we try to force security by design right now, but it’s actually too late already.
The IoT craze started a while ago, and many appliances were sold that can’t install patches remotely. Often users must perform a manual firmware update, or even hand in their appliance. Since many of those devices, which are often household appliances, are only replaced by their users after 5 to 10 years, it’s quite possible we’ll still be living with the consequences of the IoT zombie army for a while.
It’s very pessimistic to say, but this is only the beginning.