Last week’s massive distributed denial-of-service (DDoS) attack on the DNS provider Dyn should serve as a wake-up call: the Internet of Things ecosystem is completely, and utterly, broken. Poorly supported and insecure devices brought an important part of the Internet’s infrastructure offline and took many high-profile sites with it.
To recap, a very large-scale attack (Dyn says that tens of millions of discrete IP addresses were part of the attack that targeted them) hit Dyn last Friday (October 21). The first attack began at 7AM Eastern time and primarily affected users on the East Coast of the United States, but was mitigated in approximately two hours. A second attack at approximately 12PM Eastern affected more users globally; mitigation took an hour. A third attack was launched later that day but was mitigated without customers being affected at all.
Where did this attack come from? A large portion of this attack was carried out by Internet of Things (IoT) devices infected by Mirai malware, which we detect under the ELF_GAFGYT family. (There is no one single Mirai botnet anymore, as its source code was released to the public at the start of October and it can now be used by any attacker.)
Most of the blame for Friday’s attack was laid on the doorstep of a white label manufacturer of DVRs and webcams. This manufacturer has issued a recall for some of their vulnerable devices, which is a welcome (and potentially costly) move. It is likely that devices from other manufacturers were involved as well, however.
Figure 1. Overview of a Mirai DDoS Attack
The Attacks Will Continue Until Security Improves
It’s a bit of a stretch to call these attacks “unprecedented” – just a few weeks ago, Brian Krebs was hit with a DDoS attack by the Mirai botnet as well. What is certain is that until we find a way to secure the Internet of Things, it won’t be the last.
When it comes to the Internet of Things, the balance of power is currently in favor of the attacker: there are too many IoT devices that aren’t secured, can’t be secured, and won’t be secured. Denial of service attacks just became an even more potent threat: threatening companies with being knocked offline just became a far more potent and believable idea.
IoT itself brings real-world consequences to DDoS attacks – what happens when these devices can’t connect to their central servers? Sometimes, they don’t handle it well. It used to be that a DDoS attack was, in the grand scheme of things, only an annoyance. Now, with more and more important functions going online, it’s a serious threat.
A Broken Ecosystem
Clearly something has to be done about securing the Internet of Things. Unfortunately, saying this is a difficult problem is an understatement. We can’t expect users to suddenly become experts and secure their devices. The number one priority of end users has, and always will be: make their stuff work.
What about the sellers of IoT gear? Not all of them might have the technical know-how to fix what they sell. In some cases these sellers merely rebrand the products sold by white label manufacturers. Can a mere reseller and importer of goods actually support what they sell? The answer is: probably not.
This leaves us to the actual manufacturers of IoT gadgets. Unfortunately, commercial pressures have meant that post-sales support for these devices is poor. Security is not a priority – ease of use, new features, and a quick time to market are. An IoT OEM has no reason to invest in security – no vendor has gone out of business because their product is insecure. In addition, long-term support costs time, resources, and money – all things a manufacturer wants to reduce.
In short, no one here has the incentives to do the right thing – secure their IoT equipment. As far as security is concerned, the IoT ecosystem is broken.
Will regulators have to step in?
This breakdown in the world of IoT isn’t sustainable in the long term. Once the real-world consequences of this IoT insecurity are clear, it’ll become increasingly likely that government regulations would have to be enforced.
Regulations have long been considered unwelcome in tech circles, but would it really be that unprecedented? Most electronic devices already need to meet various safety standards. Would a certification against basic security mistakes be that far off?
It would be asking too much to ensure that any IoT gadget would have no vulnerability. However, would it be too much to ask for basic security mistakes – open ports, default credentials like admin/admin and sent without encryption – to be excised from IoT gear? If the IoT manufacturers want to make their devices part of the daily lives of their users, would it be too much to ask them not to burn down the rest of the Internet along the way?
IoT security will get better – eventually
In the long run, better IoT security is coming. The consequences of insecure IoT will become painfully clear, and it will be considered unsafe and perhaps illegal. You can’t sell unsafe cars or appliances – and in the future, neither will you be able to sell, say, an online camera with a wide open telnet server.
How will the IoT industry get better at making secure devices? In effect, they will either be forced to learn improved security practices or face not being able to sell their products at all. Simple awareness of the security risks will be enough to remove the most egregious flaws found in current IoT devices. Security vendors such as Trend Micro are also working on technologies and products that ordinary consumers can use to secure their own home networks. (We already detect the Mirai malware, and our TippingPoint products are capable of detecting Mirai-related network traffic as well.)
We’re already seeing some signs of progress, both on the part of industry and regulators. The European Commission is now considering new regulations to cover the security of IoT devices. Industry groups have released a road map for securing IoT devices. We’re seeing the beginnings of an ecosystem start to take security seriously, and it is happening not a moment too soon.
The transition from an insecure ecosystem to a secure one will not be painless. Until we do manage to get there, we will see more serious security incidents that were made possible by insecure IoT. It is up to the IoT industry, security vendors, and regulators to help make that transition as fast as possible.
Note: After publication of this entry Dyn revised the number of endpoints responsible for this attack to “up to 100,000”.
