Last weekend’s massive distributed denial of service (DDoS) attacks that crippled the internet came from a network of consumer devices including routers, IP security cameras and digital video recorders (DVRs). The events was a realisation of what security researchers have been warning for years; that the internet-of-things (IoT) can be exploited by cybercriminals for damaging attacks. Woeful security practices from technology vendors and software developers have made this problem worse and it could take years to fix these prevailing issues. Here’s what security pundits have to say about why the insecure IoT problem won’t be going away any time soon.
The DDoS attacks were specifically targeting dynamic domain name service (DNS) provider Dyn and they pounded its US datacentres with garbage traffic, incapacitating their servers. Dyn provides DNS services for a range of big internet-based companies and websites, including Spotify, Netflix, Twitter, the New York Times and Wall Street Journal. Those websites were either slow to load or completely inaccessible during the DDoS attacks.
One of the most troubling aspects of this incident is that attackers hijacked tens of thousands of simple basic internet-connected devices with the Mirai malware to create a botnet that targeted Dyn. Mirai’s source code was leaked last month which means it’s likely that these kinds of IoT attacks will become increasingly prevalent.
What is more concerning is how these devices were roped into this botnet in the first place and it highlights the glaring security potholes that have become too big to ignore. Consumer gadgets are getting smarter every day and we’ve seen a wave of internet enabled products flooding global markets. Technology vendors are obsessed with making ‘smart products’ that connect to the internet without even stopping to think if that’s really necessary. Smart kettles? Please.
This wouldn’t be such a big problem with all technology makers cared about security best practices. We’re not just talking about the big technology companies that should know better; plenty of budget technology vendors are flooding the market with cheap internet connected products and they either don’t know or don’t care about securing their goods to protect consumers. Hangzhou Xiongmai Technology, a company that makes parts for DVRs and internet-connected cameras admitted that security vulnerabilities involving weak default passwords in its products were partly to blame for the DDoS attacks over the weekend.
“We have a problem with consumer devices being shipped with default logins and passwords; there has not been any process in changing that,” Richard Johnson said at a panel discussion at Ruxcon 2016 in Melbourne. He’s a specialist in computer security and is currently the manager of vulnerability development for Cisco Talos. He said vendors often just ship out products like routers and security cameras with default passwords and expect users to change them later down the track; but users often don’t do this, which leaves their devices exposed as easy targets for attackers. “You can’t force consumers to change passwords.”
But even if users do change these login details, there is still prevailing problems at the software layer. Johnson noted that many developers for these products don’t follow best practices for secure software development.
“People are writing individual pieces of firmware at scale where they simply aren’t investing in doing things like code auditing and fixing problems,” he said. “Hopefully we will see some pressure from the market that people are interested in buying more sophisticated software or through policy where we’ll ban [insecure products being sold].
“… This is a big problem that is going to take maybe a decade or more to [fix].”
Having government or consumer groups vetting electronic goods to ensure they meet at least basic security requirements before they are sold in a given country is an approach that Johnson sees as one way to combat this IoT security issue, but he concedes that it would take a lot of time and effort.
“I think it’s going to becoming more a trend now that we will see IoT [attacks]. But the problem is on the defensive side we don’t have solution for those those vulnerable cameras and DVRs,” Methusela Ferrer, antivirus researcher at Microsoft’s Malware Protection Center, said at the Ruxcon 2016 panel. “We have source codes [for botnet malware] and we have workable codes working in the wild but we have no solutions — that’s the scary part.”
People are going to continue buying cheap internet-connected smart home devices and unless there is a concerted effort by these technology vendors to up their security game, expect to see more IoT botnet attacks in the future.