Bad omen for the IoT future
By Ajith Ram November 10, 2016
- Recent attack due to very weak IoT security
- Immediate overhaul of IoT security required
OF ALL the cyberattacks in 2016, the one on Oct 21 that disrupted much of the internet could very well go down in history as one of the biggest and most significant. It could also turn out to be a bad omen for the impending Internet of Things (IoT) future.
The evidence so far points to multiple botnets of internet-connected gadgets being responsible for blocking access to the Domain Name Service (DNS) infrastructure at DNS provider Dyn. Botnets are coordinated teams of compromised devices that send malicious network traffic to their targets. These 'evil' botnets were controlled by Mirai, a self-spreading malware for IoT devices.
Once the hackers took control of these devices, the devices were instructed to send an overwhelming number of requests to Dyn, which serves up the websites for Netflix, Google, Spotify and Twitter. When the traffic became too much to handle, the sites crashed. It was an old-school attack called a distributed denial of service attack, or DDoS.
In a blog post after the attack, Dyn said "tens of millions" of devices were involved in the attack. More troubling still, other systems which were not infected with Mirai were also reportedly involved in the coordinated attack on Dyn. This could mean that hackers have learnt to integrate multiple malware-infected systems for a single coordinated attack.
The objective may have been blackmail as the attacker asked for a payout from Dyn. The huge disruption caused by the attack could also prompt copycats in future. Always ready to take credit, Wikileaks urged its "supporters to stop taking down the US internet" after the attack.
Interestingly, Dyn is the name service provider for Sony’s PlayStation Network, which was also hacked in 2011.
The really troubling aspect of the October attack is that the world has not even properly entered the predicted IoT future. The attack highlighted the immense disruptive power of the millions of badly protected IoT devices. This army of 'evil' can be unleashed on individual websites or the core infrastructure of the internet.
Mirai is not the first IoT botnet to make headlines. LizardSquad's infamous 'stresser' service was built on compromised home Wi-Fi routers. These were used for attacks on the PlayStation Network and Microsoft's Xbox Live service.
The attacks themselves had been predicted by security researchers for years. Mirai is hardly a piece of great software engineering. It just uses some of the worst security decisions made by manufacturers of internet-connected devices. Despite rising alarm and a growing number of warnings, these security fiascos will hobble the net and consumers for years to come.
Most of the devices compromised by Mirai use firmware from Chinese electronics manufacturer XiongMai Technologies. According to Fortune magazine, the company has recalled its devices after the attack.
XiongMai blamed the hack on users not changing the default passwords. But many experts disagree. They say that the reason XiongMai's firmware is such an easy target for Mirai is that it includes a setup interface that is a hard-coded 'backdoor'. This is an administrative username and password which cannot be changed. The default credentials are hard-coded into the firmware.
The affected devices include Panasonic printers, SNC and ZTE routers, dozens of network-connected cameras and digital video recorders. To make matters worse, some of these default passwords cannot be changed by the user. In other words, most of the company's devices are like cars with open doors.
The additional problem is that changing the default passwords is no guarantee of protection. Hackers now have very sophisticated methods at their disposal like hacking Telnet and SSH. Telnet and SSH are command-line, text-based interfaces that can be accessed via a command prompt - just like the one in Microsoft Windows.
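The three cases described above (a default password never changed, a login hard-coded in firmware, and a changed password with Telnet or SSH still reachable) call for different responses. The following is an added example, not from the article: it checks whether a device you own accepts Telnet or SSH connections and maps each case to an action. The login-state labels, device names and inventory are assumptions constructed for illustration.

```python
import socket

# Added example. Service names come from the article; 23 and 22 are the
# standard Telnet and SSH ports. Login-state labels are assumed here.
REMOTE_SHELLS = {23: "Telnet", 22: "SSH"}

def exposed_shells(host, ports=REMOTE_SHELLS, timeout=1.0):
    """Return names of remote-shell services on `host` that accept TCP."""
    found = []
    for port, name in sorted(ports.items()):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(name)
        except OSError:          # refused, filtered or unreachable
            pass
    return found

def triage(factory_login, shells):
    """Map one device's state to an action.

    factory_login: "changed"   - owner replaced the factory password
                   "default"   - factory password active, can be changed
                   "hardcoded" - fixed in firmware, cannot be changed
    shells: result of exposed_shells() for that device
    """
    if factory_login == "hardcoded":
        # No password change removes this login; the remaining control is
        # keeping the login interface unreachable.
        return "isolate or replace" if shells else "keep off untrusted networks"
    if factory_login == "default":
        return "change password now" if shells else "change password"
    # A changed password is still a single secret behind an open shell.
    return "close or firewall " + "/".join(shells) if shells else "ok"

# Constructed inventory (hypothetical devices, no real addresses).
INVENTORY = [
    ("dvr-lobby", "hardcoded", ["Telnet"]),
    ("cam-dock", "default", ["Telnet", "SSH"]),
    ("router-lab", "changed", ["SSH"]),
    ("printer-2f", "changed", []),
]

def report(inventory=INVENTORY):
    return {name: triage(login, shells) for name, login, shells in inventory}

if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name:12} {action}")
```
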
There can only be one clear solution to this problem - a complete top to bottom overhaul of the security protocols underpinning all IoT devices. This overhaul has to begin with an immediate review of the existing protocols and proposals for new ones which would make IoT devices more hack resistant. The best organisation to do this would be the Institute of Electrical and Electronics Engineers (IEEE).
Secondly, security and regulatory agencies throughout the world will need to take a hardline approach towards manufacturers that do not comply with IEEE's recommendations, particularly Chinese manufacturers like XiongMai. If they are found to be in breach of the recommendations, there must be sanctions. These must include the complete ban on all their products for a minimum period of time.
Until such actions are taken, the internet will remain susceptible to attacks by compromised IoT devices.