Has IoT Pushed Cybersecurity To Its Breaking Point?
Some events serve as watershed moments that are inexorably seared into our collective consciousness: the attack on Pearl Harbor that catapulted the U.S. into the Second World War, the day President Kennedy was assassinated, and, sadly, the events of 9/11.
These dates serve as a constant reminder that safety requires vigilance.
However, recent events involving Internet of Things (IoT) devices being used to launch Distributed Denial of Service (DDoS) attacks could change the way we live in ways that the public at large is totally unprepared for. September of 2016 will likely go down in history as the moment where the bad guys finally opened Pandora’s “cyber” box and turned the Internet back on its users.
As is often the case with a historical turning point, we missed the red flags that an inflection point was rapidly approaching, despite ample advance warning. For some time now, members of the cybersecurity community have sounded alarms about the inherent dangers of insecure devices being connected to the Internet.
We now commonly refer to Internet-connected devices as belonging to the IoT, but in reality we have used the Internet to connect devices other than traditional personal computers for decades. What has changed is that billions of electronic systems are now interconnected via the Internet, with the bulk of them hurriedly and insecurely manufactured and sold to consumers without regard for the security ramifications.
These systems range from simple wearables such as smart watches and health and fitness monitors, to household lamps, refrigerators, smart thermostats and power meters, all the way up to nuclear generating stations, water and power plant control systems, aircraft jet engines, and ATMs. And perhaps most notably and notoriously, household security cameras and the digital video recorders (DVRs) that store their footage fall into the IoT category.
All of these devices now rely on sending and receiving data via the Internet, and because of this, they can now be remotely compromised and repurposed to form giant botnets that deliver massive DDoS attacks. This, then, is your IoT, a Trojan horse that we quickly adopted and may soon live to regret.
And now our predictions – and fears – have been realized. Let me explain:
Against the backdrop of this year's Summer Olympics, on August 31, 2016, Arbor Networks reported a DDoS attack sustained at over 500 gigabits per second (Gb/s) against Olympic-related websites. Post-event analysis revealed that the bulk of the attacking devices were security cameras and the DVRs used to store their footage. These attacks were successfully handled by mitigation services, but they stressed their capabilities.
On September 20, 2016, a DDoS attack was launched against respected security journalist Brian Krebs, legendary for having exposed major criminal operations and the individuals behind them. His website had been protected pro bono for some time by Akamai/Prolexic, a well-known content distribution network and DDoS mitigation company. Although not confirmed, Krebs has attributed the attack to a story he published that resulted in the arrest in Israel of a pair of "DDoS for hire" criminals. Notably, this DDoS attack mirrored the profile of the Olympic attack: initial estimates put it near 665 Gb/s, and later analysis revised that to roughly 620 Gb/s, still the largest attack Akamai had seen at that point.
This attack continued until September 23, at which point Akamai/Prolexic reportedly told Krebs that the impact of the attack on Prolexic’s infrastructure was disrupting their ability to service their commercial clients, and asked him to look for an alternative provider. During the prior week, there were sporadic reports of service outages by Akamai/Prolexic customers and users, likely due to this large attack. At 6pm EDT on September 23, Krebs’ website “went off the ‘net.”
After some discussion by a small group of major DDoS Protection Service Providers, it became clear that given the potential impact from any increase in the size of the attack, the only likely network that might survive the DDoS attack (especially if it continued to escalate) was that of Google. And although Google is not a commercial DDoS Service Provider, over that weekend they stepped up and agreed to host Krebs’ website under a program known as "Project Shield".
This little known but admirable service is described on Google’s website as “a free service that uses Google technology to protect news sites and free expression from DDoS attacks on the web.” Starting the following Monday, September 26, Krebs’ website was relaunched and it continues to be reliable and available.
The third big IoT-sourced DDoS attack began on September 19, 2016, overlapping with the attack on Krebs' website. The CEO of OVH, a major French hosting provider, reported a series of debilitating DDoS attacks of over 1 terabit per second (Tb/s). The attack profile, once again, was similar to that of the Krebs and Olympic assaults. Note that this meant the combined Krebs/OVH attacks were generating in excess of 1.7 Tb/s of simultaneous traffic, capable of disrupting many major backbone providers and well in excess of the loads that most DDoS mitigation providers could handle. He later reported that his company had identified around 150,000 unique devices involved in the 1.5 Tb/s attack against his network.
The IoT Problem:
An analysis of these events has shown that most of the devices used in the attacks are IoT security cameras, DVRs and associated equipment. These devices share a common flaw: they are configured and shipped with the same well-known, weak user IDs and passwords common to every unit of a given model. Worse, at least one product line is built on a third-party component in which the default user ID and password are hard-coded into the firmware image and CANNOT be changed by the user, so even a diligent owner cannot close the hole.
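The hard-coded account problem is visible in the firmware itself: a read-only root filesystem that carries an /etc/passwd entry with an inline password hash, next to an init script that starts telnetd, cannot be fixed through any user setting. The following audit script is an added example, not code from the article or from any vendor; it scans a raw firmware image for exactly that pattern. The image bytes, the password hash and the [IN-DROP]-style names in it are constructed for illustration and correspond to no real product.

```python
"""
Audit a raw firmware image for baked-in Telnet accounts.

Added example, not taken from the article or from any vendor's firmware.
SAMPLE_IMAGE is CONSTRUCTED to resemble fragments of an embedded Linux root
filesystem (an /etc/passwd entry with an inline, made-up hash and an init
script that starts telnetd); a real audit would read the image from disk.
"""
import re
from dataclasses import dataclass
from typing import List

# One /etc/passwd record: name:password:uid:gid:gecos:home:shell.
# A password field that is not "x", "*" or "!..." is an inline hash; on a
# read-only squashfs root it is effectively permanent.
PASSWD_RE = re.compile(
    rb"(?m)^([A-Za-z_][A-Za-z0-9_-]*):([^:\n]*):(\d+):(\d+):[^:\n]*:[^:\n]*:[^\n]*$"
)
# telnetd invocation in an rc/init script, with any "-x value" options; -p
# selects a non-default listening port (2323 is common on cameras/DVRs).
TELNETD_RE = re.compile(rb"telnetd(?:\s+-[a-zA-Z]\s*\S+)*")
PORT_RE = re.compile(rb"-p\s*(\d{1,5})")


@dataclass
class Finding:
    kind: str    # "hardcoded-hash" | "empty-password" | "telnet-service"
    detail: str


def audit_firmware(image: bytes) -> List[Finding]:
    """Return the account and service findings for one firmware image."""
    findings: List[Finding] = []
    for m in PASSWD_RE.finditer(image):
        user = m.group(1).decode()
        pw_field = m.group(2).decode()
        uid = int(m.group(3))
        if pw_field == "":
            findings.append(Finding("empty-password", f"{user} (uid {uid}) has no password"))
        elif pw_field != "x" and pw_field != "*" and not pw_field.startswith("!"):
            findings.append(Finding(
                "hardcoded-hash",
                f"{user} (uid {uid}) has hash {pw_field[:12]}... baked into the image"))
    for m in TELNETD_RE.finditer(image):
        port = PORT_RE.search(m.group(0))
        findings.append(Finding(
            "telnet-service",
            f"telnetd started on port {port.group(1).decode() if port else '23'}"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Combine findings: a fixed root login plus an exposed telnetd is the Mirai case."""
    root_login = any(f.kind in ("hardcoded-hash", "empty-password") and "(uid 0)" in f.detail
                     for f in findings)
    telnet = any(f.kind == "telnet-service" for f in findings)
    if root_login and telnet:
        return "CRITICAL: root account baked into image and telnetd enabled"
    if root_login or telnet:
        return "WARNING: review account and service configuration"
    return "OK: no baked-in Telnet login found"


# CONSTRUCTED sample image; the hash below is not a real hash of anything.
SAMPLE_IMAGE = (
    b"\x00\x01hsqs\x00padding-before-rootfs\xff\xfe\n"
    b"root:$1$saltsalt$0ThisIsAConstructedHash.:0:0:root:/:/bin/sh\n"
    b"admin:x:1000:1000::/home/admin:/bin/sh\n"
    b"daemon:*:2:2:daemon:/usr/sbin:/bin/false\n"
    b"\x00\x00#!/bin/sh\n"
    b"# rcS: start services (constructed)\n"
    b"/sbin/telnetd -p 2323 -l /bin/login &\n"
    b"\x7fELF\x01\x01\x01"
)

if __name__ == "__main__":
    found = audit_firmware(SAMPLE_IMAGE)
    for f in found:
        print(f"[{f.kind}] {f.detail}")
    print(verdict(found))
```

Run against an extracted image (binwalk output or a raw dump), the script flags the two conditions that together make a device permanently exploitable: a uid 0 account whose hash lives in the image rather than in a writable shadow file, and a telnetd that starts at boot. The "admin:x" record is ignored because its password lives in /etc/shadow and can be changed.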
And then, on Friday, September 30, 2016, the source code for the malware responsible for these DDoS attacks, known as "Mirai", was released publicly via Hackforums, a well-known hacker hangout. The malware has since been examined and validated by a number of experts as capable of carrying out the attacks. Their consensus is that the code is well designed and likely written by an above-average developer or group of developers. Note that what has been described as its "encryption" is a simple XOR obfuscation of the strings embedded in the binary (the credential list and server addresses); that is enough to defeat naive string matching by network operators, but it is no obstacle to analysis.
In addition, Level3, a major service provider, has reported that its engineers have identified a second, competing IoT botnet dubbed "Bashlight" (also known as Bashlite or Gafgyt), which has similar capabilities.
Despite concerted action by the security community, thousands of downloads of the source code for Mirai have occurred, almost certainly including downloads by criminals and other miscreants.
How The IoT Attacks Work:
The charts below, published by DShield (the SANS Internet Storm Center's sensor network), show scanning activity beginning in January 2016 for TCP ports 23 and 2323, the standard and the common alternate port for Telnet. Telnet is used for remote administration of networking devices such as routers and switches, and also of many other types of IoT devices such as smart meters, home thermostats, smart light bulbs, security cameras and the recorders for those cameras. It carries user IDs and passwords in cleartext and offers no lockout by default, so any device that exposes it to the Internet is a trivial target for credential guessing. Unfortunately, in the eternal conflict between ease of use and security, manufacturers often opt for the former, and weak passwords are the norm for mass-market devices.
As you'll see in this graph, starting in late June 2016 scanning for these devices increased, followed by a tail during the Olympics. Then in August and September we see a spike leading up to the OVH and Krebs attacks. And finally, on September 15, we see another spike of almost four times the previous week's level. That level has persisted, leaving everybody in the cybersecurity field waiting and wondering when the next attack will occur.
In addition, the following charts provided by Qihoo 360 Labs, China's largest Internet security company with 600 million users, show scanning attempts by compromised systems of IP addresses located in China. Their data shows similar spikes and patterns.
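A network operator can reproduce the kind of signal those DShield and Qihoo 360 charts show from a perimeter firewall's own logs: count the distinct source addresses that probe TCP 23 and 2323 each day and flag any day that exceeds the prior week's daily average by a chosen factor. The script below is an added example, not code from the article, DShield or Qihoo 360. It assumes netfilter/iptables LOG-style lines with a hypothetical "[IN-DROP]" prefix, and the log itself is constructed inside the script from a synthetic schedule (a steady baseline of about 50 scanners a day followed by a jump to 210), so it runs offline.

```python
"""
Week-over-week spike detection for inbound Telnet scanning (TCP 23 and 2323).

Added example, not code from the article or from DShield. The log lines are
CONSTRUCTED in netfilter LOG format with a hypothetical "[IN-DROP]" prefix;
a real deployment would read them from syslog instead.
"""
import re
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: \[IN-DROP\] "
    r".*?SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
MONTHS = {"Aug": 8, "Sep": 9}          # extend for a full year of logs
TELNET_PORTS = {23, 2323}


def parse_line(line: str, year: int = 2016) -> Optional[Tuple[str, str, int]]:
    """Return (iso_date, source_ip, dst_port) for a dropped inbound TCP SYN, else None."""
    m = LOG_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    day = date(year, MONTHS[m["mon"]], int(m["day"]))
    return day.isoformat(), m["src"], int(m["dpt"])


def daily_telnet_sources(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Distinct scanning sources per day, Telnet ports only (other ports are noise here)."""
    by_day: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in TELNET_PORTS:
            by_day[rec[0]].add(rec[1])
    return by_day


def day_over_prior_week(by_day: Dict[str, Set[str]], window: int = 7
                        ) -> List[Tuple[str, int, float, float]]:
    """(day, sources_today, baseline_avg, ratio) for every day with a full prior week."""
    out = []
    for key in sorted(by_day):
        d = date.fromisoformat(key)
        prior = [(d - timedelta(days=i)).isoformat() for i in range(1, window + 1)]
        if not all(k in by_day for k in prior):
            continue                      # no complete baseline week yet
        baseline = sum(len(by_day[k]) for k in prior) / window
        today = len(by_day[key])
        out.append((key, today, baseline, today / baseline))
    return out


def spikes(by_day: Dict[str, Set[str]], threshold: float = 4.0):
    """Days whose distinct-source count is at least `threshold` times the prior week's average."""
    return [r for r in day_over_prior_week(by_day) if r[3] >= threshold]


def constructed_schedule() -> Dict[str, int]:
    """CONSTRUCTED daily counts: steady ~50 scanners, then the jump the charts describe."""
    sched = {date(2016, 9, d).isoformat(): 50 for d in range(8, 15)}
    sched["2016-09-15"] = 210
    sched["2016-09-16"] = 220
    return sched


def constructed_log(schedule: Dict[str, int]) -> List[str]:
    """Synthesise firewall drop lines (CONSTRUCTED, documentation IP ranges only)."""
    lines: List[str] = []
    for key, n in schedule.items():
        d = date.fromisoformat(key)
        for i in range(n):
            src = f"203.0.113.{i % 256}" if i < 256 else f"198.51.100.{i % 256}"
            port = 2323 if i % 3 == 0 else 23          # scanners try both ports
            lines.append(
                f"{d:%b} {d.day:2d} 03:{i % 60:02d}:17 edge kernel: [IN-DROP] IN=eth0 OUT= "
                f"SRC={src} DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT={40000 + i} "
                f"DPT={port} WINDOW=14600 SYN")
        # background noise that must not be counted: a non-Telnet port and an unrelated line
        lines.append(f"{d:%b} {d.day:2d} 04:00:00 edge kernel: [IN-DROP] IN=eth0 OUT= "
                     f"SRC=192.0.2.99 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=5555 DPT=22 SYN")
        lines.append(f"{d:%b} {d.day:2d} 04:00:01 edge sshd[123]: Connection closed")
    return lines


if __name__ == "__main__":
    by_day = daily_telnet_sources(constructed_log(constructed_schedule()))
    for day, today, base, ratio in day_over_prior_week(by_day):
        print(f"{day}: {today} sources vs {base:.1f}/day prior week ({ratio:.2f}x)")
    print("spikes:", [s[0] for s in spikes(by_day)])
```

Counting distinct sources rather than packets is deliberate: a single aggressive host retrying a dictionary produces many packets but one source, whereas a growing botnet shows up as thousands of new addresses, which is the quantity that matters when judging how many devices an operator like OVH is facing. Only the 2016-09-15 day trips the 4x threshold in the constructed data; the following day is higher in absolute terms but its baseline already includes the spike, which is the usual behaviour of a moving baseline and the reason persistent scanning "stays" in the charts once it has begun.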
Given the number of vulnerable IoT units already shipped and installed over the last few years (conservative estimates run to many tens of millions), it is likely that current DDoS mitigation techniques will not be able to defend networks or systems, and that any large attack utilizing more of the already-compromised IoT devices will result in significant failures of large portions of the Internet, including elements of critical infrastructure. It is also possible that an attack by these botnets would be sufficient to threaten the U.S. economy.
We are rapidly approaching the critical point of no return when it comes to attempting to secure our future. However, although we’re nearing the precipice of a major Internet calamity, we may still have time to act.
Given the potential damage to the U.S. as well as global economies, public and private organizations internationally MUST begin to work together to formulate plans to cope with these attacks. This should include preemptively developing and implementing standards for the security of these devices, starting with the manufacturers, as well as following best practices within networks to squelch attacks at their sources (for example, filtering spoofed source addresses at the network edge as described in BCP 38, and keeping Telnet and other management ports off the public Internet). Manufacturers who refuse to implement the changes must be restricted in their ability to distribute their products. The pendulum HAS to swing back from ease of use to security.
Make no mistake; this year's events of August 31, September 19 and September 20 should deeply concern everybody. And by everybody, I mean every global citizen who either directly or indirectly interacts with the Internet. Our banks, our modes of transportation, and the convenient everyday life we have come to enjoy are all under attack by the rapid proliferation and insecurity of IoT devices.