The flood of vulnerable internet-connected devices allows massive DDoS attacks on DNS provider Dyn!
What does IoT really mean?
IoT stands for Internet of Things. Over the last decade the number of ways in which we connect to internet services has changed: broadband has become more widely available and, together with falling connection charges, this has meant that more and more businesses offer free Wi-Fi, so people are connected for more of the time. This has led to an enormous increase in devices built with Wi-Fi capability so that they can be connected and centrally controlled through applications over a network, including over the internet.
This allows us to simply plug these devices in, power them on and have them connect to each other and to the internet. New devices come to market daily, including everything from cell phones, kettles and coffee makers, headphones, washing machines, doorbells and wearables to nearly anything else one can imagine!
Webopedia refers to IoT as “the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.” (Stroud, 2016)
In a 2016 report, Gartner predicts that by 2020 more than half of major new business processes and systems will incorporate some element of IoT (Stamford, 2016); in an earlier report they estimated that 6.4 billion connected things would be in use worldwide in 2016 (Stamford, 2015).
From the very start of the development and release of IoT devices there have been a number of security concerns.
2015 was known as the year of IoT (Hajdarbegovic, 2015), but many rephrased this as the Internet of Insecure Things (IoIT)! Much of this was well deserved, with numerous devices found to be easily hacked through several vulnerabilities.
Like every new technology there are early adopters and laggards: some are excited, wanting a connected environment in which their mobile phone automatically wakes them up based on their calendar events and turns on the kettle or coffee maker even before the alarm goes off; others are more pessimistic about big brother and security concerns in general; and others are simply waiting for it to fall and fail!
Either way, I think that we can all agree – IoT or IoIT is here to stay!
What happened last week?
The attacks on Friday 21st October 2016 using IoT devices have demonstrated at the very least a taste of things to come. These attacks, which affected a number of websites, used internet-enabled cameras and DVRs as the platform for a Distributed Denial of Service (DDoS) attack; the attackers exploited manufacturer-set default passwords which users had never changed.
Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame (Kan, 2016).
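Mirai recruited those devices by scanning for telnet and trying a short, fixed dictionary of vendor default logins (the dictionary is visible in the leaked source discussed further down). As an added example, not part of the original post, the Go program below puts that knowledge to work in two directions: IsMiraiDefault checks a device account against a handful of pairs reproduced from the Mirai list, and Analyse runs over a constructed telnet login log and flags sources that tried any of those pairs or that burst through several logins within a short window, which is what a Mirai scanner looks like from the target's side. The log format, the addresses and the thresholds are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Username:password pairs reproduced from the scanner table in the leaked
// Mirai source (the real table is longer). "xc3511" is the Xiongmai default.
var miraiDefaults = map[string]bool{
	"root:xc3511": true, "root:vizxv": true, "root:admin": true, "admin:admin": true,
	"root:888888": true, "root:xmhdipc": true, "root:default": true, "root:juantech": true,
	"root:123456": true, "root:54321": true, "support:support": true, "root:root": true,
}

// IsMiraiDefault reports whether a login pair is in the Mirai dictionary. Run it
// against your own devices' accounts too: a match means the device is recruitable.
func IsMiraiDefault(user, pass string) bool { return miraiDefaults[user+":"+pass] }

type attempt struct {
	t               time.Time
	src, user, pass string
}

type Finding struct { // one flagged source address and why it was flagged
	Src                   string
	Attempts, DefaultHits int
	Reason                string
}

// parseLine reads the constructed log format used in this example (not any
// product's): "<RFC3339 time> telnet src=<ip> user=<u> pass=<p> result=<ok|fail>".
func parseLine(line string) (attempt, bool) {
	f := strings.Fields(line)
	if len(f) < 5 || f[1] != "telnet" {
		return attempt{}, false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return attempt{}, false
	}
	val := func(kv string) string { return kv[strings.Index(kv, "=")+1:] } // "k=v" -> "v"
	a := attempt{t: ts, src: val(f[2]), user: val(f[3]), pass: val(f[4])}
	return a, a.src != ""
}

// Analyse flags a source that tried any known default pair, or that made at
// least threshold attempts inside one window (Mirai walks its list in seconds).
func Analyse(lines []string, window time.Duration, threshold int) []Finding {
	bySrc := map[string][]attempt{}
	for _, l := range lines {
		if a, ok := parseLine(l); ok {
			bySrc[a.src] = append(bySrc[a.src], a)
		}
	}
	var out []Finding
	for src, as := range bySrc {
		sort.Slice(as, func(i, j int) bool { return as[i].t.Before(as[j].t) })
		f, burst := Finding{Src: src, Attempts: len(as)}, 0
		for i := range as {
			if IsMiraiDefault(as[i].user, as[i].pass) {
				f.DefaultHits++
			}
			j := i // widest run of attempts ending at i that fits in the window
			for j > 0 && as[i].t.Sub(as[j-1].t) <= window {
				j--
			}
			if i-j+1 > burst {
				burst = i - j + 1
			}
		}
		if f.DefaultHits == 0 && burst < threshold {
			continue // nothing suspicious from this source
		}
		f.Reason = fmt.Sprintf("burst=%d within %s, mirai_defaults=%d", burst, window, f.DefaultHits)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

// Constructed sample log; addresses come from the RFC 5737 documentation ranges.
var sampleLog = []string{
	"2016-10-21T11:02:13Z telnet src=198.51.100.7 user=root pass=xc3511 result=fail",
	"2016-10-21T11:02:14Z telnet src=198.51.100.7 user=root pass=vizxv result=fail",
	"2016-10-21T11:02:15Z telnet src=198.51.100.7 user=admin pass=admin result=fail",
	"2016-10-21T11:02:16Z telnet src=198.51.100.7 user=root pass=xmhdipc result=ok",
	"2016-10-21T11:05:40Z telnet src=203.0.113.9 user=operator pass=S3cur3-Ops! result=ok",
	"2016-10-21T11:07:02Z telnet src=203.0.113.21 user=root pass=admin result=fail",
}

func main() {
	for _, f := range Analyse(sampleLog, 60*time.Second, 4) {
		fmt.Printf("%-13s attempts=%d defaults=%d  %s\n", f.Src, f.Attempts, f.DefaultHits, f.Reason)
	}
}
```

On the sample log the scanner at 198.51.100.7 is flagged for both reasons, the single root/admin attempt from 203.0.113.21 is flagged purely because that pair is in the dictionary, and the operator login is left alone. The fourth line of the sample is the one that matters in practice: the scanner's login succeeded, which is the moment a camera becomes a bot.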
This underlines the worry of security experts worldwide that IoT systems could be used to disrupt critical infrastructure, including telecommunications, transportation and the power grid.
Friday’s attack affected some 80 major websites by overloading the DNS provider Dyn. It has predominantly been blamed on the Mirai botnet, but other sources say that Mirai was only part of the attack and that the attackers rented capacity from similar botnets. In an interview, Dale Drew, CSO of Level 3 Communications, said that “other systems not matching the signature of Mirai were also involved in the coordinated attack on Dyn”, and is quoted as saying “We believe that there might be one or more additional botnets involved in these attacks” (Gallagher, 2016).
These attacks have led officials to fear further ones: according to Computerworld, a “U.S. Senator has joined security officials calling for stiffer cybersecurity for Internet of Things (IoT) devices following a major attack last Friday” (Hamblen, 2016).
Although a number of organisations blame state-sponsored hackers, in their After-Action Analysis report Flashpoint state that “despite public speculation, Flashpoint assesses with a moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated, and most likely not nation-state actors” (Nixon, Costello, & Wikholm, 2016).
The Register reported on 24th October that “New World Hackers, a previously known group, claimed credit for the assault”, which they described as a “capability test”. The same group briefly knocked the BBC offline last year (Leyden, 2016).
Dyn released a statement on 22 October 2016 which can be viewed here http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
Were we aware of these security vulnerabilities?
The attacks of the last few weeks have not come as a surprise to most; they have been feared for many months and were well predicted and written about. In February 2015, Alex Drozhzhin wrote on the Kaspersky Lab blog: “There is a flood of appliances which could be connected – and some are connected – without a second thought as to whether or not it’s necessary. Most people barely give a second thought that a hack of a smart-connected appliance could be dangerous and a lot more threatening than a simple PC hack.” (Drozhzhin, 2015) In that post he outlines how several devices, including a car wash, have been easily hacked!
Previous Similar Attacks
There have been several well-known attacks similar to this:
In 2014, LizardSquad’s “stresser” service, which used compromised home Wi-Fi routers, announced that it was ready for business with Christmas Day attacks on the PlayStation Network and Microsoft’s Xbox Live service (see http://tombrett.ie/playstation-and-xbox-networks-attacked-on-christmas-day-by-a-ddos-attack/).
We also witnessed similar attacks in 2010 by Anonymous using the open-source Low Orbit Ion Cannon (LOIC) tool, and the 2014 DDoS attacks launched from compromised Joomla and WordPress servers, all showing a clear lead-up to this kind of event.
Just a month earlier, the Krebs on Security blog written by Brian Krebs suffered an attack delivering 665Gbps of traffic, overwhelming the site (Greene, 2016).
Release of Mirai Source Code
After the attack on Krebs on Security, on 30th September 2016 a Hackforums user by the name of Anna-Senpai leaked the source code for the Mirai botnet. It has since been speculated that the perpetrator was trying to cover their tracks after attacking the sites of security experts.
This leak has allowed security experts to analyse the code to gain a better understanding of the attacks and, more importantly, of the vulnerabilities being exploited and how to defend against them.
Can we Secure IoT Devices?
So how have we allowed it to get this bad, I hear you ask? In a whitepaper released by Wind River, they specify a number of the problems with integrating security into IoT devices, illustrating that the current best practices used to secure other IT equipment simply do not apply because of small form factors, limited storage space and processing power, and the lack of human interaction in general.
They state that “Blacklisting, for example, requires too much disk space to be practical for IoT applications. Embedded devices are designed for low power consumption, with a small silicon form factor, and often have limited connectivity. They typically have only as much processing capacity and memory as needed for their tasks. And they are often “headless”—that is, there isn’t a human being operating them who can input authentication credentials or decide whether an application should be trusted; they must make their own judgments and decisions about whether to accept a command or execute a task.” (Wind River Systems, 2015)
Another problem is the pressure to bring these products to market with little or no investment in security. Alex makes the interesting observation that these developers know very little about the adversarial environment they are working in, and that they “ultimately find themselves in a situation similar to that of an experienced basketball player sitting through a chess match with a real grand master” (Drozhzhin, 2015).
Chinese manufacturer Hangzhou Xiongmai Technology Co told Reuters on Tuesday that up to 10,000 webcams will be recalled in the aftermath of the Dyn cyber-attack (Jiang & Finkle, 2016).
How do we secure IoT devices?
Wind River state that “Security must be addressed throughout the device lifecycle, from the initial design to the operational environment” (Wind River Systems, 2015).
They also provide five recommendations, as follows:
- Secure booting: When power is first introduced to the device, the authenticity and integrity of the software on the device is verified using cryptographically generated digital signatures.
- Access control: Next, different forms of resource and access control are applied. Mandatory or role-based access controls built into the operating system limit the privileges of device components and applications so they access only the resources they need to do their jobs.
- Device authentication: When the device is plugged into the network, it should authenticate itself prior to receiving or transmitting data.
- Firewalling and IPS: The device also needs a firewall or deep packet inspection capability to control traffic that is destined to terminate at the device.
- Updates and patches: Once the device is in operation, it will start receiving hot patches and software updates. Operators need to roll out patches, and devices need to authenticate them, in a way that does not consume bandwidth or impair the functional safety of the device.
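The first and last of those recommendations are the two that bear directly on the Dyn attack (unauthorised code running on the device), and both come down to the same check: the device holds the vendor’s public key in immutable storage and refuses any image, at boot or at update time, whose signature does not verify or whose signed version number is older than what it already trusts. As an added example, not taken from the Wind River paper or from any vendor’s firmware, the Go program below implements that check with Ed25519 from the standard library; the image layout, the key handling and the SelfTest scenarios are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not any vendor's real format):
//   magic "FW01" | version uint32 big-endian | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so the version field is
// authenticated and cannot be edited to slip past the rollback check.
const (
	magic  = "FW01"
	hdrLen = 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrTooShort = errors.New("image too short")
	ErrBadMagic = errors.New("bad image magic")
	ErrBadSig   = errors.New("signature verification failed")
	ErrRollback = errors.New("image version below the device's rollback counter")
)

// BuildImage is the vendor's signing step: header + payload, then a signature
// made with the private key, which stays in the vendor's signing infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(buf, magic)
	binary.BigEndian.PutUint32(buf[4:], version)
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// VerifyImage is what the boot ROM and the updater run, using the vendor public
// key fixed in immutable storage. It hands back the payload only if the
// signature is good and the signed version is not below minVersion.
func VerifyImage(pub ed25519.PublicKey, image []byte, minVersion uint32) (uint32, []byte, error) {
	if len(image) < hdrLen+sigLen {
		return 0, nil, ErrTooShort
	}
	signed, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !bytes.Equal(signed[:4], []byte(magic)) {
		return 0, nil, ErrBadMagic
	}
	// Verify before acting on any other field, so an attacker never gets to
	// choose the version number (or anything else) we branch on.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed[4:hdrLen])
	if version < minVersion {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

// SelfTest walks through the cases a boot or update path must get right.
// Boot passes the stored rollback counter as minVersion; an updater passes
// installed+1 so that only strictly newer images are accepted.
func SelfTest() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // not the vendor's key
	good := BuildImage(priv, 2, []byte("constructed firmware payload v2"))
	if v, p, err := VerifyImage(pub, good, 2); err != nil || v != 2 || string(p) != "constructed firmware payload v2" {
		return fmt.Errorf("genuine image rejected: %v", err)
	}
	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0x01 // one flipped payload byte
	if _, _, err := VerifyImage(pub, tampered, 2); !errors.Is(err, ErrBadSig) {
		return fmt.Errorf("tampered image accepted: %v", err)
	}
	old := BuildImage(priv, 1, []byte("old but validly signed payload"))
	if _, _, err := VerifyImage(pub, old, 2); !errors.Is(err, ErrRollback) {
		return fmt.Errorf("rollback accepted: %v", err)
	}
	forged := BuildImage(otherPriv, 3, []byte("attacker payload"))
	if _, _, err := VerifyImage(pub, forged, 2); !errors.Is(err, ErrBadSig) {
		return fmt.Errorf("forged image accepted: %v", err)
	}
	return nil
}

func main() {
	if err := SelfTest(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("secure boot and update checks behave as expected")
}
```

The order inside VerifyImage matters: the signature is checked before the version field is read, so the rollback counter is only ever compared against a value the vendor signed. The anti-rollback check is what stops an attacker from re-flashing an older, validly signed image that still has a known bug, which is the cheapest way around a patch once the patch itself is properly authenticated.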
In his article cited earlier, Alex (Drozhzhin, 2015) finishes with the statement that “Sooner or later, the impact could be detrimental”. Is this the event that we just witnessed? I think not; instead it is just a taster of what is to come!
References
Drozhzhin, A. (2015). Internet of Crappy Things – IoT. Kaspersky Lab. Retrieved February 23, 2015, from https://blog.kaspersky.com/internet-of-crappy-things/7667/
Gallagher, S. (2016). How one rent-a-botnet army of cameras, DVRs caused Internet chaos. Ars Technica. Retrieved October 26, 2016, from http://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/
Greene, T. (2016). DDoS attack takes down Krebs site. CSO Online. Retrieved October 1, 2016, from http://www.csoonline.com/article/3123785/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html
Hajdarbegovic, N. (2015). Internet of Things (IoT) Security Challenges & Where to Start. Toptal. Retrieved October 18, 2016, from https://www.toptal.com/it/are-we-creating-an-insecure-internet-of-things
Hamblen, M. (2016). DDoS attack shows dangers of IoT “running rampant”. Computerworld. Retrieved October 25, 2016, from http://www.computerworld.com/article/3135285/security/ddos-attack-shows-dangers-of-iot-running-rampant.html
Jiang, S., & Finkle, J. (2016). China’s Xiongmai to recall up to 10,000 webcams after hack. Reuters. Retrieved October 26, 2016, from http://www.reuters.com/article/us-cyber-attacks-china-idUSKCN12P1TT
Kan, M. (2016). Chinese firm admits its hacked products were behind Friday’s DDOS attack. Computerworld. Retrieved October 22, 2016, from http://www.computerworld.com/article/3134097/security/chinese-firm-admits-its-hacked-products-were-behind-fridays-ddos-attack.html
Leyden, J. (2016). Hacktivist crew claims it launched last week’s DDoS mega-attack. The Register. Retrieved October 26, 2016, from http://www.theregister.co.uk/2016/10/24/hacktivists_claim_dyn_ddos_responsibility/
Nixon, A., Costello, J., & Wikholm, Z. (2016). An After-Action Analysis of the Mirai Botnet Attacks on Dyn. Flashpoint. Retrieved October 27, 2016, from https://www.flashpoint-intel.com/action-analysis-mirai-botnet-attacks-dyn/
Stamford, C. (2015). Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 Percent From 2015. Gartner. Retrieved October 11, 2016, from http://www.gartner.com/newsroom/id/3165317
Stamford, C. (2016). Gartner Says By 2020, More Than Half of Major New Business Processes and Systems Will Incorporate Some Element of the Internet of Things. Gartner. Retrieved October 20, 2016, from http://www.gartner.com/newsroom/id/3185623
Stroud, F. (2016). What Is Internet of Things (IoT)? Webopedia Definition. Retrieved October 23, 2016, from http://www.webopedia.com/TERM/I/internet_of_things.html
Wind River Systems, Inc. (2015). Security in the Internet of Things: Lessons from the Past for the Connected Future. Retrieved from http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf