Last Friday, multiple massive distributed denial of service (DDoS) attacks hit Dyn, an internet performance management company headquartered in New Hampshire. Dyn is a managed DNS provider to many of the large companies on the internet such as Twitter, Reddit, GitHub, Paypal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon, and others.
News surfaced over the following weekend that the Mirai IoT (Internet of Things) botnet was at least partially responsible for the attack, and according to Dyn, was generating traffic from “10s of millions of discrete IP addresses.”
Instead of rehashing details of how this could have occurred, we want to discuss botnet attacks as part of the new reality in our connected world, and as such, how device manufacturers and device users need to respond. We also want to take a look at the role that governments can or cannot play.
Connected Devices of All Types, Everywhere
Ubiquitous — it’s an over-used word, but it truly applies here. A huge range and number of Internet-connected devices exist, including cameras, DVRs, thermostats, light bulbs, toothbrushes, teapots, clothes dryers, pet feeders, home security appliances, payment transaction devices, health monitors, personal emergency response systems, and on, and on. In other words, connected devices are everywhere — in the home, in the car, on our bodies, in the workplace, in our hospitals, and everywhere else you can imagine.
When there’s a DDoS, it isn’t just your ability to get on Facebook that’s impacted. All areas of our lives are disrupted, from entertainment to commerce to physical and personal security to health matters that have — potentially — very serious implications. Sometimes, denial of service is just an inconvenience; other times, it can be life threatening.
An Inconvenient Truth
Many of these devices are not inherently secure, and it’s way too easy to commandeer them with a botnet like Mirai.
So what to do? Let’s answer this from two points of view: the manufacturers’ and the end-users’.
At the outset, we should mention that Hangzhou Xiongmai Technology, the manufacturer of many of the devices used in the attack, is planning to issue a device recall on some of its vulnerable products.
While a recall may help to get some of these insecure devices off the Internet, it’s incredibly likely that many will stay connected and unsecure and that far more devices from other manufacturers are sitting idle, waiting to be compromised — or are being used maliciously already.
So let’s shift the focus from after-the-fact “responsibility” to proactive steps that device manufacturers can and should take.
As we often say in this blog, security should be integrated from the outset, whether it’s into an organization’s infrastructure and practices or into an IoT device. With that in mind, manufacturers need to replace the current practice of shipping products that offer consumers no way to upgrade or protect themselves, with products that can be upgraded. A shift needs to take place whereby a much stronger focus on consumer security is built into the product development cycle. It’s not lack of processing power that makes devices vulnerable; it’s lack of will to build processing power into the devices in the first place. Some manufacturers already respect this and have a forced password reset on first login, or randomly generate a password per device.
Most of us, as end-users, show a degree of complacency in our acceptance of IoT devices and our generally lax approach to Internet security. But unless end-users follow basic security practices, the security loop is incomplete and devices remain vulnerable. At a minimum, consumers should research carefully whether any type of security update mechanisms are built into the devices they are planning to purchase, and they need to stop using default (or otherwise weak) passwords. Easier said than done, of course, but it would appear that many manufacturers only respond to market forces or public shame.
When the well-being of the community is being threatened, can governments step in? Ironically, their options are often limited. In many democracies, it is not legal to access a computer without the owner’s permission, even if the intent is to do good. In the United States, for example, it is illegal to access a computer without authorization, according to the Computer Fraud and Abuse Act. The same is true in Holland where Dutch authorities came under fire in 2010 after uploading a file to computers that had been infected with the Bredolab botnet, in order to use that file to redirect users’ browsers to a web page in an attempt to inform them that they’d been hacked.
This leaves us with quite a dilemma. It is probably safe to say that many of the connected devices involved in last week’s DDoS will not be returned, can’t be updated, and will remain active. It is theoretically possible to “brick” these devices and render them useless. But should we? Should the U.S. or another country take action to prevent these devices from further targeting infrastructure? What are the implications of such an action? What if the intended fix introduces even bigger flaws?
The Mirai botnet was performing smaller scale attacks prior to the one against Dyn, and has continued to attack after Dyn successfully mitigated the attack on Friday. So this simply means that malicious activity from this botnet is an ongoing problem with no real end in sight.
While there’s no way of preventing attacks like Mirai, there are steps that the connected community can take — from manufacturer to end-user — to mitigate attacks when they do happen.
DDoS may be part of the new reality, but we don’t have to accept it as the new norm.