How would you feel if you found out that your new security webcam, instead of protecting your family, was part of a massive “botnet” of enslaved devices sending out wave after wave of malicious Internet traffic to overwhelm popular websites? A bit uncomfortable? This isn’t the plot for a new science fiction movie – a version of this actually happened on Friday, October 21st.

The term “Internet of Things” probably doesn’t mean much to most people. And that’s probably ok. But as more and more of these devices get into people’s homes, you might ask yourself who is looking after the security of those devices. If I said it’s supposed to be you, you’d be forgiven if your first thought was, “Isn’t that the manufacturer’s responsibility?”

I’d wager the vast majority of people have no idea how to change the security settings on network-enabled cameras, thermostats and other devices. They might be thinking that they probably came from the factory already secured and ready to go. But the reality is slightly different.

Last Friday a botnet called Mirai took down DNS provider dyn.com for a significant portion of the day. In this case the botnet used unsecured Internet of Things (IoT) devices to send out malicious data to dyn.com to overwhelm that site with requests so it couldn’t respond to normal traffic.

Here is a quick diagram that briefly summarizes how the attack worked.

Even though a single IoT device can’t send out a high volume of traffic, when you put a whole lot of them together they can quickly overwhelm some of the basic infrastructure of the Internet. Some estimate that there were about half a million devices involved in this recent attack. And a whole lot more devices are going to be put online if recent estimates by McKinsey are any indication.

What is now becoming known is that the devices responsible for this had default passwords that were set up months or even years ago that never got changed by the end user. Some devices even had their security “hard-coded” so that there was no way a consumer could change it.

There is a list of about 60 passwords that were recovered from the source code of the Mirai botnet, which was also released to the public recently. Here is the list of passwords that have been discovered so far (note: some are not safe for work).

In the very hot IoT space device manufacturers have been working hard to get products to market as quickly as possible. One of the problems with this is that there are several components that go into one of these devices and a lot of them are sourced from other manufacturers.

Here is an image of the internal workings of one of these devices.

In order to understand the security risk, a manufacturer has to understand how the device communicates with the network and what components are responding to network requests. So they not only have to understand how they’ve intended their device to interact but all of the sub modules in their device as well. Which means that buying a Wifi or Bluetooth radio for a device isn’t like going to the Wal-Mart and buying a toaster – as a device manufacturer, you have to know the security that’s built into that chip and how it can be secured by your customer.

Another problem is that when a consumer goes out to Best Buy and purchases one of these devices, it’s often not very apparent why they should spend the time to change the default security settings. It seems like a lot of work. It’s not straightforward. And what is the risk that hackers will target their specific device? The risk is that hackers are always probing networks, looking for an opportunity to take over devices just like we saw with this most recent attack.

Manufacturers and vendors have not done a fantastic job of making customers aware of the need to update the security settings, or of making that a quick and easy job. [Note: Here are some tips from Consumer Reports on how to strengthen your network devices.]

Some researchers have suggested that this might be the first wave of attacks. Perhaps the next one could be the voting process. Or other infrastructure targets.

Dave Larson, CTO/COO at Corero Network Security, notes, “When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet – at least degrading it in certain regions.”

As more and more of these devices get connected to the Internet, more people realize that security really does matter, and that leads me to a question I’ve been thinking about over the past several days. Is device security as important as consumer safety is for a blender? Or a lawn mower? Pretty much any device with a motor [or for that matter a circuit board] has to be certified by an agency as not harmful to human health. The certification could cover resistance to electrical shocks, vibration, or any of a host of other hazards that might endanger the health of the consumer who purchased the unit.

Is it time to treat security like safety? Should these devices have to go through some sort of approval process to at least determine what security impacts there could be as they’re installed in people’s homes?

It’s not an easy question to answer because security is an ever-changing, moving target. What is deemed to be “secure” today may not in fact hold up to hackers next month or next year.

It may be that this process is not a test for “security” as such, but a check that the device’s security settings are easy to modify. Additionally, there may be some sort of internal monitoring function that can report if the device is not acting in line with its original intent.
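One way a monitoring check of this kind could look, as an added example that is not part of the original post: each device type gets a profile of the traffic it was built to produce, and observed flows are compared against it. The profile format, device names and flow records below are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical "original intent" profiles per device type (assumed format).
PROFILES = {
    "camera": {"ports": {443, 554}, "max_peers_per_min": 5},
    "thermostat": {"ports": {443, 8883}, "max_peers_per_min": 3},
}

# Constructed flow records: (seconds since capture start, device id,
# device type, destination IP, destination port). IPs are documentation ranges.
SAMPLE_FLOWS = [
    (5, "cam-1", "camera", "203.0.113.10", 443),
    (65, "cam-1", "camera", "203.0.113.10", 554),
    (20, "thermo-1", "thermostat", "203.0.113.20", 8883),
] + [
    # cam-2 contacts eight different hosts on port 23 within one minute.
    (10 + i, "cam-2", "camera", f"198.51.100.{i + 1}", 23) for i in range(8)
]


def audit_flows(flows, profiles=PROFILES):
    """Return sorted (device, minute, reason) tuples for out-of-profile traffic."""
    peers = defaultdict(set)  # (device, minute) -> distinct destinations seen
    alerts = set()            # a set, so a repeated deviation is reported once
    for ts, device, dev_type, dst_ip, dst_port in flows:
        minute = ts // 60
        profile = profiles.get(dev_type)
        if profile is None:
            # Unknown device types are reported rather than silently trusted.
            alerts.add((device, minute, "no profile for device type"))
            continue
        if dst_port not in profile["ports"]:
            alerts.add((device, minute, f"unexpected destination port {dst_port}"))
        peers[(device, minute)].add(dst_ip)
        if len(peers[(device, minute)]) > profile["max_peers_per_min"]:
            alerts.add((device, minute, "too many distinct destinations"))
    return sorted(alerts)


if __name__ == "__main__":
    for device, minute, reason in audit_flows(SAMPLE_FLOWS):
        print(f"minute {minute}: {device}: {reason}")
```

On the constructed sample, only cam-2 is reported: once for a port outside its profile and once for contacting more distinct hosts in a minute than a camera should.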

I maintain that we need to start asking these questions, and soon, as the number of IoT devices is projected to climb rapidly in the next 18 to 24 months. I sincerely hope that we learn from this event how to prepare more effectively in the future so we don’t find ourselves living through the online version of the Night of the Living Dead.

So do you think we need to start treating security more seriously?