Dyn DDoS Attack Reveals IoT Security Failures

It looks like security in the Internet of Things, whose vulnerabilities have been a topic among tech experts for some time now, might finally have been exposed to the light of the mainstream.

First, though: DDoS attacks are not hacks.  I just want to get that out there right off the bat.  It’s a common misconception, continually perpetuated by articles here and there, but Distributed-Denial-of-Service attacks are more akin to traffic overload and congestion.  This is a fairly accurate depiction of the process.

I suspect this confusion will change a little after last week, when large parts of the Internet in the US and on the west coast of Europe were slowed or made inaccessible.  A number of popular sites were affected, from Twitter to Reddit to Spotify to PayPal, among others.  And while we still don’t know exactly ‘who’ was responsible for Friday’s unprecedented attack, the ‘what’ was quickly discovered.  Connected devices, infected and co-opted with malware known as the “Mirai botnet,” propagated a botnet army to target domain name servers managed by Dyn (which sounds a little too close to Cyberdyne), all of which served to take down a crucial part of online infrastructure.  Business operations were thus also disrupted, as access to important data and functions was cut off, and IT departments rendered powerless to do anything but wait for Dyn to fix it.  All told, Dyn, one of the largest ISPs in the world, ended up having to deal with three separate waves of DDoS before the day was over, and the ship could be righted.

Shortly afterwards, Chinese electronics manufacturer Hangzhou Xiongmai Technology—a vendor of DVRs and internet-enabled cameras—admitted that its products had been compromised by Mirai and played a substantial role in the day’s events among the tens of millions of IP addresses used to assault Dyn.  Weak default passwords, and no requirement to change them, as well as outdated firmware, allowed the botnets to break in.  Xiongmai might not have been the only vector; since Mirai’s developer released the source code, any hacker could take advantage, and target other, similarly poorly-secured devices.  Copycats could even attempt a repeat performance.  “Mirai is a huge disaster for the Internet of Things,” Xiongmai told IDG News Service, adding that they “have to admit that our products also suffered from hacker’s break-in and illegal use.”

I’ve written in the past about the flaws in IoT security, in the bulwarks connected devices have against the dangers of the Internet: the IoT is still relatively new, a Wild West where malicious actors can roam freely and compromise devices as they please.  An incident like this was probably inevitable, especially with the lax attitude generally taken towards IoT security.

Perhaps consumers, meanwhile, have already been taking notice.  A recent survey from ESET and the National Cyber Security Alliance reveals a greater discomfort with IoT devices than their proliferation might suggest.  40 percent doubted the security of smart thermostats and other appliances, while 50 percent said security concerns had prevented them from owning connected devices.  Many could not remember whether or not they had even changed the default password on the router used by their connected devices.

It might be tempting to place an inordinate amount of blame on consumers—and many could stand to be more cognizant of their online safety—but the primary responsibility lies with developers.  Security should be designed in accordance with known user behavior.  Who knows, maybe the Dyn attack will begin to increase awareness, and bring some kind of order to the lawlessness of the IoT security landscape.


By: Jonathan Weicher, posted on October 25, 2016
Copyright: NetLib