Last week's wave of worldwide DDoS (Distributed Denial of Service) attacks launched through unsecured Internet of Things (IoT) devices is both disturbing and revealing. Disrupting prime-time access to e-commerce and social media sites has some near-term implications, but it also signaled the launch of an arms race between bad actors and the White Hat community – with the future of the IoT clearly between them. In the long run, the White Hats will win, but the question is how long it will take them.
Sites affected by the Mirai malware-based attack on service provider Dyn included Airbnb, Amazon, CNN, GitHub, Netflix, Reddit, Spotify, and Twitter. The attacks were the largest seen to date; a few weeks earlier, a similar attack on the Krebs on Security website had delivered a record-setting 620 Gbps DDoS against a single target.
If you want a root cause for last week's botnet attacks against a major Internet DNS (Domain Name Service) provider – the phone directory that maps website names to IP addresses – it's haste and greed. Manufacturers in a hurry to crank out Web cameras, DVRs, and other IoT devices ignored basic security measures in the rush to get their products to market. Default or easy-to-guess passwords, and no mechanism for distributing security fixes, are what let bad actors find and exploit unsecured IoT devices.
Chinese manufacturer Hangzhou Xiongmai Technologies has admitted its products were used in the latest attacks; its IP cameras and DVRs running older versions of its firmware are still vulnerable. The company recommends that customers update their firmware and change the default user names and passwords – assuming they still have the devices and know how to apply the updates. There has also been talk of Hangzhou recalling devices, but that may be challenging because the company has also OEMed its technology to other brands.
We've seen all this before in the Wi-Fi world, which makes the current wave of unsecured devices not just a learning experience but benign neglect at best, and intentional, willful disregard for the consequences at worst. Wi-Fi evolved over the years, adding stronger layers of encryption, getting rid of default passwords and logins, and turning other security features on by default after complaints from the community.
Now the IoT community is forced to play catch-up, with vendors having to validate both their approach to security and how they implement it. For those who have been slackers, it's a matter of rushing out patches and rolling best practices into current and future products. Expect a lot of service providers, and the 5G world that has bet heavily on IoT, to retool their messaging and offers to emphasize security.
For the security community, the DNS DDoS IoT attacks represent the latest intellectual challenge. One countermeasure under discussion would be to preemptively "bot" – take over – unsecured and vulnerable IoT devices so they can't be used in a mass attack. Whether such a tactic is legal or ethical is another story – a 21st century "fight fire with fire" – but it shows what measures some are willing to consider in order to keep the Internet going.
Other counters to the current IoT security problem are filtering within local networks to prevent local devices from communicating and being compromised by an external party and upstream filtering at the service provider level to prevent compromised devices from flooding servers on another network. Down the road we may see a sort of session border controller (SBC) for IoT traffic or some additional software tricks added to deep packet inspection (DPI) to thwart bots controllers from amassing large numbers of devices. ISPs may also start virtually "disconnecting" compromised devices if they can't be upgraded or fixed, simply refusing to move traffic from them in the most extreme case.
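As an added illustration of the two filtering points described above (this is example code written for this page, not anything from Dyn, Xiongmai or any ISP), the following Python models a local egress policy for an IoT segment and an upstream rate check. The IoT subnet, the resolver and vendor-cloud addresses, the packet-rate threshold and the flow records are all constructed values chosen for the demo; real deployments would take them from the router and from NetFlow/IPFIX exports.

```python
"""
Example (not from the article): a toy model of local egress filtering for an IoT
segment plus an upstream (ISP-side) flood check over flow records.

Everything below -- subnets, allow-list, threshold, sample flows -- is constructed
for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed IoT segment and its egress allow-list. A camera or DVR only ever needs
# DNS via the local resolver, NTP, and its vendor's cloud endpoint; anything else is
# a reason to drop the traffic and look at the device.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_EGRESS = [
    # (destination network, protocol, port, reason)
    (ipaddress.ip_network("192.168.1.1/32"), "udp", 53, "DNS via the local resolver only"),
    (ipaddress.ip_network("0.0.0.0/0"), "udp", 123, "NTP to any server"),
    (ipaddress.ip_network("203.0.113.0/24"), "tcp", 443, "vendor cloud (constructed range)"),
]


@dataclass(frozen=True)
class Flow:
    """One flow record: who sent how many packets to whom, in which 1-second window."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    window: int


def local_egress_verdict(flow):
    """Router policy: 'allow' or 'drop' for traffic leaving the IoT segment.

    Hosts outside the IoT segment are not subject to this policy and pass through.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IOT_SEGMENT:
        return "allow"
    for network, proto, port, _reason in ALLOWED_EGRESS:
        if proto == flow.proto and port == flow.dport and dst in network:
            return "allow"
    return "drop"


def find_flooders(flows, pps_threshold=500):
    """Upstream check: packets per second from one source to one destination.

    Returns {src: worst_pps} for sources that exceed the threshold toward a single
    destination in any one-second window. A camera streaming to its cloud never
    comes close; a device firing a DNS flood at one resolver stands out immediately.
    """
    rate = defaultdict(int)
    for f in flows:
        rate[(f.src, f.dst, f.window)] += f.packets
    worst = {}
    for (src, _dst, _window), pps in rate.items():
        if pps > pps_threshold:
            worst[src] = max(worst.get(src, 0), pps)
    return worst


def policed_sources(flows):
    """Sorted list of IoT-segment sources that had at least one flow dropped.

    These are the devices an operator would review first (or, in the ISP's most
    extreme option from the article, virtually disconnect).
    """
    return sorted({f.src for f in flows if local_egress_verdict(f) == "drop"})


# Constructed sample flows: a well-behaved camera (.10), a DVR that has started
# flooding an external DNS server (.11), and a laptop outside the IoT segment.
SAMPLE_FLOWS = [
    Flow("192.168.50.10", "192.168.1.1", "udp", 53, 3, 0),       # camera: DNS to local resolver
    Flow("192.168.50.10", "203.0.113.7", "tcp", 443, 40, 0),     # camera: vendor cloud
    Flow("192.168.50.11", "8.8.8.8", "udp", 53, 2, 0),           # DVR: bypasses local resolver
    Flow("192.168.50.11", "198.51.100.10", "udp", 53, 1800, 1),  # DVR: DNS flood, window 1
    Flow("192.168.50.11", "198.51.100.10", "udp", 53, 2100, 2),  # DVR: DNS flood, window 2
    Flow("192.168.10.5", "198.51.100.10", "tcp", 443, 30, 1),    # laptop, not policed
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst:<15} {f.proto}/{f.dport:<4} {local_egress_verdict(f)}")
    print("flooding sources:", find_flooders(SAMPLE_FLOWS))
    print("sources with dropped flows:", policed_sources(SAMPLE_FLOWS))
```

The local policy and the upstream check catch the same device for different reasons: the router drops the DVR's flows because they go nowhere on the allow-list, while the ISP-side check flags it purely on volume, without needing to know anything about the customer's network. Either layer alone is useful; together they cover the case where a home router has no egress policy at all.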
Certainly this won't be the last "It crashed the Internet" moment (Google "Morris Worm" to find the OG moment). Once this is fixed, there will be other threats in the ongoing arms race between bad actors looking to make a couple of quick bucks and security experts who get paid to keep social media up and e-commerce sites going.