Recently, millions of IoT devices turned against the Internet and shut down a whole load of major websites. So how was this possible?
Surely, with the number of IoT devices set to reach 34 billion by 2020, manufacturers are looking not only to rush their products to market, but to improve cybersecurity standards as well.
Well, if the answer was yes on both counts, you might be in for a nasty surprise.
In business, profit equals motivation to build new products. And with the global IoT market set to reach $6.2 trillion by 2025, there's certainly a lot of motivation going round. But herein lies the rub. Due to the fevered race to get new products and features out before the competition, there's actually an incentive for lots of companies not to focus on security. After all, secure devices are often slower and more expensive to get to the shop floor, which are two sure-fire ways to lead your business to financial ruin.
Another factor making the ground fertile for coordinated IoT attacks is that consumers simply don't care that much about the security of their smart light bulbs, for instance. Imagine this. You're looking to buy a new IoT security camera and you have two products in front of you. One offers amazing picture resolution, while the other boasts cutting-edge cyber security. Which one do you think you would go for? However, manufacturer and consumer priorities may all be set to change, considering the recent IoT attacks in which smart devices across the globe turned against their users.
Mirai, a particularly nasty piece of malware, was behind the recent spate of IoT attacks against Krebs on Security and Dyn.
Mirai operates by breaking into IoT devices and turning them into bots. Once infected, a device's bandwidth usage increases, and it continuously scans the internet for more devices to infect.
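The scanning behaviour described above is also what gives an infected device away on the local network: it suddenly fans out to a large number of distinct hosts. The following is an added example, not code from the original post, showing how a defender could flag that fan-out in flow records. The log lines are constructed, and the port (23), window size and threshold are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed flow records ("timestamp src dst dport bytes"), not a real capture."""
    base = datetime(2016, 10, 21, 11, 0, 0)
    lines = []
    # Benign laptop: a handful of HTTPS sessions to a few hosts.
    for i in range(3):
        ts = (base + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{ts} 192.168.1.20 203.0.113.{i + 1} 443 5200")
    # Infected camera: one new destination per second on port 23 (assumed scan port).
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 192.168.1.44 198.51.100.{i + 1} 23 60")
    return "\n".join(lines)


def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def find_scanners(log_text, window_s=60, min_distinct=20):
    """Return {src: (peak distinct destinations, sorted ports)} for every source
    that reaches at least min_distinct distinct hosts inside any window_s window."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _ = parse_flow(line)
            flows[src].append((ts, dst, dport))
    alerts = {}
    for src, events in flows.items():
        events.sort()
        window, seen, ports, peak = deque(), Counter(), set(), 0
        for ts, dst, dport in events:
            window.append((ts, dst))
            seen[dst] += 1
            # Expire flows older than the sliding window.
            while ts - window[0][0] > timedelta(seconds=window_s):
                _, old_dst = window.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
            ports.add(dport)
        if peak >= min_distinct:
            alerts[src] = (peak, sorted(ports))
    return alerts


if __name__ == "__main__":
    print(find_scanners(build_sample_log()))  # {'192.168.1.44': (25, [23])}
```

The threshold is deliberately coarse; on a real network it would be tuned per device class, since a laptop or a media server legitimately talks to far more hosts than a camera ever should.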
Mirai made its debut with its DDoS attack against Krebs on Security, and up to that point it was the biggest attack of its kind. The malware turned millions of IoT devices (security cameras, routers, baby monitors, DVRs, etc.) into bots, directing over 665 Gbps of fake traffic at Krebs and forcing the site offline. Then came the recent DDoS attack against the DNS provider Dyn, which really made the world sit up and pay attention to the growing threat of insecure IoT devices.
Are the Krebs and Dyn attacks a taste of what’s to come?
If you thought the DDoS attack against Krebs was massive, think again. On October 21st, Mirai once again enslaved an untold number of IoT devices. But this time it directed a massive 1.2 Tbps of traffic at Dyn. Who's Dyn, you may ask? Only the company which helps manage such major websites as Amazon, Twitter, Etsy and Spotify. For many of the sites' users across Europe and North America, October 21st must have felt close to the Internet apocalypse, as they weren't able to access the sites for the best part of a day.
So surely the scale of this IoT attack was only made possible by the skill of the hacker(s), rather than by a lack of IoT security standards? Well, in a word, no.
To put it simply, the lack of even basic IoT cyber security was almost inviting an attack such as the one we saw on Dyn. It can all be boiled down to an issue which we hear about time and time again when talking about software security: the strength of usernames and passwords.
In its bid to take down its targets, Mirai scours the internet for IoT devices which have little more than paper-thin security, i.e. factory default usernames and passwords. What's really scary is that even when consumers want to change their usernames and passwords, they often can't. This is because the sign-on credentials are hardwired into the devices' firmware, and the tools don't exist to disable them.
A final twist to this unsavory affair is that shortly after the Dyn attack, Mirai was open-sourced. Why? Well, maybe Anna-senpai, the Hackforums user who released the code, was feeling the heat from the authorities. As the user put it: "I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO."
Although open-sourcing Mirai could be a good thing, as it will allow manufacturers and consumers to better understand the malware and so combat it, the consensus in the software community is that it will only lead to more IoT attacks. After all, we only need to look at what happened when Utku Sen open-sourced the Hidden Tear ransomware. So don't you think it's about time consumers and manufacturers alike started to sit up and pay attention to the need for improved IoT security? I know I do.
To prevent our IoT devices turning against us, there are some practical and actionable measures that manufacturers and consumers can take.
The first order of the day is, if you can, to change your default usernames and passwords. Secondly, and perhaps more importantly, instead of manufacturers hardwiring usernames and passwords into devices, they should require users to set up strong passwords (longer than 8 characters, using a combination of caps and numbers, etc.) when configuring their device.
(Image caption: Without better cybersecurity, maybe this is the IoT future we can look forward to.)
Furthermore, users should keep on top of firmware updates and device patches. Additionally, open-sourcing smart devices will help to raise IoT security standards. This is because open source is driven by the community, and the community is interested in improving the quality and usability of products, including seeking out and fixing any security issues lurking in the code. For, as Linus never gets tired of reminding us, 'many eyes make all bugs shallow.'
So, what does all this mean regarding IoT’s future?
Well, if I were a betting man, I'd place money that future attacks will be more violent than simply taking down a few websites, however large they may be.
At the end of the day, the IoT attacks on Dyn and Krebs just demonstrated the capability of IoT malware such as Mirai, rather than putting any lives in real danger. Yet with IoT devices increasingly being hooked into critical infrastructure networks (transport, energy, healthcare, etc.), this may all be set to change. And with rumors circulating that Mirai knocked an entire country off the internet, this future may be nearer than we all think.