Last Friday, two major distributed denial-of-service (DDoS) attacks on Dyn’s Managed DNS infrastructure brought down the websites of over 80 internet giants, including Amazon, PayPal, and Twitter. The sophisticated attack involved tens of millions of IP addresses. Many of these addresses were associated with the open source Mirai botnet. The attack leveraged Internet of Things (IoT) devices by breaking into home security cameras and other items with minimal (if any) security features. They became an army of malware-infected devices waging an all-out assault on Dyn’s servers, successfully bringing them down for three hours.
This is a perfect example of how the IoT space is lagging behind the personal computer and mobile device industries in addressing security as a fundamental design input. This event is reminiscent of what was happening 15 years ago with PCs, and more recently with mobile devices. According to Synopsys principal security consultant Dan Lyon, “IoT devices are different because people don’t think of them as traditional computers. They aren’t maintained in the same fashion.”
People tend not to regularly update their webcams and DVRs as they may regularly update their computers. As of now, these devices don’t prompt users to update them. They’re simply plugged in and forgotten about until they stop working for one reason or another. “They can last for years, which means that known vulnerabilities are available for extended periods of time,” explains Lyon.
Typically, services rely on technologies like Akamai or Cloudflare for absorbing and mitigating the volume of traffic an attacker might send. “These types of services are generally effective when addressing traffic flooding and Denial of Service attacks,” Travis Biehn, Synopsys technical strategist, says about Friday’s attack. “However, they don’t cover attacks against DNS—the index service itself. By targeting the shared index services of prominent companies, attackers can get more value out of their attacks. They have a large area of impact by targeting this choke-point.”
Botnets are nothing new. However, botnets targeting IoT devices are new and they’re becoming popular. For example, Lizard Squad used one of the first IoT-based botnets for their campaigns earlier this year.
“Source code for an IoT worm and DDoS platform [Mirai] was released, placing this capability into the hands of a much larger group of potential hackers,” Biehn explains. “While the security industry has observed sophisticated attackers using vulnerable IoT devices for establishing footholds into internal networks (and some attackers using them to mine cryptocurrency), the use of IoT as a DDoS platform signals that a wider, less sophisticated group of attackers are starting to learn how to take advantage of this platform.”
From an organizational perspective, a major concern involves time to market. In a rush to get a device on the market before competitors, we’re seeing an increasingly widespread “if it compiles, ship it” mindset. Until recently, this process has worked smoothly enough. “This is because the field has been surviving in a protective bubble of obscurity and network isolation,” according to Larry Trowell, Synopsys senior security consultant. “This bubble has been protecting firms from the immediate need to worry about hardware and software security. However, as more and more embedded devices connect to internal and external networks, we’re seeing the bubble burst.”
Organizations can take some simple measures in the short-term to mitigate risk against DNS infrastructure. “Namely, apply the redundancy and distribution of Web servers to DNS” according to Biehn. “Instead of relying on one DNS provider, distribute DNS servers both geographically and across providers. Additionally, employ technologies like DNSSEC to mitigate increased attack surfaces for spoofing attacks.”
DNS providers can help mitigate the role they play as single points of failure. They can do this by working with Internet providers to establish a private backbone for DNS. This way, even if the servers they own are targeted by attackers, a majority of end users can still gain access through the Internet provider’s infrastructure.
—Travis Biehn, Synopsys technical strategist
Examining short-term fixes for IoT devices are trickier. There are IoT devices on the market that have no firmware updates covering vulnerabilities that are, in some cases, years old. Some don’t even have the ability to be updated at all. “For now, the best bet is to isolate these systems with strict internal network rules and limit conductivity to the bare minimum,” Trowell recommends. “However, if credentials can’t be revoked or changed, remove them from the network if possible.”
“DNS is long overdue for an overhaul, and thus far has only seen small, incremental changes,” according to Biehn. “A number of attractive competing technologies are available to provide distributed registries of information. It’s time to create a plan for what DNS could look like in the future.”
Gartner predicts that IoT devices should outnumber the number of people on the planet by 2017. As such, these devices will continue to be a popular target for attackers.
Device manufacturers should, first and foremost, provide a mechanism for updating the software running on their devices that will respond to events such as Friday’s attack. It’s also critical for these firms to invest in software security initiatives that can reduce the risk presented by IoT devices. “It’s a race with attackers’ increasing sophistication. Manufacturers need to quickly come up to speed to improve the security of their devices. Additionally, they must do so before attackers learn how to carry out more creative attacks,” states Biehn. “A great deal of work has been done, thinking about the necessary controls to address IoT risk. However, it remains to be seen if these efforts will succeed.”
The attack that took place last week opened an entirely new battlefront in cyber security. “This attack is illustrative of the problem with connected devices, specifically the ability to infiltrate, corrupt, and subsequently use these devices for malicious activity,” Jim Ivers, Synopsys Software Integrity senior director of marketing observes.
Device manufacturers need to understand that building security into these devices is a set of activities and processes that need to be included throughout the development process. The Building Security In Maturity Model (BSIMM) explores what real organizations around the world are doing to build security into their products. This study is an excellent way to start thinking about how to inject security into IoT devices around the globe.