This past weekend, the U.S. Internet slowed to a crawl thanks to a distributed denial of service attack, or DDoS. It was an interesting attack for two reasons. First, the attackers, whoever they are, did not flood a single website with junk requests, as is the usual MO for DDoS attacks. Instead, they went after Dyn, a managed DNS provider whose authoritative name servers answer for a long list of major sites. When those servers could not keep up, browsers could no longer resolve the names of the sites behind them, and numerous websites slowed to a crawl or became unreachable entirely. Warnings about the over-centralization of DNS infrastructure suddenly became very interesting.
The second, and more important point, is that a sizable chunk of the devices involved in the DDoS attack were so-called smart Internet of Things devices. Usually, attackers spread malware onto ordinary computers, which then follow the attacker's commands and simultaneously request information from a website until it buckles under the load. But this time, the shambling digital zombie horde included security cameras and wireless routers.
The teapot did it
At the heart of the attack was Mirai, which is not a particularly exotic piece of malware. Infected devices scan the internet for other hosts that answer on the telnet port, which in practice means Linux-powered IoT devices, apparently favoring security cameras, DVRs and home routers, many of them built on boards from Hangzhou Xiongmai Technology. It then works through a short built-in list of factory-default username and password pairs until one logs in. Once inside, it reports the device to a central command and control server, which can then order it to join an attack.
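Seen from a network's edge, the spreading behaviour described above has a recognizable shape: one outside address touching the telnet ports on many different hosts in quick succession. The script below is an added example, not code from the original article and not Mirai's own code, that flags that pattern in iptables-style firewall log lines. The log format, the addresses and the threshold of three distinct targets are all constructed for this example.

```python
"""Flag Mirai-style telnet scanning in firewall log lines.

Added example (not from the article or from Mirai). Mirai's spreader
connected to random IPv4 addresses on TCP 23 and 2323 and then tried a
short list of factory-default credentials. From the defender's side the
first step shows up as a single source sending SYNs to port 23/2323 on
many distinct hosts, which is what this script looks for.
"""
from collections import defaultdict
import re

TELNET_PORTS = {23, 2323}

# Constructed iptables-style log lines; none of this is real traffic.
# 203.0.113.5 behaves like a scanner, the 192.0.2.x hosts are noise.
SAMPLE_LOG = """\
Oct 21 12:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=23 SYN
Oct 21 12:00:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP DPT=23 SYN
Oct 21 12:00:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP DPT=2323 SYN
Oct 21 12:00:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.13 PROTO=TCP DPT=23 SYN
Oct 21 12:00:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.14 PROTO=TCP DPT=23 SYN
Oct 21 12:00:05 gw kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
Oct 21 12:00:06 gw kernel: IN=eth0 SRC=192.0.2.78 DST=198.51.100.12 PROTO=TCP DPT=23 SYN
Oct 21 12:00:07 gw kernel: IN=eth0 SRC=192.0.2.79 DST=198.51.100.12 PROTO=TCP DPT=80 SYN
"""

# Pull source, destination and TCP destination port out of one log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+)")


def parse(log):
    """Yield (src, dst, dport) for every TCP line the regex understands."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def telnet_scanners(log, min_targets=3):
    """Sources that probed telnet on at least `min_targets` distinct hosts.

    Returns {src: sorted list of probed destinations}. The threshold is a
    constructed example value; tune it to the size of your address space.
    """
    targets = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


def telnet_probed_hosts(log):
    """Internal hosts that received any inbound telnet SYN.

    Cross-check these against inventory: a camera or DVR on this list that
    still runs telnet with factory credentials is a Mirai candidate.
    """
    return sorted({dst for _, dst, dport in parse(log) if dport in TELNET_PORTS})


if __name__ == "__main__":
    for src, dsts in telnet_scanners(SAMPLE_LOG).items():
        print(f"telnet scanner {src} probed {len(dsts)} hosts: {', '.join(dsts)}")
    print("hosts probed on telnet:", ", ".join(telnet_probed_hosts(SAMPLE_LOG)))
```

A scanner showing up in this output is only half the picture; the other half is whether anything on the probed list would have accepted one of the default logins, which is an inventory question, not a log question. Blocking inbound 23/2323 at the edge removes the attack path regardless of what the devices behind it are running.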
While this attack was shocking in what it accomplished, it’s unfortunately nothing we didn’t see coming. At the Black Hat conference in 2013, Craig Heffner demonstrated the ability to easily take over network connected security cameras. His demonstration included big-name companies you’d recognize, including D-Link, Linksys, Cisco, IQInvision and 3SVision. When asked what devices were vulnerable to attack, he said he hadn’t found a brand that couldn’t be controlled.
For his demo, Heffner tricked the camera into displaying a looping video, like in a heist movie. But the actual substance of his talk was far more dire. IoT devices like security cameras, tea kettles, fridges and yes, even wireless routers are just tiny computers connected to the internet. If attackers want to target a person or a company specifically, he said, they can attack these poorly defended devices and use them as a beachhead to explore the rest of the victim's network. And because they are tiny computers, they can conceivably be coaxed into executing whatever code the attacker desires.
Think of it this way: you can buy the strongest doors with the best unpickable locks to protect your house, but a thief can still break in through the windows.
IoT is different
In the security industry, we like to blame people, not computers. If people had been more alert, they might have caught the Heartbleed bug before it was even introduced. A popular saying is that the biggest point of failure in any security system is between the computer and the chair. Case in point: the hack of Hillary Clinton campaign chair John Podesta’s Gmail account — which introduced us to his risotto recipe, among other things — apparently began with a phishing scam.
But in the case of IoT security, consumers cannot be held accountable in the same way. As a car owner, for example, you are required to use caution while driving and provide reasonable maintenance. The car company, in turn, is required to provide you a product that will not actually kill you.
As our society changed, so did the expectations of consumers. Consumer advocates point out that some cars were “unsafe at any speed.” And like an evolving creature, cars sprouted new appendages: seat belts, airbags and less obvious features like crumple zones and specially engineered materials designed to keep consumers reasonably safe in a changing world.
The same is true for consumer technology. The proliferation of malicious software, and the dangers presented to any device that merely connects to the internet, have pushed manufacturers to take a more active role in protecting consumers. Windows, for example, now ships with antivirus installed and maintained by Microsoft. The company also issues patches on a regular basis, because the challenges facing consumers are too complex for them to deal with on their own.
When smartphones began to take off, manufacturers and developers learned from the trials of the PC years. While mobile security has had some bumps along the way, it’s been a cakewalk compared to the history of the PC. We haven’t had that kind of widespread infection on smartphones that we saw with Conficker, and hopefully we never will.
The history of IoT charted a different course, perhaps one that used a goldfish as a navigator. Instead of controlling access to the device, and employing best practices learned from connecting billions of computers and phones over the course of decades, manufacturers rushed cheap products to market. Ones that were designed, in some cases, to never be serviced, upgraded or patched. And even if problems could be addressed, it is, arguably, not reasonable to expect individuals to treat labor-saving devices the same way they do computers. The vast majority of consumers assume, and rightly so, that if a device does not have a screen or some kind of input method, it is not intended to be serviced by them.
This didn’t have to happen
The most frustrating part of the recent DDoS attack is that IoT manufacturers only needed to look at 30 years of consumer technology to see the proverbial writing on the wall. And if they couldn’t do that, they could have heeded the warnings spouted by security researchers (corporate and hobbyist hacker alike). These people have told anyone who would listen how putting billions more devices on the internet without careful consideration of how they will be used is a bad idea. In 2014, Dan Geer opened the Black Hat conference by saying that the IoT is already upon us and could lead to trouble.
Despite my best efforts to remain cynical, IoT feels inevitable and compelling. Sci-fi has promised us talking computers and futuristic appliances for decades, and maybe that's why the prediction by Gartner that there will be 6.4 billion devices connected to the internet by 2020 sounds feasible. These devices are already in our homes: streaming boxes, gaming consoles, wireless routers. In the eyes of attackers and automated attacks, these are just more IP addresses to exploit.
As we hurtle towards the holidays and lurch forward into a new generation of IoT devices, let’s put security that is designed to be understood by users at the forefront. If by 2020 the best advice I still have to offer people is to disconnect their smart devices, then this industry does not deserve its reputation for innovation or even intelligence.