Tuesday, November 8, 2016
October 21 2016; a day that shall live in IoT infamy
Thats a provocative headline but the widespread DDoS attack that took place on October 21st came from unprotected IoT devices and that's a security game changer for the world of IoT.
If you are reading this then you are probably well aware of the internet outages that day but just in case it was a classic distributed denial of service (DDoS) attack on a key DNS provider called Dyn. This is what the web looked like on Oct 21, red is bad:
A depiction of the outages caused by today’s attacks on Dyn, an Internet infrastructure company. Source: Downdetector.com.
DDoS attacks aren't new, for years, hackers have routinely infected millions of PCs with malware and created Botnets they can activate to attack websites, service providers and infrastructure companies but this time they corralled up to a million IoT devices. This IoT Botnet used code called Mirai which had infected security cameras, DVRs, printers and routers running a common form of embedded Linux (dubbed "the Swiss Army knife of embedded Linux" I did not make this up!). Much has been written about this attack by experts so I won't dig in deep but please think about subscribing to my former colleague, Dave Strom's Inside Security newsletter to get the scoop.
My larger point is that all the devices which were compromised had two things in common; they were consumer devices built on tight profit margins (hence the free/open source code) and the designers "hoped" that users would change the default password on the device when they were installed. So here we have have two failings of human beings (not technology); building cheap products and assuming end users understand technology and how to protect their own security. Couldn't see that coming.
So why is this fiasco such a tipping point in IoT history? Well first of all we all now know it can happen and affect a lot of other people who are going to take action, second, there is now no excuse for device designers not to take security seriously, even if they have a tight budget.
Just to show that this isn't wishful thinking on my part I have seen evidence of this in September when we (I was at AspenCore at that time) asked embedded/IoT hardware designers what their major concerns were right now and for the first time we saw Security as #1. Although one cautionary note is that "Cost" was #2 and very close.
So here is my closing thought, IoT security is on everyone's mind now and free software combined with asking users to change their passwords may not be the best choice for securing devices in a world of constant cyber attacks. More on this in my next blog and feel free to comment and share.