The success of the recent Mirai botnet attacks opens the door for similar DDoS threats that take advantage of unsecured Internet of Things devices.
The recent distributed denial of service attacks that affected large parts of the internet, along with major online outfits such as Twitter and Netflix, were an eye-opener for those who may not have been familiar with this type of threat. They were also a vindication of sorts for the government’s cybersecurity focus.
Despite the obvious dangers posed by criminals and state-sponsored advanced persistent threats (APTs) that trawl government systems for specific data, DDoS attacks are consistently seen as the biggest potential threat. So much so that the Department of Homeland Security has been spending serious money to develop defenses against them.
That attention seems warranted. The October attack against DNS provider Dyn using the Mirai botnet has raised the stakes significantly, at least in technical terms. Up to 100,000 bots were eventually involved, with the attack volume thought to have exceeded 1 terabit/sec.
That’s a huge number, and a DDoS attack at that level will overwhelm most defenses now in place, simply because they can’t keep up with the deluge that’s flooding them. Mean time to failure of any compromised Internet of Things device -- the means of attack targeted by the Mirai botnet -- is just 10 minutes. You can’t just turn devices off and on again as a way of mitigating attacks.
The IoT, in other words, is a potential mother lode for cyber bad guys. The IoT is seen as having tremendous potential to wring value out of assets through improved supply chains and logistics operations. It could mean as much as $1.9 trillion in added value, which is a huge attraction for device manufacturers.
Unfortunately, security so far hasn’t kept up with demand. Two years ago, the SANS Institute detailed the vulnerabilities of digital video recorders as internet-connected devices. Revisiting the situation after the Mirai attack, it found not much has changed.
The ways the IoT can be attacked seem to be endless. One organization has described how Philips smart streetlights can be used to spread worms that result in so-called “bricking” attacks that can shut down the lighting in large areas of a city. Think of the havoc such blackouts can cause. Others have shown that even everyday devices such as smart toasters can be hijacked.
It didn’t take long after the Mirai attack for similar threats to surface. Linux/IRCTelnet malware (based on the Aidra botnet) apparently has the same roots as Mirai and also borrows from other botnets. It has the same ability to attack weak telnet credentials, but can also attack systems running much newer protocols such as IPv6. There are also warnings that new attack vectors such as Lightweight Directory Access Protocol could be used to launch terabit-scale DDoS attacks.
Just as the original Stuxnet attack was seen as the progenitor of much of the sophisticated APT malware industry that’s been built up over the past few years, it’s all but inevitable that the recent success of Mirai will stimulate similar development of DDoS threats.
To counter that, it’s critical that better and more capable tools are developed. Organizations such as DHS are ahead of the game, and after the recent attacks Congress has been stirred to action. Sen. Mark Warner (D-Va.), co-founder of the Senate Cybersecurity Caucus, asked the Federal Communications Commission, the Federal Trade Commission and the DHS’s National Cybersecurity & Communications Integration Center for information on current and future tools that will be needed to bolster IoT security.
DHS is apparently going further by developing a set of strategic principles that will set out security guidelines for connected devices, and calling for manufacturers to integrate more security into their devices. It will be interesting to see how manufacturers react to this, given the tradeoffs between improving device security and getting devices quickly to market to meet the burgeoning IoT demand.
The chip industry is also getting involved. Much as the Trusted Computing Platform has enabled widespread chip-based security for laptops and other computing devices, so companies such as ARM and Microchip (teaming with Amazon) are looking to provide processor-based security for IoT devices.
All of that will take some time to make its way into the IoT mainstream, however. Meanwhile, there are practices organizations can follow now that could lessen the effects of a DDoS attack, such as building up infrastructure resilience and replacing obvious network credentials for devices. The factory default “admin-password,” for example, was just one of the things Mirai looked for.