IoT - Early Warnings
In October last year we witnessed a proof-of-concept DDoS attack that shut down the Internet by taking down Dyn's managed DNS infrastructure, causing disruptions for several major websites, including PayPal, Twitter, Reddit, GitHub, Amazon, Netflix and Spotify. The attack took DDoS to a whole new level. The scary part is not the outcome, which in itself was quite impressive, but "how" the attack was carried out. The attack made use of the Mirai malware source code, the same code that was used to carry out the DDoS attack on Krebs' website. Many hypotheses have been put forward as to who was behind such a powerful attack, including state-sponsored actors (Russia) and WikiLeaks supporters. It is also believed that the attack may have been the action of young script kiddies, particularly members of the HackForums website, based on the fact that the Dyn attack does not appear financially or politically motivated and that the same DDoS infrastructure used in the attack was used to target Sony.
What makes Mirai a landmark malware in the history of IoT-based DDoS is the fact that Mirai was the first malware for which the source code was made public, which in turn allowed it to be used, modified and reused, thus amplifying the exploitation of IoT vulnerabilities. Specifically, Mirai brought to the limelight the state of insecurity in the IoT industry and its exploitation for bad! Mirai worked by exploiting the oldest vulnerability in the game, weak passwords! Until its source code was released, however, Mirai had not received the same attention worldwide, despite having played a serious role in both the attack on Krebs' site and the attack on the French cloud provider OVH. A few days after Mirai's source code was released, a new IoT malware began to spread, dubbed Linux/IRCTelnet, written in C++ and exploiting the very same vulnerable IoT device login credentials that had been leaked with the Mirai source code.
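Because Mirai and Linux/IRCTelnet both spread by walking a list of factory login credentials over Telnet, the defender-side signal is a burst of failed logins from one source that cycles through several usernames and then succeeds. The following detector is an added example written for this article; it is not code from Mirai, from any device vendor, or from the original post. It assumes a constructed, syslog-like Telnet daemon log format (the `telnetd[...]: login failed/ok user=... from=...` lines are made up for the example) and flags a source that produces at least `min_failures` failed logins across at least `min_users` distinct usernames inside a sliding window, noting whether a successful login followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real device): one source sweeping
# several default usernames and finally getting in, one legitimate operator
# mistyping a password once, and one unrelated kernel line the parser skips.
SAMPLE_LOG = """\
2016-10-21T12:00:01Z telnetd[231]: login failed user=root from=203.0.113.7
2016-10-21T12:00:02Z telnetd[231]: login failed user=admin from=203.0.113.7
2016-10-21T12:00:03Z telnetd[231]: login failed user=support from=203.0.113.7
2016-10-21T12:00:04Z telnetd[231]: login failed user=user from=203.0.113.7
2016-10-21T12:00:05Z telnetd[231]: login failed user=guest from=203.0.113.7
2016-10-21T12:00:06Z telnetd[231]: login failed user=root from=203.0.113.7
2016-10-21T12:00:07Z telnetd[231]: login ok user=admin from=203.0.113.7
2016-10-21T12:05:00Z telnetd[231]: login failed user=operator from=198.51.100.4
2016-10-21T12:05:09Z telnetd[231]: login ok user=operator from=198.51.100.4
2016-10-21T12:05:10Z kernel: eth0: link up
"""

# Hypothetical log line layout assumed by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)


def parse_line(line):
    """Return a dict for a Telnet login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_credential_sweeps(lines, window=timedelta(seconds=60),
                             min_failures=5, min_users=3):
    """Flag sources whose failed logins look like a default-credential sweep.

    A source is reported once, at the first window that meets both thresholds.
    'succeeded' records whether that source later logged in successfully,
    which is the case that warrants treating the device as compromised.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failed"]
        for i, start in enumerate(failures):
            # All failures from this source within `window` of the i-th one.
            win = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in win}
            if len(win) >= min_failures and len(users) >= min_users:
                success = next(
                    (e for e in evs
                     if e["result"] == "ok" and e["ts"] >= start["ts"]),
                    None,
                )
                alerts.append({
                    "src": src,
                    "first_seen": start["ts"],
                    "failures": len(win),
                    "users": sorted(users),
                    "succeeded": success is not None,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_sweeps(SAMPLE_LOG.splitlines()):
        verdict = "COMPROMISED" if alert["succeeded"] else "sweep blocked"
        print(f"{alert['src']}: {alert['failures']} failures over "
              f"{len(alert['users'])} usernames -> {verdict}")
```

On the sample input the operator at 198.51.100.4 is not reported (one failure, one username), while 203.0.113.7 is reported with six failures across five usernames and a subsequent successful login. The thresholds are deliberately tunable: a device that exposes Telnet to the Internet sees many such sweeps, and the actionable event is the `succeeded` case, which is the moment a device joins the botnet and the moment to pull it off the network and change its credentials.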
The publication of Mirai's source code will surely increase the development of rent-a-botnet services, which have already been so lucrative to cybercriminals and even young script kiddies. Earlier in November, a 19-year-old student from Hertford, UK pleaded guilty to running one such DDoS-for-hire service, dubbed Titanium Stresser, which had brought the young student an income of more than $505,000 spread across over 500 DDoS attacks carried out over a period of one and a half years!
Up to a year ago, attacks such as those that hit Krebs and the provider OVH, with 600 Gbps and 1.2 Tbps of traffic respectively, were unheard of. Today they are not only a possibility but have become more mainstream, a bit like when sprinters began running the 100 meters in under 10 seconds. Soon after, that became the norm!
It's time to get used to DDoS attacks of such a scale, with IoT as an established enabler. It is a wake-up call for both sides, the attackers and the defenders. The attackers are developing a stronger awareness of the untapped potential of IoT. The defenders must realize it is time to put some defences in place. On the attackers' side, the indications are that we are in training season, testing and improving capabilities, especially on the part of organized cyber crime and state-sponsored actors. One clear indication was given by the DDoS attack carried out against the small African country of Liberia earlier in November, using another Mirai IoT botnet known as Botnet 14. The attack delivered bursts of traffic of 500 Gbps targeted at the telecommunication company Lonestar Cell MTN, which provides the Internet to 10-15% of Liberia. If one compares the capacity of the undersea fiber cables with the traffic that was generated to attack Dyn's infrastructure, it is easy to see that the scale is the same, and while the 1 Tbps Dyn attack was delivered by recruiting "only" approximately 100,000 IoT devices, one can imagine what can be achieved with a botnet of 1-2 million devices.
Figure from https://manypossibilities.net/african-undersea-cables/
It is then not far-fetched to think that future DDoS attacks may take an entire country out, or at least leave a good part of it without access to the Internet! Again, we may look at the Dyn attack or the attack on Liberia as training sessions if we consider that, according to estimates by Internet provider Level 3 Communications, Mirai and its predecessor BashLite have infected more than 2 million IoT devices (more than 80 percent of those devices are digital video recorders and routers) and only a fraction of those were used in the attacks.
What the Future Holds
In the words of Bruce Schneier: "The market can't fix this because neither the buyer nor the seller cares... There is no market solution because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
Most of the devices used in the recent DDoS attacks were CCTV cameras and DVRs. People's main criteria when buying those devices are price and functionality. The fact that those devices may have been used in an attack will affect neither the functionality nor the price, and users will by and large always reward lower pricing even if it means lower security. Even naming and shaming the vendors of those devices for negligent security will not make a noticeable dent in that vendor's revenue. If you don't believe it, try asking any of the people who own the cameras and DVRs used in the attack whether they know their device was one of those involved, if they are aware of the attack at all! Or try asking prospective buyers whether they know which vendors to avoid because of IoT vulnerabilities. Therefore neither party has an incentive to do anything about IoT security. In fact, if anybody tries to name and shame the vendors by simply sharing factual information, he or she is likely to face threats of lawsuits, as Brian Krebs experienced first hand recently. So what can be done?
On the protection side, it is clear that DDoS protection must move high up the agenda. Given the recent step up in the size of DDoS attacks, one can assume that even the vendors and companies offering DDoS protection are not yet ready to provide a scalable solution. One clear example was seen with the DDoS attack on Brian Krebs' website, when Akamai intervened to provide pro-bono support but soon afterwards interrupted the service. One can only assume that Akamai's infrastructure was not scaled to provide a pro-bono DDoS protection service against a 600 Gbps attack without affecting its regular customers. And one can only assume that Akamai, as well as other providers, are beefing up their service offerings in preparation for the attacks to come.
The only way we can hope to address the looming threats introduced by poor IoT security is via government regulation, forcing vendors to adhere to established security standards in the manufacturing of IoT devices, which in turn requires the development and publication of such standards. Being optimistic, we can hope that governments will actually address IoT security in light of the fact that IoT insecurity poses a growing threat to national security. Governments could introduce fines for negligent vendors and create an environment that allows the victims of an attack based on vulnerable IoT devices to take legal action for compensation against the vendors. On the downside, though, anything related to the development of standards and government regulation is not likely to produce any result in the short term, which in turn means that millions of vulnerable devices will be sold in the meantime. Brace for impact!