Cerf’s nightmare scenario hasn’t happened, yet. But in 2016 thousands of compromised surveillance cameras and DVRs were used in a DDoS attack against domain name server provider Dyn to take down major websites on the East Coast of the United States. It was a massive Internet outage and, for many, a true wake-up call.
At approximately 7:00 a.m. on October 21, Dyn was hit by a DDoS attack, and it quickly became clear that this attack was different from the DDoS attacks the company had seen before.
It was targeting all of Dyn’s 18 data centers throughout the world, disrupting tens of millions of Internet Protocol (IP) addresses, and resulting in outages to millions of brand-name Internet services, including Twitter, Amazon, Spotify, and Netflix.
Two hours later, Dyn’s Network Operations Center (NOC) team mitigated the attack and restored service to its customers.
“Unfortunately, during that time, Internet users directed to Dyn servers on the East Coast of the United States were unable to reach some of our customers’ sites, including some of the marquee brands of the Internet,” Dyn Chief Strategy Officer Kyle York wrote in a statement for the company.
A second attack then hit Dyn several hours later. Dyn mitigated the attack in just over an hour, and some customers experienced extended latency delays during that time. A third wave of attacks hit Dyn, but it successfully mitigated the attack without affecting customers.
“Dyn’s operations and security teams initiated our mitigation and customer communications process through our incident management system,” York explained. “We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like this.”
The attacks caused an estimated lost revenue and sales of up to $110 million, according to a letter by U.S. Representative Bennie G. Thompson (D-MS) sent to former U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson.
“While DDoS attacks are not uncommon, these attacks were unprecedented not only insofar as they appear to have been executed through malware exploiting tens of thousands of Internet of Things (IoT) devices, but also because they were carried out against a firm that provides services that, by all accounts, are essential to the operation of the Internet,” the letter explained.
These devices were part of the Mirai botnet, which is made up of at least 500,000 IoT devices, including DVRs and surveillance cameras, that are known to be in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain, among other nations.
The botnet, which was created in 2016, has been used to conduct high-profile, high-impact DDoS attacks, including the attack on security researcher Brian Krebs’ website, Krebs on Security—one of the largest DDoS attacks known to date.
“Mirai serves as the basis of an ongoing DDoS-for-hire…service, which allows attackers to launch DDoS attacks against the targets of their choice in exchange for monetary compensation, generally in the form of Bitcoin payments,” according to Arbor Networks’s Security Engineering and Response Team (ASERT) threat intelligence report on Mirai. “While the original Mirai botnet is still in active use as of this writing, multiple threat actors have been observed customizing and improving the attack capabilities of the original botnet code, and additional Mirai-based DDoS botnets have been observed in the wild.”
This is because shortly after the Dyn attack, Mirai’s source code was published on the Internet, and “everyone and their dog tried to get their hands on it and run it in some form or another,” says Javvad Malik, a security advocate at AlienVault, a cybersecurity management provider.
Mirai is “out there and the problem is, there isn’t any easy mitigation against it,” Malik explains. “A camera or a webcam, there’s no real, easy way to patch it or update it, or there’s no non-technical way your average user could patch it. And most users aren’t even aware that their device was part of the attack.”
There are more than 25 billion connected devices in use worldwide now, and that amount is expected to increase to 50 billion by 2020 as consumer goods companies, auto manufacturers, healthcare providers, and other businesses invest in IoT devices, according to the U.S. Federal Trade Commission.
But many of the devices already on the market are not designed with security in mind. Many do not allow consumers to change default passwords on the devices or patch them to prevent vulnerabilities.
The Mirai botnet—and others like it—take advantage of these insecurities in IoT devices. Mirai constantly scans devices for vulnerabilities and then introduces malware to compromise them. Once compromised, those devices scan others and the cycle continues. These devices can then be used by an attacker to launch DDoS attacks, like the one on Dyn.
Some manufacturers have sought to remedy vulnerabilities in their devices by issuing voluntary recalls when they discover that they’ve been used in a botnet attack. But for many other manufacturers, there’s not enough incentive to address the problem and most consumers are unaware of the issue, says Gary Sockrider, principal security technologist at Arbor Networks.
“Consumers are largely unaware. Their devices may be compromised and taking part in a botnet, and most consumers are completely oblivious to that,” he explains. “They don’t even know how to go about checking to see if they have a problem, nor do they have a lot of motivation unless it’s affecting their Internet connection.”
DHS and the U.S. National Institute of Standards and Technology (NIST) both recently released guidance on developing IoT devices and systems with security built in. In fact, NIST accelerated the release of its guidance—Special Publication 800-160—in response to the Dyn attack.
But some experts say more than guidance is needed. Instead, they say that regulations are needed to require IoT devices to allow default passwords to be changed, to be patchable, and to have support from their manufacturers through a designated end-of-life time period.
“The market can’t fix this,” said Bruce Schneier, fellow of the Berkman Klein Center at Harvard University, in a congressional hearing on the Dyn attack. “The buyer and seller don’t care…so I argue that government needs to get involved. That this is a market failure. And what I need are some good regulations.”
However, regulations may not solve the problem. If the United States, for instance, issues regulations, they would apply only to future devices that are made and sold in the United States. And regulations can have other impacts, Sockrider cautions.
“It’s difficult to craft legislation that can foresee potential problems or vulnerabilities,” he explains. “If you make it vague enough, it’s hard to enforce compliance. And if you make it too specific, then it may not have the desired effect.”
Regulations can also drive up cost and hinder development if they are not designed to foster innovation. “Compliance does not equal security, necessarily,” Sockrider says. “Part of compliance may mean doing things to secure your products and services and networks, but there could always be vulnerabilities that aren’t covered…. You’ve got to be careful that you’re covering beyond just compliance and getting to true security as much as possible.”
So, what steps should organizations take in the meantime to reduce the risk of their devices being compromised and used to launch attacks on innocent parties?
If a company already has IoT devices, such as security cameras or access control card readers, in its facilities, the first step is segmentation, says Morey Haber, vice president of technology for security vendor BeyondTrust.
“Get them off your main network,” he adds. “Keep them on a completely isolated network and control access to them; that’s the best recourse.”
If the organization can’t do that and it’s in a highly regulated environment, such as a financial firm subject to PCI compliance, it should replace the devices and reinstall them on a segmented network, Haber says.
Organizations should also change all default user accounts and passwords for IoT devices, Sockrider says. “Disable them if possible. If you can’t, then change them. If you can’t change them, then block them.”
For organizations that are looking to install IoT devices, Haber says they should plan to install them on a segmented network and ask integrators about the security of the devices.
Sample questions include: Do they maintain a service level agreement for critical vulnerabilities? What is the lifespan of the device? How often will patches be released?
“And the last thing that becomes even more critical: What is the procedure for updating?” Haber says. “Because if you have to physically go to each one and stick an SD card in with a binary to do the upload, that’s unfeasible if you’re buying thousands of cameras to distribute to your retail stores worldwide. There’s no way of doing that.”
Organizations should also look at their policies around allowing employees to bring in their own devices to the workplace and allowing them to connect to the network.
For instance, employers should be wary when an employee who brings in a new toaster connects it to the company Wi-Fi without anyone else’s knowledge. “That type of Shadow IT using IoT devices is where the high risk comes from,” Haber explains.
And organizations should also look to see what they can do to block inside traffic from their network getting out.
“Think about it in the reverse; normally we’re trying to keep bad stuff out of our network, but in this case, we want to keep the bad stuff from leaving our network,” Sockrider says. “Because in this case, if an IoT device on your network is compromised, it’s not necessarily trying to attack you, it’s trying to attack someone else and you can be a good citizen by blocking that outbound traffic and preventing it from doing so.”
While companies can take steps to reduce the likelihood that their devices will be compromised by a botnet and used to attack others, attacks—like the Dyn attack—are likely to continue, Malik says.
“We’ll probably only see more creative ways of these attacks going forward,” he explains. “At the moment, it’s primarily the webcams and DVRs, but you’re probably going to see different attacks that are more tailored towards specific devices and maybe even a change of tactics. Instead of going after Dyn…taking down a smaller competitor.”
Malik also says he anticipates that cyber criminals will conduct these more creative attacks through purchasing DDoS as a service, a growing industry over the past few years.
“Some providers are just as good, if not better than, professional legitimate services,” Malik says. “It’s very easy; they offer support. You just go there, you click buy, send the Bitcoins, enter your target, and job done. You don’t even need any technical expertise to do this. It’s very, very convenient.”