IoT Vulnerabilities: Some Thoughts on the Dyn DDoS Attack and Resulting Site Outages

Unless you've been on a desert island for the past few days you've heard by now of the massive Distributed Denial of Service attack that brought many of the Internet's most heavily trafficked sites to their knees last Friday, October 21st. If you're catching up, these articles from Tech Republic and Gizmodo provide good overviews of what we know about the attacks so far, and why DNS infrastructure is so vulnerable - and getting more vulnerable all the time.

The main things to know is that the growing proliferation of cheap, connected Internet of Things devices - webcams, wifi speakers, wearables, the list goes on and on - is making it far easier for cybercriminals to launch massive DDoS attacks. Why? Because many of these devices are shipped with default usernames and passwords, which are never changed by the end user, and so are easily taken over. Earlier in October, the Mirai botnet malware was made public, and it evidently played a role in the Dyn hack. I'll have more to say on IoT vulnerabilities in the future, but some initial thoughts on what we saw last week:

  • IoT based attacks are not new and the security vulnerabilities of many devices are well known - the speed and scale of this recent attack will hopefully refocus attention to the identity and security aspects of many device-based deployments for both manufacturers and third party service providers.
  • Devices themselves need a baseline set of security principles - no hard coded user names or passwords, transport layer security where possible, update-able firmware (many devices are never updated) and with any computer deployment, have all non-necessary services and ports disabled. With respect to manually accessing the device, default passwords should be changeable upon initial use, with all root or high level administration accounts disabled.
  • When it comes to devices accessing a trusted back-end cloud service, the device should receive its credentials, perhaps in the form of a "pin and pair" style relationship with the device owner, using authorization standards such as OAuth2 to receive short-lived access tokens. This can allow for a simple pairing and revocation process, to protect access to the cloud service and the owner's personal information.

IoT vulnerabilities are real, and as botnet based attacks become more frequent individuals and manufacturers need to be aware of the basic attack vectors that exist. In a typical DDoS or botnet style attack, the victim is often not the owner and, in fact, they may not even be aware their device has been exploited by cyber criminals. Yet, as we saw last week, the consequences can be extensive. Manufacturers need to take the necessary steps to protect against these types of attacks which can also be devastating for their brand. 

Learn more about how identity can help you to secure the IoT.

Who Is Simon Moffatt?

Who’s Simon? Simon is a technical product dude here at ForgeRock. He has 16 years working in the identity game at companies like Oracle, Sun Microsystems, and Vaau. At ForgeRock, he helps to design new products - specifically in the Access Management space. Not only is he ambidextrous, but he can design with both hands...oh wait.

Recent Posts:

Zero Trust and Identity: Evolving from Castles to Cities

The common analogy for protecting computer networks has typically been that of the castle, complete with big walls and surrounding moat. Though this is a good one, the growth and innovation in security technology, including the Zero Trust Model, add complexities.

Augment Your Legacy IAM

Have you ever run into a situation where you know exactly what you have to do to solve the problem but can’t do it?

Modernize IAM for Government: A Real World Example

I recently had the chance to do a podcast with my friend and colleague Tommy Cathey, ForgeRock RVP of Public Sector. Tommy and I have worked together for years, and I am thrilled that he is bringing his deep public sector knowledge to ForgeRock (and this podcast).