IoT Vulnerabilities: Some Thoughts on the Dyn DDoS Attack and Resulting Site Outages
Unless you've been on a desert island for the past few days you've heard by now of the massive Distributed Denial of Service attack that brought many of the Internet's most heavily trafficked sites to their knees last Friday, October 21st. If you're catching up, these articles from Tech Republic and Gizmodo provide good overviews of what we know about the attacks so far, and why DNS infrastructure is so vulnerable - and getting more vulnerable all the time.
The main things to know is that the growing proliferation of cheap, connected Internet of Things devices - webcams, wifi speakers, wearables, the list goes on and on - is making it far easier for cybercriminals to launch massive DDoS attacks. Why? Because many of these devices are shipped with default usernames and passwords, which are never changed by the end user, and so are easily taken over. Earlier in October, the Mirai botnet malware was made public, and it evidently played a role in the Dyn hack. I'll have more to say on IoT vulnerabilities in the future, but some initial thoughts on what we saw last week:
- IoT based attacks are not new and the security vulnerabilities of many devices are well known - the speed and scale of this recent attack will hopefully refocus attention to the identity and security aspects of many device-based deployments for both manufacturers and third party service providers.
- Devices themselves need a baseline set of security principles - no hard coded user names or passwords, transport layer security where possible, update-able firmware (many devices are never updated) and with any computer deployment, have all non-necessary services and ports disabled. With respect to manually accessing the device, default passwords should be changeable upon initial use, with all root or high level administration accounts disabled.
- When it comes to devices accessing a trusted back-end cloud service, the device should receive its credentials, perhaps in the form of a "pin and pair" style relationship with the device owner, using authorization standards such as OAuth2 to receive short-lived access tokens. This can allow for a simple pairing and revocation process, to protect access to the cloud service and the owner's personal information.
IoT vulnerabilities are real, and as botnet based attacks become more frequent individuals and manufacturers need to be aware of the basic attack vectors that exist. In a typical DDoS or botnet style attack, the victim is often not the owner and, in fact, they may not even be aware their device has been exploited by cyber criminals. Yet, as we saw last week, the consequences can be extensive. Manufacturers need to take the necessary steps to protect against these types of attacks which can also be devastating for their brand.