Clear and Present Danger: The IoT DDoS Threat
Mon 14 Nov 2016
Alex Henthorn-Iwane of Kentik contemplates the crossover point between Hollywood sensationalism and real world experience, as it applies to the security – or lack thereof – of IoT devices…
I was a pretty big fan of Tom Clancy spy novels. Of course, like all fiction novels, you have to suspend your disbelief. One of my favorite novels was The Sum of All Fears, featuring a storyline in which a jettisoned Israeli nuclear weapon – which was somehow never the subject of a recovery attempt – is allowed to ultimately get smuggled into the U.S. and detonated at the Superbowl. In Denver.
When you put it like that, it just seems so far-fetched. The level of negligence required to make that plot plausible is really astounding.
However, the internet has managed a similar feat in the real world. Consider that somehow we’ve allowed a nearly “nuclear” level of power to be smuggled into the digital economy through years of negligence. In this plot, millions of IoT devices were shipped worldwide with hard-coded security vulnerabilities, seemingly tailor-made to be exploited by bad actors, and now manifest in the news as a dark army of botnet hordes unleashing massive attacks on the critical junctures of our online economy.
Tom Clancy would have been proud to write this story. Sadly, we are living it.
Stranger than fiction
For those who don’t zealously follow cyber-attack news, a clarion wake-up call to the IoT botnet threat sounded on Friday, October 21st, when a massive distributed denial of service (DDoS) attack was leveled against Dyn, a provider of managed Domain Name Service (DNS) services.
DNS is the function on the internet that translates human-readable website names like amazon.com into machine-readable numerical internet addresses. Pummeled by several hundred Gigabits per second of traffic, the Dyn service went down multiple times.
This in turn essentially turned off access for millions of users to brand-name websites like Twitter, Spotify, PayPal, GitHub, CNN and the New York Times. Aside from the inconvenience, tens if not hundreds of millions of dollars of e-commerce transactions were disrupted.
Subsequent analyses revealed that at least 100,000 compromised IoT devices – many of them net-connected DVRs linked to security cams – were part of the attacking botnet. Was this a brand new, never-before-seen, sinister exploit that took experts by surprise? Hardly; and that’s what makes this as much a tale of human negligence as of hacker ingenuity.
Security and network experts have known, tracked and warned about the IoT botnet threat for years. And worse, the root cause is, in some sense, so stupefyingly dumb that it belongs in pulp fiction.
Let’s tell the IoT botnet story, spy novel style.
A storm brewing
The internet is stable and pumping billions of dollars in commerce every day. The head of a major corporation signs a multi-million dollar deal to move the company’s super-profitable, multi-billion dollar a year e-commerce website to “the cloud” – a collection of massive data centers maintained in cyberspace by the leading online company – let’s call that company ‘Micrazon’.
When he pauses to ask the sales executives gathered in his conference room if the site is safe against attack, they assure him that they are completely redundant and partner with all the best service providers; that there’s nothing to worry about. He signs and they go out to a steak dinner, followed by a drunken escapade that is captured on smartphones for leverage by the sales team.
An italicized, cryptic-seeming online burst of communications starts between several parties in a hacker forum, where someone with an anime-hero-sounding avatar starts sharing details of a new exploit with her associates…
Meanwhile, in Silicon Valley, Tel Aviv and Shenzhen, three separate corporate R&D teams race to innovate and seize the lead in the next online gold rush. Their secret? IoT devices – so called because consumers and businesses believe in the goodness of the internet and trust it implicitly.
Therefore, these teams (and hundreds like them around the world) know that consumers are now ready to attach normal, everyday “things” like light bulbs, door locks, cars, refrigerators and security cams to the internet for the convenience of instant communications and cloud-based monitoring hosted – coincidentally – by Micrazon (I know, I know but roll with it).
At the Silicon Valley startup, a lone security engineer runs breathlessly between cubicles to a critical planning meeting with a dire warning: the software about to be released in millions of devices has a fatal flaw that opens the devices to becoming colonized into massive botnets by criminals and, worse, nation-state actors.
That fatal flaw? The innocent-seeming default username and password: admin, admin. He warns in no uncertain terms that if left exploitable, the company’s devices could become the fodder for an economically crippling cyber-attack.
Marketing stares him down and puts him in his place, saying that unless the devices are user-friendly, nobody will buy them. That, and every other manufacturer is doing things this way. But he’s overruled, and the devices start rolling off the lines, through stores and into millions of homes and businesses.
The hacker forum dialogue picks up where we read that they’re reporting initial success – “We’ve colonized the first thousand.” “How many by next month?” “Ten thousand, easy.” “When we reach a million, we strike.” “What should we call our malware?” “Let’s call it Mirai…“
The quiet army
A short snippet is inserted about a former Delta Force/CIA agent, now improbably retired from ‘the game’, and a small business owner, who installs a new security cam and accompanying DVR. He’s the only person on the planet to change his username and password, and he also enables a super-sophisticated, home-coded, white hat, magical cyber-debugging device that couldn’t possibly exist and that leverages a backdoor into…wait for it…Micrazon.
The security engineer is beyond frustrated, considers quitting, but decides to contact peers, write blogs, speak at conferences on his findings about ‘Mirai’, ‘bashlite’ and other competing botnet-herding malware that are exploiting known username/password vulnerabilities that are being universally shipped by manufacturers – one where the vulnerable credentials can’t even be changed because they’re hard-coded!
Plenty of peers agree with him, but nobody with any power seems to listen.
At a later conference, a researcher announces a startling finding: IoT botnets have now colonized a million devices.
The corporate CEO from the beginning of the novel is enjoying a nice holiday with his family somewhere tropical with barely any connectivity, when he’s called on a spotty mobile phone connection by a panicking lieutenant with news: the e-commerce site is totally down, has been for hours, and losses are racking up so high that the company’s upcoming earnings report will be materially affected.
We’ve essentially littered the digital economy with weapons that can all be aimed remotely in concert against us
He loses the connection and tries to dial out to reach his board, but his mobile connection is disrupted by the same massive, global DDoS attack that took down the website, because the mobile provider hosts its key gateway servers in Micrazon, and Micrazon is out of service because a vulnerable, non-redundant component is under withering attack from “Zigabits” of DDoS traffic. He collapses with a massive heart attack and the scene fades as his wife screams for help.
This is the point at which the security engineer, who conveniently met the former CIA agent at one of those conferences, makes contact and the hero action music starts playing and the good guys start typing really, really fast.
Ex-CIA guy magically can both detect exactly who and where the attackers are, access and rapidly troubleshoot the insides of Micrazon – even though that multi-billion-dollar web company’s crack team can’t figure things out.
He can also leverage his old CIA buddies to effect a lightning-quick Seal Team 6 raid on seven different locations across the globe within 6.41 hours, and before the stock market comes unglued the next morning and western civilization collapses.
The day is saved, and the president issues an executive order to have the CIA backwards-compile fixes for the jillions of already sold IoT devices across the planet. The hackers are in a hidden jail cell underneath the surface of the moon, literally cut off from any possible internet signal. (Okay, so I went a little far with that last one)
Seem far-fetched? The thing is, the security aspect of this fable is true. All those IoT devices *have* been shipped with default credentials that were tailor-made to be exploited, and they have been compromised by the millions by Mirai, bashlite and other malware that use dictionaries of brain-dead username/password combos to login and take over.
But there’s no magical fix. Ironically the Online Trust Association recently said that the Dyn DDoS attack could have been easily avoided if IoT devices had been shipped with a non-numbskull level of security. Oops.
So, we’ve essentially littered the digital economy with weapons that can all be aimed remotely in concert against us. Congratulations, internet, on achieving a Clancy-like narrative – and welcome to the age of IoT botnets. It’s nearly a certainty that we’ll see more of these mega attacks. After all, IoT botnets launched multiple other attacks as big, or bigger than the Dyn attack in October of this year alone.
What’s to be done? At this point, the real decision lies in the lap of industry, unless it wants to wait for things to get so bad that politicians jump in, which might create a highly sub-optimal “solution”.
Creating a highly visible consumer standard that vouches for the cyber-security of IoT devices could help. And, internet providers can deal with easily corrected poor practices that allow hackers to communicate with fake internet addresses and thereby maintain anonymity.
There’s no magic fix, but there are practical steps available to respond to this clear and present danger. Time to take this ridiculous plot in a new and more positive direction.