Back in the latter half of 2016, the website of a security advisor, Brian Krebs, came under an extreme DDoS (distributed denial of service) attack. His website was subsequently taken offline after receiving 620-665 Gbps (gigabits per second) of malicious traffic. This was, at the time, the largest attack ever witnessed and was thought to be in retaliation for his research at the time into DDoS gangs.
Akamai, as his service provider, fought for 3 days to mitigate the attack, after which they indicated that, although the mitigation had been successful, continuing to absorb the attack was simply becoming too costly for them. As Krebs was a pro-bono customer, they informed him that they were no longer in a position to support him. After sink-holing his website at his request (redirecting it to localhost), the storm blew itself out. Krebs is quoted as saying that he does not fault Akamai at all for their position: the kind of protection Akamai had been giving him would normally cost $150 000 – $200 000 per year.
The attackers had thrown the book at him – running through a whole gamut of attacks including SYN/FIN floods (connection setup and teardown requests) and GET/POST floods (requests for web pages). Such attacks are regarded as shaped rather than reflection attacks: the malicious traffic was generated directly by the source devices rather than being bounced off some poor, unsuspecting device somewhere on the Internet.
An Akamai spokesperson told the technical website “The Register” that they believed a significant proportion of the attack came from compromised IoT (Internet of Things) devices. These devices had been commandeered by a worm called “Mirai” to form a large botnet (a network of compromised devices) that could be hired out to attack almost anyone.
The IoT devices ranged from wireless routers to security cameras – all vulnerable due to poor security practices baked into their operating systems. Some made use of hard-coded admin usernames and passwords and others failed to properly validate that incoming web requests had the correct authorisation to perform the tasks they were requesting. Some had ports open to the internet that should only be visible from inside a secure network. Others had a combination of these flaws.
Since many makes of device are just re-brands of the same underlying hardware and firmware, a single discovered flaw can create a very large attack surface. It remains the responsibility of the manufacturers to write secure applications and put preventative measures in place so that their devices are secure by default.
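To make the three flaws concrete, here is an added illustration (not code from the article or from any device vendor): a toy model of an IoT device's admin web handler in its vulnerable form beside a hardened form that adds one check per flaw. All session tokens, action names and the `iface` field are constructed for this example.

```python
import secrets

# Constructed action sets and session store for the example.
ADMIN_ACTIONS = {"reboot", "set_dns", "firmware_upload"}
USER_ACTIONS = {"view_status"}
SESSIONS = {
    "tok-user": {"role": "user"},    # an ordinary logged-in user
    "tok-admin": {"role": "admin"},  # the device administrator
}


def new_factory_password() -> str:
    """Per-device random credential generated at first boot, instead of
    one admin password baked into every unit of the product line."""
    return secrets.token_urlsafe(12)


def vulnerable_handle(request, sessions=SESSIONS):
    """Flawed pattern: any live session may run any action, the factory
    credential is never forced to change, and the handler does not care
    whether the request arrived on the LAN or the Internet-facing side."""
    token = request.get("cookies", {}).get("session")
    if token not in sessions:
        return 401, "login required"
    return 200, f"executed {request['action']}"


def hardened_handle(request, sessions=SESSIONS, state=None):
    """Hardened pattern, one check per flaw named above: management only on
    the LAN interface, factory password replaced before admin use, and the
    action authorised against the session's role, not just its existence."""
    if state is None:
        state = {"password_changed": False}      # secure-by-default state
    if request.get("iface") != "lan":
        return 403, "management interface is not exposed on WAN"
    token = request.get("cookies", {}).get("session")
    session = sessions.get(token)
    if session is None:
        return 401, "login required"
    action = request["action"]
    allowed = set(USER_ACTIONS)
    if session["role"] == "admin":
        allowed |= ADMIN_ACTIONS
    if action not in allowed:
        return 403, "not authorised for this action"
    if action in ADMIN_ACTIONS and not state["password_changed"]:
        return 403, "factory password must be changed before admin use"
    return 200, f"executed {action}"
```

Run the two handlers on the same request (a plain user session asking for `reboot` from the WAN side) to see the vulnerable one execute it and the hardened one refuse.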
Krebs noted in a recent blog post that U.S. lawmakers have introduced a bill that would set baseline security standards for government purchase and use of Internet-connected devices. We hope that the requirements laid out therein will force manufacturers to secure their devices before unleashing them on an unsuspecting public. With IoT becoming more pervasive, both the likelihood and the consequences of a security breach become much more severe.
Some examples: imagine taking over a bank’s cameras, profiling its day-to-day operations and striking when it is most vulnerable, then erasing all evidence of the robbery.
Cars become connected to the Internet, sending and receiving data on traffic, sending telemetry back to manufacturers for fault analysis, whilst being aware of cars around them and warning them of their driver’s intentions. Then, an unauthorised party takes control of the car’s computer, causing it to crash, or spies on people through onboard hands-free phone kits, or learns of the driver’s location and habits – uncovering where they live and robbing them when they are out.
The possibilities are endless. Let’s hope IoT does not shape up to be the Internet of Trouble.