We knew it was coming, we knew it would be bad, and we also knew it would be stupid. But just how bad and stupid the Internet of Things has become in its short life has surpassed even the most outrageously pessimistic predictions.
Anyone who has been paying any kind of attention to IoT security, such as it is, has known for years that the vast majority of embedded or allegedly smart devices are terrifically insecure. It’s beyond cliche at this point to make fun of IoT security (although it’s also quite satisfying). So when a botnet comprised largely of Internet-connected rose up last week and DDoS-ed DNS provider Dyn into oblivion for several hours, many observers in the security community kind of shrugged and nodded.
The Mirai botnet has been operating for several months and already had been used in several major DDoS attacks prior to the one that hit Dyn on Oct. 21, and researchers knew it was capable of producing tremendous volumes of attack traffic. But the previous attacks had targeted individual sites, so the damage was somewhat limited. The attack on Dyn was a different animal, taking out a major provider of DNS and traffic management services. That had the effect of knocking many major sites, including Twitter, Reddit, and others, offline for several hours.
It’s beyond cliche at this point to make fun of IoT security.
“On Friday October 21, 2016 at approximately 11:10 UTC, Dyn came under attack by a large Distributed Denial of Service (DDoS) attack against our Managed DNS infrastructure in the US-East region. Customers affected may have seen regional resolution failures in US-East and intermittent spikes in latency globally. Dyn’s engineers were able to successfully mitigate the attack at approximately 13:20 UTC, and shortly after, the attack subsided. At roughly 15:50 UTC a second DDoS attack began against the Managed DNS platform. This attack was distributed in a more global fashion. Affected customers may have seen intermittent resolution issues as well as increased global latency. At approximately 17:00 UTC, our engineers were again able to mitigate the attack and service was restored,” Dyn said in a statement on the attacks.
Little about this incident is new or inventive. Attackers have been targeting ISPs, hosting providers, and DNS providers for a long time, and they’ve shown that they will use whatever resource they have available to get the job done. Mirai just happens to be the new kid on the block in that regard. What’s interesting is how one of the parties involved responded to the attack.
Many of the devices recruited into the Mirai botnet include components made by XiongMai Technologies, a Chinese manufacturer. The company has responded by recalling some of those devices, including CCTV cameras, that have been compromised by Mirai and used in the attacks. That recall will have approximately zero effect on the victims using these devices or the attackers running the Mirai botnets. If you’re using an Internet-connected surveillance camera, it’s because you want to surveil something remotely. Are you going to take those cameras offline, pack them up, and ship them back to the manufacturer? Unlikely. The recall is probably designed mostly to get the vulnerable devices off shelves so more customers don’t but them, but that still doesn’t matter much given that the botnet already is out here kicking in doors.
Security teams know how to clean up a normal botnet, but disinfecting and patching compromised IoT devices is much more complicated. A lot of those devices are in hard-to-reach places and their owners are reticent to patch them even when vendors make fixes available, which is rare. Users and vendors both see these devices as somewhat disposable, so patching them isn’t exactly a priority. And building security into them during the design process isn’t high on the list either, obviously.
Those facts may change eventually, but right now there’s little to no incentive for vendors to find religion on this issue, especially without any pressure from regulators or users. Securing connected devices is difficult enough when you’re actually trying; it’s virtually impossible when you’re not trying at all.