Share this
Even More Evidence to Show Us the Dangers of Poorly Designed Smart Devices
by Reflare Research Team on May 7, 2021 6:09:00 PM
The increasing scale and flexibility of DDoS attacks should be a wake-up call for IoT manufacturers as such breaches become more prevalent in both consumer and industrial automation systems. But who will be able to resolve the challenge of providing security for these devices as they continue to grow in popularity?
First Published 26th October 2016 | Latest Refresh 7th May 2021
“Why does the IoT Design Team know nothing about security?!?”
4 min read | Reflare Research Team
A Significant Issue
On October 21, 2016 at approximately 12:10 UTC, Dyn, one of America’s largest DNS providers and a crucial part of the internet infrastructure, was the target of a massive cyber-attack. This attack consisted of a Distributed Denial of Service (DDoS) using “Mirai” malware-based botnet consisting of hundreds of thousands of compromised devices.
This botnet successfully targeted Dyn with an HTTP flood and Domain Name System amplification attack. This subsequently caused widespread outages not only on all the sites hosted by Dyn, but also on places where those sites relied on third-party services such as Twitter, Spotify, Airbnb, Reddit and The New York Times, making this one of the largest DDoS attacks in history.
DNS is the system which translates human-readable domain names such as “google.com" into machine-usable IP addresses such as “74.125.200.139”. In addition to general DNS hosting services, Dyn also offers so-called “Dynamic DNS” services where domain names point to frequently changing IPs belonging to private home networks or workstations.
Now it is important to note that the DDoS attack did not actually stop most of the affected services from operating. It merely made them unavailable to the average user. To borrow a metaphor, imagine a world where Google suddenly stopped working. The vast majority of users would not be able to access even the services they use regularly without using Google to look up the right URL, let alone find out where new services might be located.
Similarly, with parts of the DNS system unavailable, URLs typed into browsers could not be resolved into machine-usable IP addresses, meaning the serves could not be reached.
You've Been Warned
As we warned in a prior research brief, attacks against central internet infrastructure, such as the DNS system, are bound to happen and escalate over time. We predict that, ultimately, this will lead to the replacement of the current central infrastructure with decentralised systems. However, no widely accepted distributed alternative to DNS exists at this point in time. For a system so critical to the operation of the internet, it will take some time to find a replacement, even if the political will can be mustered.
With the benefit of hindsight, alas, the attack on Dyn did not seem to have the impact required to trigger such radical change. It is startling that many of the deficiencies that led to this attack still exist today.
What is notable about the attack is that it appears to originate from the so-called Mirai botnet. This botnet mainly targets insecure or poorly configured Internet of Things (IoT) devices such as smart locks, coffeemakers, cleaning robots, light bulbs or surveillance cameras.
Experts have warned against the dangers of poorly designed smart devices for almost 15 years, but it took until 2016 for the impacts to become obvious. Today, most IoT devices are designed by relatively small teams with more experience in lock-, camera- or coffeemaker-design rather than programming. Not only do these teams often lack dedicated security staff altogether, but many of them also have little-to-no awareness of how their design decisions shape and impact the attack surface of their products.
But hey, if you don’t upskill your IoT teams on IT security, what is the worst that could happen with a hacked coffeemaker?
In a traditional sense, not much. The coffee maker does not store critical business or private information. Spilling coffee or leaking the favourite blend preferences of its owner is hardly the end of the world.
Please... choose your coffeemaker wisely.
The Value of Access
However, control over the coffeemaker nets the attacker something much more valuable: Access to the victim’s home network. From there, other devices such as PCs and Smartphones can be attacked much more easily. Worse yet, the bandwidth of the household’s internet connection can be commandeered from the hacked device.
The Mirai botnet used this to its advantage. To block a DDoS attack, an identifying characteristic of the attack traffic such as a country of origin or previous malicious behaviour has to be identified. Since the IP addresses from which the malicious traffic originated were spread across the globe and belonged to otherwise harmless individuals, it was virtually impossible for Dyn to block out the attack.
The liability for such an attack ultimately falls back on the leaders of the IoT product companies, and their design teams.
To not address this skills gap is at the company’s own reputational, legal and financial peril. Good infosec talent in the majority of organisations are already overworked with no shortage of executive demands, business-critical issues and operational requests that demand their immediate attention. This often leaves IoT design teams to ‘work it out’ for themselves without the skills even to know where to start. The quality of your IoT designers matters, and there is a very strong case for organisations that design, manufacture or rely on IoT to invest in the development of their designer’s IT security capabilities.
We expect to see many more attacks like this in the future. Organisations are advised to maintain internal DNS servers with a reasonable cache of previously requested records to ensure that operations can continue even during a DNS outage. However, this vulnerability is not the only exploit you need to address. Learn how to mitigate the risks of specific attacks before you find yourself in crisis mode by checking out our research briefs on related topics.
Share this
- December 2024 (1)
- November 2024 (1)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (1)
- April 2024 (2)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- June 2023 (2)
- May 2023 (2)
- April 2023 (3)
- March 2023 (4)
- February 2023 (3)
- January 2023 (5)
- December 2022 (1)
- November 2022 (2)
- October 2022 (1)
- September 2022 (11)
- August 2022 (5)
- July 2022 (1)
- May 2022 (3)
- April 2022 (1)
- February 2022 (4)
- January 2022 (3)
- December 2021 (2)
- November 2021 (3)
- October 2021 (2)
- September 2021 (1)
- August 2021 (1)
- June 2021 (1)
- May 2021 (14)
- February 2021 (1)
- October 2020 (1)
- September 2020 (1)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (2)
- March 2020 (1)
- February 2020 (1)
- January 2020 (3)
- December 2019 (1)
- November 2019 (2)
- October 2019 (3)
- September 2019 (5)
- August 2019 (2)
- July 2019 (3)
- June 2019 (3)
- May 2019 (2)
- April 2019 (3)
- March 2019 (2)
- February 2019 (3)
- January 2019 (1)
- December 2018 (3)
- November 2018 (5)
- October 2018 (4)
- September 2018 (3)
- August 2018 (3)
- July 2018 (4)
- June 2018 (4)
- May 2018 (2)
- April 2018 (4)
- March 2018 (5)
- February 2018 (3)
- January 2018 (3)
- December 2017 (2)
- November 2017 (4)
- October 2017 (3)
- September 2017 (5)
- August 2017 (3)
- July 2017 (3)
- June 2017 (4)
- May 2017 (4)
- April 2017 (2)
- March 2017 (4)
- February 2017 (2)
- January 2017 (1)
- December 2016 (1)
- November 2016 (4)
- October 2016 (2)
- September 2016 (4)
- August 2016 (5)
- July 2016 (3)
- June 2016 (5)
- May 2016 (3)
- April 2016 (4)
- March 2016 (5)
- February 2016 (4)