Share this
by Reflare Research Team on May 7, 2021 6:09:00 PM
The increasing scale and flexibility of DDoS attacks should be a wake-up call for IoT manufacturers as such breaches become more prevalent in both consumer and industrial automation systems. But who will be able to resolve the challenge of providing security for these devices as they continue to grow in popularity?
First Published 26th October 2016 | Latest Refresh 7th May 2021
“Why does the IoT Design Team know nothing about security?!?”
4 min read | Reflare Research Team
A Significant Issue
On October 21, 2016 at approximately 12:10 UTC, Dyn, one of America’s largest DNS providers and a crucial part of the internet infrastructure, was the target of a massive cyber-attack. This attack consisted of a Distributed Denial of Service (DDoS) using “Mirai” malware-based botnet consisting of hundreds of thousands of compromised devices.
This botnet successfully targeted Dyn with an HTTP flood and Domain Name System amplification attack. This subsequently caused widespread outages not only on all the sites hosted by Dyn, but also on places where those sites relied on third-party services such as Twitter, Spotify, Airbnb, Reddit and The New York Times, making this one of the largest DDoS attacks in history.
DNS is the system which translates human-readable domain names such as “google.com" into machine-usable IP addresses such as “74.125.200.139”. In addition to general DNS hosting services, Dyn also offers so-called “Dynamic DNS” services where domain names point to frequently changing IPs belonging to private home networks or workstations.
Now it is important to note that the DDoS attack did not actually stop most of the affected services from operating. It merely made them unavailable to the average user. To borrow a metaphor, imagine a world where Google suddenly stopped working. The vast majority of users would not be able to access even the services they use regularly without using Google to look up the right URL, let alone find out where new services might be located.
Similarly, with parts of the DNS system unavailable, URLs typed into browsers could not be resolved into machine-usable IP addresses, meaning the serves could not be reached.
You've Been Warned
As we warned in a prior research brief, attacks against central internet infrastructure, such as the DNS system, are bound to happen and escalate over time. We predict that, ultimately, this will lead to the replacement of the current central infrastructure with decentralised systems. However, no widely accepted distributed alternative to DNS exists at this point in time. For a system so critical to the operation of the internet, it will take some time to find a replacement, even if the political will can be mustered.
With the benefit of hindsight, alas, the attack on Dyn did not seem to have the impact required to trigger such radical change. It is startling that many of the deficiencies that led to this attack still exist today.
What is notable about the attack is that it appears to originate from the so-called Mirai botnet. This botnet mainly targets insecure or poorly configured Internet of Things (IoT) devices such as smart locks, coffeemakers, cleaning robots, light bulbs or surveillance cameras.
Experts have warned against the dangers of poorly designed smart devices for almost 15 years, but it took until 2016 for the impacts to become obvious. Today, most IoT devices are designed by relatively small teams with more experience in lock-, camera- or coffeemaker-design rather than programming. Not only do these teams often lack dedicated security staff altogether, but many of them also have little-to-no awareness of how their design decisions shape and impact the attack surface of their products.
But hey, if you don’t upskill your IoT teams on IT security, what is the worst that could happen with a hacked coffeemaker?
In a traditional sense, not much. The coffee maker does not store critical business or private information. Spilling coffee or leaking the favourite blend preferences of its owner is hardly the end of the world.
Please... choose your coffeemaker wisely.
The Value of Access
However, control over the coffeemaker nets the attacker something much more valuable: Access to the victim’s home network. From there, other devices such as PCs and Smartphones can be attacked much more easily. Worse yet, the bandwidth of the household’s internet connection can be commandeered from the hacked device.
The Mirai botnet used this to its advantage. To block a DDoS attack, an identifying characteristic of the attack traffic such as a country of origin or previous malicious behaviour has to be identified. Since the IP addresses from which the malicious traffic originated were spread across the globe and belonged to otherwise harmless individuals, it was virtually impossible for Dyn to block out the attack.
The liability for such an attack ultimately falls back on the leaders of the IoT product companies, and their design teams.
To not address this skills gap is at the company’s own reputational, legal and financial peril. Good infosec talent in the majority of organisations are already overworked with no shortage of executive demands, business-critical issues and operational requests that demand their immediate attention. This often leaves IoT design teams to ‘work it out’ for themselves without the skills even to know where to start. The quality of your IoT designers matters, and there is a very strong case for organisations that design, manufacture or rely on IoT to invest in the development of their designer’s IT security capabilities.
We expect to see many more attacks like this in the future. Organisations are advised to maintain internal DNS servers with a reasonable cache of previously requested records to ensure that operations can continue even during a DNS outage. However, this vulnerability is not the only exploit you need to address. Learn how to mitigate the risks of specific attacks before you find yourself in crisis mode by checking out our research briefs on related topics.