On October 21st, Dyn, a provider of domain name services (DNS), an essential function of the Internet that translates names like www.schellmanco.com to its numerical IP address, went offline after a significant distributed denial of service (DDoS) attack affected Dyn’s ability to provide DNS services to major Internet sites like Twitter, Spotify, and GitHub. Initial analysis showed that the DDoS attack made use of Mirai, malware that takes control of Internet of Things (IoT) devices for the purposes of directing Internet traffic at the target of the DDoS attack. Commonly referred to as botnets, these networks of compromised devices allow for the distributed version of denial of service attacks; the attack traffic occurs from a broad span of Internet addresses and devices, making the attack more powerful and more difficult to contain.
Mirai is not the first malware to target IoT devices for these purposes, and security researchers have found numerous security vulnerabilities in all manner of IoT devices, including cameras, kitchen appliances, thermostats, and children’s toys. The author of the Mirai code, however, published the full source code online, allowing attackers with only a modicum of technical capability to make use of it to hijack IoT devices and create potentially significant DDoS attacks, but the core of the issue remains the fundamental insecurities of IoT devices.
While IoT device manufacturers might face complicated security challenges from working in new environments or with the kinds of hardware or software constraints not seen on desktop systems or consumer mobile devices, the reality, at least for now, is that IoT devices have the kinds of security weaknesses that the rest of the Internet learned about 20 years ago, primarily default administrative accounts, insecure remote access, and out-of-date and vulnerable software components. Researchers have found that they can remotely control IoT devices, such as baby monitors or even automobiles, extract private data from the mobile apps used to interface with devices, or cause damage to other equipment the IoT device controls, such as harming a furnace by toggling the thermostat on and off repeatedly.
Ultimately, defending against DDoS attacks has a few components. ISPs and carriers bear some responsibility to identify these kinds of attacks and take the actions that only they can take. Security and Internet services like Dyn or companies that provide DDoS mitigation will need to scale up their capabilities to address greater orders of magnitude in the attacks they could face. But for IoT-based botnet attacks, the lion’s share of responsibility falls on IoT device manufacturers, who have a lot of catching up to do on good security practice for the devices and applications that they provide.
About the Author
Jacob Ansari is a Manager at Schellman. Jacob performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.More Content by Jacob Ansari