Millions of unsecured connected devices, part of the Internet of Things (IoT), were responsible last Friday for collapsing the DNS servers that connect a significant part of the Internet in the US, making sites such as Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix unusable for several hours.
Probably one of the most discussed topics over the weekend was the Distributed Denial of Service (DDoS) attack on the DNS provider Dyn on Oct. 21. Many were initially pointing the finger at a hacker-organized operation backed by a foreign superpower. Others believed it was a coordinated effort by protest groups around the world working in concert.
The success of the DDoS attack, however, was linked to the use of low-tech connected devices, part of the rising number of IoT devices, such as connected appliances, thermostats, and baby monitors. Researchers have identified the source of most of the malicious traffic as coming from devices such as webcams and DVRs.
Many of those devices are manufactured in China, by makers that are more concerned about their bottom line than offering safety and security. In some cases, they install the basic code supplied by the chipset manufacturer without debugging it or checking if there is a newer version available.
Researchers at Flashpoint, an Intel security company, have linked part of Friday’s DDoS attack to a Chinese firm called XiongMai Technologies, which in response announced today a recall of some of its devices sold in the US. According to The Guardian, “The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year.”
XiongMai components are widely sold to vendors who use them in IP cameras and digital video recorders. Flashpoint says some of those components could already have been infected with basic malware functionality before going on the market. XiongMai, however, said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches.
Nowadays, everyone is rushing to connect everything to the Internet, pushing the growth of IoT devices exponentially. We now have smart meters, smart refrigerators, smart thermostats, smart shower heads, smart toasters, etc., and companies are racing to make any new product “smart”.
Cisco projects the number of such devices will triple to about 50 billion by 2020, up from 15 billion today. Ericsson suggests a more conservative 28 billion, while Intel predicts the number will reach 200 billion in the same time frame.
Typical connected devices such as laptops, smartphones, tablets, and most wearables have different levels of security and receive regular updates to fix vulnerabilities that hackers can exploit. We are used to seeing notifications telling us to update our smartphone’s operating system or the basic firmware on our FitBit. The same happens with the hardware and software in our cars and other high-end devices.
But when it comes to the baby monitor we bought a couple of years ago, or the DVR we use to record our favorite shows, chances are the firmware is still the same, the password has never been changed, and anyone can log in if they know the IP address. Basically, we just wanted the camera and the DVR to work and, as soon as we had them running, we were happy to leave them alone. A basic check on Amazon’s list of most popular baby monitors shows the default password of most of them is 12345678.
There are many stories about people logging into someone else’s baby monitor, which has spurred some parents to make the effort to change the device’s default password, but not the majority. And of course, baby monitors are not the only connected devices we have at home.
Most connected devices have some elementary computing power and are designed to connect to WiFi and perform basic functions. In fact, some of the latest devices can be programmed to store videos on a smartcard or convert them to YouTube compatible formats. While some IoT devices have the same or more computing power than early versions of smartphones, they lack the security of more sophisticated devices.
While some industries, such as automotive, have awakened to the dangers of not securing their IoT components, the home market is full of devices with basic or no security at all.
There are several ways to compromise a “smart” home appliance. Mirai, one of the most popular pieces of “open-source” malware used for DDoS attacks, could be easily installed on many IoT devices. It has a built-in dictionary of common passwords that can be used to hijack home devices and convert them into nodes for a scheduled attack.
What last Friday’s DDoS attack has shown is that hackers do not need thousands of sophisticated servers or powerful computers to collapse the internet. A very basic connected device can be programmed to send a massive number of DNS requests, and millions of those devices are out there waiting for instructions.
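On the defensive side, a device that starts sending DNS requests in bulk stands out in a local resolver's query log. The following is an added example, not part of the original article: it flags clients whose query count in a sliding window exceeds a threshold. The log format (`epoch_ms client_ip qname`), the addresses, the window and the threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def parse_line(line):
    """Parse 'epoch_ms client_ip qname'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return int(parts[0]), parts[1], parts[2].lower().rstrip(".")
    except ValueError:
        return None

def flag_noisy_clients(lines, window_ms=10_000, max_queries=100):
    """Return {client_ip: peak queries seen in any window_ms span} for
    clients whose peak exceeds max_queries. Assumes time-ordered input."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ts, client, _qname = rec
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()  # drop queries that fell out of the window
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n > max_queries}

def constructed_log():
    """Constructed sample: a laptop querying every 5 s and a DVR querying
    every 20 ms for 30 s, merged in time order, plus one malformed line."""
    records = [(1_000_000 + i * 5_000, "192.168.1.20", "www.example.com")
               for i in range(12)]
    records += [(1_000_000 + i * 20, "192.168.1.77", f"r{i}.example.net")
                for i in range(1500)]
    records.sort()
    lines = [f"{ts} {ip} {name}" for ts, ip, name in records]
    lines.append("truncated entry")  # malformed on purpose
    return lines

if __name__ == "__main__":
    for ip, n in flag_noisy_clients(constructed_log()).items():
        print(f"{ip}: peak {n} queries in 10 s")
```

The threshold needs tuning against normal traffic on the network in question; a flagged address is a prompt to inspect that device's firmware and credentials, not proof of compromise.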
How can we avoid that? What we need on the supply chain side is some kind of standard certification of the security of home connected devices. In the same way you can’t use some apps with early versions of operating systems, we shouldn’t allow devices to connect to the network if they are not certified to be secure.