On Friday, October 21, the Internet slowed to a crawl. A new botnet attack, called Mirai, executed a distributed denial-of-service (DDoS) attack against DNS provider Dyn. The result impacted service for some of the Web’s highest profile brands. This event was the largest known DDoS attack to date.
What makes this attack very different from others is that Mirai used consumer IoT devices to launch the attack rather than desktops, laptops, and servers. In this case, DVRs and security cameras were infiltrated and subsequently used as the platform for the attack. While you were at work, your DVR may have been busy bringing the Internet to its knees.
The loose translation of Mirai is “future” in Japanese. Years of theories speculate what would happen if we connected large amounts of poorly secured devices with computing power to the Internet. Mirai has shown us a glimpse into that future.
Allow me a slight digression to make a point. Before I became immersed in the world of software security, I spent some time working with advanced persistent threats (APTs) and zero-day attacks. While these attacks were exotic and sophisticated, I learned that most attackers take the path of least resistance. You can build a fine attack leveraging a well-known vulnerability, even when it has been known for months.
There is a new path of least resistance, which Mirai so well illustrated. Consumer connected devices are generally not built with security in mind. The software that powers these devices isn’t tested to the same level that a financial institution will test a Web application. The hardware, firmware, and OS isn’t sufficiently hardened against attack. If a password exists, it is weak and widely published in support documentation that is broadly available on the Internet. Almost no one knows that a password exists, and even fewer people will change that password. Thus, the device remains exposed to the Internet with no firewall or other protection.
While we have not perfected the art of protecting computers, many are secure enough to pose at least a moderate challenge to infiltrate. Enter the IoT devices with their default passwords, unsecured access, and well known IP addresses. Voila! A new path of least resistance. A growing population of connected devices with easy access and enough horsepower to become a bot’ed member of a DDoS army. Devices with enough computing power to be dangerous, but created without any security-related best practices, and free of any security controls or defenses.
Why don’t manufacturers care about security? It’s economics. Building security into the design and implementation, testing the software, and adding even minimal defenses drive up the cost of the device. Do consumers value security enough to choose the more expensive version of a device if all other factors are equal? I suspect not, largely because I don’t think consumers are aware of the inherent issues. I’ll cite as precedent the mobile phone industry: people gladly sell their privacy to get the newest, shiniest phone for free or reduced cost.
I also don’t want to paint with too broad a brush. I have seen several producers of consumer IoT devices who care very deeply about security and are taking concrete steps to secure their devices. But they are winning based on functionality, not price. Where price is an issue, I don’t see a rosy, or secure, future.
Now factor in volume. The estimated number of connected devices over the next five years varies, but the figures share one common element—lots of zeros and commas. Experts predict, by next year, that IoT devices will outnumber humans. This means that attackers not only have a path of least resistance, they have access to enormous computing power and bandwidth. It is widely believed that the Mirai attack barely scratched the surface of available capacity. Given the widespread interruptions that resulted, the potential for disruption is enormous. And more devices are becoming connected every day.
There is one other small issue: many of these devices are not updateable. When a vulnerability is discovered that is readily exploitable, there is no recourse to patch the device. This is where economics come back into the picture. Manufacturers may be faced with costly and difficult decisions, such as recalling the exploitable devices. Consumers may be faced with continuing to roll the dice and use the devices or scrap them completely. My guess is that many of the devices used in this attack will still be connected a year from now.
If Mirai means “future,” then its arrival certainly leads us to ask what the future holds. I foresee lots of experimentation with evolving attacks using IoT devices as new devices are infiltrated. I predict lots of knee-jerk reactions in the form of poorly conceived legislation as the government tries to run in front of the avalanche. I see a call toward sanity, building some basic security hygiene into devices and the testing of associated software.
I know I no longer have much trust in the connected devices in my home, and wonder what they do with their spare time. I will never look at my toaster the same way again.