There’s been plenty of chatter about the security of IoT (internet of things) devices in recent years (remember the guys who took control of the Jeep on the highway?). But the chatter moved from speculation to reality late last month when attackers managed to tap into thousands of IoT devices to create a botnet infected with Mirai malware and wreak havoc on some major websites. The Mirai botnet, composed of 100,000 IoT devices — from DVRs to security cameras — unleashed a massive DDoS attack on DNS provider Dyn, which brought down dozens of websites, including Twitter, Spotify, Netflix and The New York Times.
The question of “who would want to hack my toaster?” has been answered. It’s anyone who can monetize an attack (e.g. extortion), for which a DDoS botnet could be perfect. DDoS attacks and botnets aren’t new, but using IoT devices to perpetrate these types of attacks is a disturbing recent development. It’s enabled anyone to launch record-breaking attacks.
Considering that Mirai’s source code is freely available to anyone who wants it and the sheer number of IoT devices connected to the Internet (projected at 40 billion by the end of 2020), there is the potential for Mirai botnet attacks to be catastrophic.
How did this happen?
Suggested IoT security solutions were everywhere after the attack. Some called for manufacturers to make their products more secure, some put the responsibility on the end users (“How could they not change the default password!?”), and some called on manufacturers to band together and create standards.
I think the solution lies in understanding the economics of the situation and the simplicity involved in such seemingly complex attacks. The word “sophisticated” has been used a lot to describe the Mirai botnet, but the reality is that it was decidedly unsophisticated and not hard to prevent. The attackers simply took advantage of hard-coded default passwords in IoT devices. Far from a complicated endeavor, finding these passwords is trivial once the firmware of these devices is analyzed.
What do we do about it?
As easy as it is for attackers to compromise IoT devices, protecting against exploitation of their passwords can be simple. At Veracode, we look at thousands of application binaries a year, and we’ve found that hard-coded passwords are a very simple problem to fix:
- Force users to change the password if they want to enable remote access.
- Don’t embed passwords in your firmware.
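The two fixes above can be expressed directly in device firmware logic. The following is an added illustration, not code from the article or from any vendor's firmware: a minimal device-configuration model that ships with no embedded credential at all, refuses any user-chosen password that matches a (constructed) list of well-known factory defaults, stores only a salted PBKDF2 hash, and will not turn on remote access until a compliant password exists. The class, function and constant names are all assumptions made for the example.

```python
"""Added example: no embedded password, and remote access gated on a
user-chosen credential. Illustrative only; not the article's or any
vendor's code."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed denylist. A real product would use the vendor's own shipped
# defaults plus well-known ones; this set exists only for the example.
KNOWN_DEFAULT_PASSWORDS = frozenset({"admin", "password", "1234", "12345", "root"})
MIN_PASSWORD_LENGTH = 10
PBKDF2_ITERATIONS = 200_000


class PasswordPolicyError(ValueError):
    """Candidate password is a known default or too weak."""


class RemoteAccessError(RuntimeError):
    """Remote access requested before a user-chosen password exists."""


def check_password_policy(candidate: str) -> None:
    """Reject known defaults and short passwords; return silently if OK."""
    if candidate.lower() in KNOWN_DEFAULT_PASSWORDS:
        raise PasswordPolicyError("password is a known factory default")
    if len(candidate) < MIN_PASSWORD_LENGTH:
        raise PasswordPolicyError(
            f"password shorter than {MIN_PASSWORD_LENGTH} characters")


class DeviceConfig:
    """Minimal model of one device's credential and remote-access state."""

    def __init__(self) -> None:
        # Shipped with no credential: the firmware image embeds no password.
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None
        self.remote_access_enabled = False

    @property
    def has_user_password(self) -> bool:
        return self._hash is not None

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Store a slow salted hash, never the plaintext.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def set_password(self, candidate: str) -> None:
        check_password_policy(candidate)
        self._salt = os.urandom(16)
        self._hash = self._derive(candidate, self._salt)

    def verify_password(self, attempt: str) -> bool:
        if not self.has_user_password:
            return False  # no credential set: nothing can authenticate
        return hmac.compare_digest(self._derive(attempt, self._salt), self._hash)

    def enable_remote_access(self) -> None:
        # The article's first rule: remote access requires a changed password.
        if not self.has_user_password:
            raise RemoteAccessError(
                "set a user-chosen password before enabling remote access")
        self.remote_access_enabled = True


def provision_remote_access(config: DeviceConfig, candidate: str) -> str:
    """Attempt to set a password and enable remote access in one step.

    Returns a short status string so callers (and tests) can inspect the
    outcome without catching exceptions.
    """
    try:
        config.set_password(candidate)
        config.enable_remote_access()
    except (PasswordPolicyError, RemoteAccessError) as exc:
        return f"rejected: {exc}"
    return "enabled"


if __name__ == "__main__":
    cfg = DeviceConfig()
    print(provision_remote_access(cfg, "admin"))
    print(provision_remote_access(cfg, "correct-horse-battery"))
```

The design point is that the device never has a credential an attacker could read out of a firmware image: until the owner chooses a password that passes policy, there is nothing to log in with and nothing listening remotely.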
But who will lead the effort to fix it? I propose it needs to come from outside regulators. We have FCC testing for devices that transmit radio so that they don’t interfere with other devices. We have UL testing so that electrical devices aren’t designed to shock people. Knowing this type of botnet attack has the potential to cause significantly more damage than radio interference — what if it were directed at all the connected traffic lights in a city? — it warrants similar attention and regulations.
In essence, there should be a base level of security testing that IoT devices have to pass before being sellable. But this initiative most likely won’t come from the manufacturers, who don’t have the skillset for or incentive to spend money on security. Moreover, consumers simply don’t yet understand the implications of purchasing products with broken security, meaning a “vulnerability-free” security camera isn’t going to be a competitive differentiator anytime soon. Would a massive recall force manufacturers’ hands? Maybe, but we shouldn’t wait for that. DDoS is an environmental problem that needs a regulatory solution in order to prevent similar misuses of digital technology.
This article is published as part of the IDG Contributor Network.