NEWS ANALYSIS: More than a million security cameras, video recorders and other devices were used in attacks on a U.S. security researcher and French network service provider.
For the past several days, security researcher Brian Krebs has been battling a cyber-attack on a scale unlike any previously observed on the internet.
Krebs, who writes the security blog Krebs on Security, was on the receiving end of a distributed denial-of-service (DDoS) attack that delivered connection requests at the rate of nearly 700 gigabits per second. Equally alarming, the attack was generated by well over a million video cameras as well as other internet-connected devices ranging from set-top boxes to video recorders.
This is the first time network-connected devices have been used in such a massive attack, although it’s worth noting that smart devices, especially laser printers, have been used to launch malware attacks for several years. And although this is also not the first time video cameras have been used as part of a DDoS attack, it is the first time they have been marshaled for an attack on this scale.
Krebs has said that he was attacked in retaliation for a story he reported about an Israeli attack-for-hire service called “vDOS” that was earning its operators hundreds of thousands of dollars per year. After the story appeared on Krebs’ blog, the principals of the company were arrested, fined and placed under house arrest. Apparently the internet of things (IoT) attack on Krebs was done to prove that vDOS still had teeth.
Since then, Krebs has moved his website to the protection of Google’s Project Shield, which was created to protect human rights advocates and journalists from censorship by DDoS. Previously Krebs was protected by the Akamai content delivery service, but that company dropped him because handling the attacks was costing Akamai millions of dollars and Krebs was getting the service for free.
The attack on Krebs highlights the growing security problem of the IoT. Unfortunately, while the problem has been growing for years, very little has been done to address the threat. Worse, very few organizations have taken any steps to develop a protocol for making sure that devices that connect to the internet are secure. Adding to the problem is the fact that there’s little indication that once acquired, the devices are kept secure through proper management and timely updates.
The security cameras that were used in the attack on Krebs were mostly produced by Dahua Technology, which produces a wide variety of cameras used both in businesses and by consumers. These cameras are typically delivered with a default user name and password, and relatively few customers change the passwords before installation. Even fewer of these devices are ever updated once they’re installed.
While Dahua products were used in this attack, the company is not unique in how it delivers its products. Very few connected devices have any security beyond a simple name and password, and quite a few don’t even have that. If you want a picture of how bad this problem is, just turn on a WiFi device in a crowded area and look at the list of SSIDs. Note how many are simply the name of the company that made the product.
There are several things your organization can do to reduce the chance of your assets being used in a DDoS attack. That, in turn, will help you avoid any liability and any expense for the traffic your network devices may generate. Here’s a list to get you started:
1. Develop and enforce a protocol for any network-connected device that enters your organization to ensure that it gets a secure name and password, is set up for secure WiFi and gets on the list of devices that need regular updates.
2. Set your routers and firewalls to reject any attempt by your network devices to communicate outside of your internal network unless there’s a legitimate need. Print servers, for example, probably don’t need to have access to the internet.
3. Make sure your intrusion protection system is set to scan for unauthorized devices and check to see if your firewall is set to trigger alerts when devices attempt to reach the internet.
4. Confirm that any new devices that come into your organization will support your security requirements, including the ability to support secure WiFi.
5. Where possible, try to use wired networking rather than WiFi.
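One way to act on items 2 and 3 of the list, shown as an added example that is not part of the original article: a log review that compares outbound firewall traffic against the device inventory from item 1. The log format, address range, device names and inventory layout are all assumptions constructed for this sketch.

```python
import ipaddress
import re
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed inventory (item 1): IP -> (name, legitimate need for internet access)
INVENTORY = {
    "10.20.0.11": ("lobby-camera", False),
    "10.20.0.12": ("print-server", False),
    "10.20.0.30": ("update-proxy", True),
}

# Constructed firewall log lines in a hypothetical key=value format
SAMPLE_LOG = """\
2016-09-26T10:00:01 action=allow src=10.20.0.30 dst=198.51.100.7 dport=443
2016-09-26T10:00:02 action=deny src=10.20.0.11 dst=203.0.113.9 dport=23
2016-09-26T10:00:03 action=allow src=10.20.0.12 dst=10.20.0.5 dport=9100
2016-09-26T10:00:04 action=allow src=10.20.0.99 dst=203.0.113.50 dport=80
2016-09-26T10:00:05 action=deny src=10.20.0.11 dst=203.0.113.9 dport=23
2016-09-26T10:00:06 action=allow src=10.20.0.12 dst=192.0.2.44 dport=80
malformed line
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (action, src, dst) or None for a line that does not parse."""
    f = dict(FIELD.findall(line))
    try:
        return f["action"], ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    except (KeyError, ValueError):
        return None

def review(log_text, inventory=INVENTORY):
    """Count alerts per (source IP, alert kind) for internal-to-external traffic."""
    alerts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        action, src, dst = rec
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only traffic leaving the internal network matters here
        entry = inventory.get(str(src))
        if entry is None:
            alerts[(str(src), "unauthorized-device")] += 1  # not in the inventory
        elif not entry[1]:
            # "allow" for a device with no need for egress means a rule is missing
            kind = "egress-blocked" if action == "deny" else "egress-not-blocked"
            alerts[(str(src), kind)] += 1
    return alerts
```

Calling `review(SAMPLE_LOG)` separates three cases worth different responses: a known device whose outbound attempts the firewall stopped, a known device the firewall let through by mistake, and a device nobody registered.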
Perhaps most important, make sure your security staff knows that they have to remain vigilant for the introduction of new, insecure devices onto your network, and realize that those devices can be attached to your network in seconds by nearly anyone in your company. Those new devices will probably be insecure and the people installing them won’t be in a hurry to tell you about them.
The devices on your network, whether they’re intended to help you stay secure or simply intended to make your life easier, have a great potential to help, but they have an equally great potential to endanger your organization. You can limit the security risks by watching what those devices are up to, but only if you have a plan for handling them in the first place.