We saw a preview Friday of how fragile the cyber world can be when DNS service disruptions blocked access to many popular websites. This wasn’t a case of stealing data (which tends to get a lot of media attention). Instead, the attack on Dyn achieved a goal of disrupting access to internet services. As I’m sure readers know by now, Dyn is a major DNS host whose customers include some of the biggest names on the internet including Twitter, SoundCloud, Spotify, Reddit and a host of others.
Massive DDoS Attacks
The attack on Dyn comes shortly after a pair of other massive DDoS attacks. The first targeted security blogger Brian Krebs’ site in mid-September. A couple of weeks later, French ISP OVH was the victim of an attack generating over one terabyte per second of traffic.
A couple of observations:
IoT Device Exploits
- First, these attacks exploited weaknesses in IoT devices including webcams and DVRs, turning the devices into an army of “bots” overwhelming Dyn’s systems with noise. This wasn’t a matter of identifying complex vulnerabilities in the software driving these devices. Instead, it relied on the fact that manufacturers and users of these devices are usually clueless about fundamental security activities. In this case, the attackers enlisted IoT devices that used default usernames and passwords (user error for not changing these). Worse, it appears from Krebs’ post that the devices can be co-opted via Telnet and SSH commands even when a user changes the password.
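As an added example (not part of the original post), the following Python script shows one defensive check that follows from the point above: it scans constructed, syslog-style Telnet and SSH login lines from a hypothetical camera and flags accepted Telnet logins, SSH password logins from outside the LAN, and bursts of failed logins from one source. The log format, hostname, addresses and threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a syslog-like shape; not taken from any real device.
SAMPLE_LOG = """\
Oct 21 12:00:01 cam01 telnetd[311]: login from 198.51.100.7: user 'root' accepted
Oct 21 12:00:02 cam01 sshd[412]: Accepted password for admin from 192.168.1.20 port 51522
Oct 21 12:00:03 cam01 telnetd[311]: login from 203.0.113.9: user 'admin' failed
Oct 21 12:00:03 cam01 telnetd[311]: login from 203.0.113.9: user 'admin' failed
Oct 21 12:00:04 cam01 telnetd[311]: login from 203.0.113.9: user 'admin' failed
Oct 21 12:00:05 cam01 sshd[413]: Failed password for root from 203.0.113.9 port 40100
"""

# Assumed private ranges for "inside the LAN"; adjust to the deployment.
LAN = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
TELNET_RE = re.compile(r"telnetd\[\d+\]: login from (\S+): user '(\w+)' (accepted|failed)")
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) password for (\w+) from (\S+)")
FAIL_THRESHOLD = 3  # assumed: failures from one source before alerting

def parse(line):
    """Return (service, src_ip, user, ok) for a login line, or None otherwise."""
    m = TELNET_RE.search(line)
    if m:
        return ("telnet", m.group(1), m.group(2), m.group(3) == "accepted")
    m = SSH_RE.search(line)
    if m:
        return ("ssh", m.group(3), m.group(2), m.group(1) == "Accepted")
    return None

def is_external(ip):
    return not any(ip_address(ip) in net for net in LAN)

def find_alerts(log_text):
    """Walk the log once and return a list of alert strings in log order."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        service, src, user, ok = ev
        if service == "telnet" and ok:  # Telnet should not be reachable at all
            alerts.append(f"telnet login accepted for '{user}' from {src}: telnet should be disabled")
        if service == "ssh" and ok and is_external(src):
            alerts.append(f"ssh password login for '{user}' from external {src}")
        if not ok:
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:
                alerts.append(f"{FAIL_THRESHOLD} failed logins from {src}: possible credential guessing")
    return alerts
```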
Who's Buying Affected Devices
- The affected devices are not necessarily sold directly to consumers. For example, the cameras may be sold to OEMs who use the camera as a portion of their own solution. If we assume (safely, I believe) that the OEMs are no more sophisticated about security than the camera folks, we increase the likelihood of exploitability and reduce the likelihood of these devices getting fixed - EVER.
- The frequency with which this is happening and the growing size of the attacks leave open the question of “why” and “who.” Dyn confirmed that the attack was based on the Mirai botnet code – just as was the attack on OVH and Krebs’ site. The author of the botnet released the code to the public in late September, meaning anyone could be responsible for the attack on Dyn.
Impact of Attacks
- It’s not always about the data. Attacks that result in stolen credit card data or personal information are often in the headlines. But data loss isn’t always the worst-case scenario, which is why we discuss security impacts using the metrics of Confidentiality, Integrity (of data/systems), and Availability. Each application is different, and the technical impact of various attacks needs to be considered during threat modeling and when risk-ranking vulnerabilities. In this case, Availability was the critical issue. Amazon and Netflix likely lost revenue from customers unable to complete purchases, and Twitter and Spotify couldn’t deliver advertisements at an optimal rate.
Lack of Security Maturity
- This attack vector affected a large number of IoT devices, but it is unlikely to be the only method available to attackers. The lack of security maturity demonstrated by the IoT vendors suggests that vulnerabilities will be the norm. Consumer IoT is a cost-sensitive market, and the vendors will use open source operating systems and components liberally. Will they track these components to ensure that those with known vulnerabilities and public exploits are avoided? As new vulnerabilities are disclosed, do they have processes for alerting and updating deployed devices?
Defining Security Standards
- The EU is contemplating security standards and labeling, which would attempt to raise the bar and put accountability on the table. The problem, of course, is that security testing for software is very different from CA or UL testing. The latter are based on physics; you can prove that a mining lamp is “intrinsically safe” based on specific criteria. Software security changes as new vulnerabilities are disclosed.
In many ways we should be glad for these wake-up calls. We are increasingly dependent on the internet, not only for commerce, but for our safety. The Dyn attack demonstrated how an attacker, using publicly available attacks, can exploit an increasing population of unsophisticated and unsecured IoT devices to affect our critical infrastructure.