How the Internet of Things (IoT) can wreck the Internet itself
Executive Summary: The unprecedented growth in devices connected to the internet, driven mainly by the IoT phenomenon, is becoming the Achilles' heel of the internet itself. These devices can be compromised by malicious actors and used to launch attacks on internet infrastructure, paralysing critical online services such as banks, stock exchanges and public utilities. There is an urgent need for globally mandated standards that improve IoT security, so that such events can be avoided.
Recently we all saw a novel attack, on the internet itself. It was probably the first time that malicious actors in cyberspace set out to shut down the internet itself, at least in a particular region, rather than just some websites they did not like. The attack was quite successful: it noticeably slowed user access to marquee sites such as Twitter, Facebook, Amazon and many others.
You could say that traffic slowed to a crawl on the so-called Information Superhighway. We all take this freeway for granted and never imagine that it could slow us down, yet this event showed that even a small group of determined individuals, acting with or without co-operation among themselves, could pull it off quite well.
The Great Information Highway Traffic Jam
So what exactly happened? It turns out that the attack was a large-scale DDoS (Distributed Denial of Service) attack on a company that provides DNS (Domain Name System) service to many websites, including the ones above. Because a site's name cannot be translated into an IP address while its DNS provider is unreachable, browsers could not find those sites even though the sites' own servers were up. The attack was apparently executed using a botnet, which is another name for a network of compromised (hacked) devices under the control of malicious actors.
For readers who are not familiar with bots or DDoS, please see the explanation in the box at the end of this article.
Botnets are not new. What was new this time was the method: it used the much-hyped Internet of Things (IoT). This malicious network was made up of consumer-grade IoT devices rather than the PCs of traditional botnets. Many of them were suspected to be plain vanilla IP cameras (cameras that use the Internet Protocol to transmit their images); others were home routers with minimal security.
It is not clear whether the later restoration of service to these domains was due to the attackers themselves "turning off" the attack or to mitigation by the affected websites and the DNS provider. The incident did, however, expose the two main weaknesses of the internet that security experts had been warning about for a long time: one is the Domain Name System itself, and the second is the poor security of today's consumer internet-connected devices, many of which are part of the current IoT phenomenon. The DNS problems are known and, I am told, will be fixed in the near future. What needs more attention is the upcoming IoT wave, in which billions of such devices are becoming part of the internet. This also applies to the IIoT (Industrial Internet of Things) sector.
Welcome to the insecure Internet of Things (IoT)
The IoT today sits right at the top of the Gartner Hype Cycle, so a lot of people have placed high hopes in it delivering benefits such as data collection, remote monitoring, energy savings, plant and process optimisation and so on. An often overlooked aspect, however, is the security of these devices. Most of them ship with almost no security at all, or at best with some weak "bolt-on" features added as an afterthought.
So, for example, all it takes to hack an IP camera is to find it on the internet (there are easily available tools for such searches), query it, and try to log in using the infamous default logins and passwords that IT security admins are so frustrated with, such as 1234/1234 or admin/admin. Voilà! You now have access to a device on the internet where you can plant your malware, and it becomes one more soldier in the army of bots that forms your botnet. If you are a lazy hacker you can automate the whole process, so that your bot program scans for connected devices, logs in to them and installs the malware. Each of these "slave devices" then starts flooding whatever DNS service you plan to target with queries.
Do not think this needs an evil genius to execute. Programs to build these botnets are available for free online, such as the source code of the infamous Mirai botnet, so even mediocre programmers can do these things. Or, if you have some cash to throw around, instead of doing it yourself you can hire an attack for as little as $7,500 or so per hour, I am told. There are even SaaS (Software as a Service) players in the dark recesses of the internet that you can subscribe to for this purpose.
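The recruitment pattern described above (guess a handful of default usernames and passwords over Telnet, then log in) leaves a distinctive trace in a device's or honeypot's login log: a burst of failures from one source, followed by a success with a default username. The following detector is an added example, not code from this whitepaper or from the Mirai source; it assumes a hypothetical syslog-like line format (the device name "cam01" and the log lines are constructed), and the usernames in DEFAULT_USERS are a subset of those in the published Mirai scanner dictionary.

```python
import re
from collections import defaultdict
from datetime import datetime

# A subset of the usernames in the published Mirai scanner dictionary.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service", "supervisor", "tech"}

# Constructed sample log lines. The syslog-like format and the device name
# "cam01" are assumptions for this example, not the output of any real product.
SAMPLE_LOG = """\
Oct 21 11:03:12 cam01 telnetd[811]: login attempt user=root from=198.51.100.7 result=FAIL
Oct 21 11:03:13 cam01 telnetd[811]: login attempt user=admin from=198.51.100.7 result=FAIL
Oct 21 11:03:13 cam01 telnetd[811]: login attempt user=root from=198.51.100.7 result=FAIL
Oct 21 11:03:14 cam01 telnetd[811]: login attempt user=support from=198.51.100.7 result=FAIL
Oct 21 11:03:15 cam01 telnetd[811]: login attempt user=admin from=198.51.100.7 result=OK
Oct 21 11:40:02 cam01 telnetd[811]: login attempt user=alice from=192.0.2.10 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) telnetd\[\d+\]: "
    r"login attempt user=(?P<user>\S+) from=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line, year=2016):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "ip": m["ip"], "result": m["result"]}


def max_failures_in_window(fail_times, window_seconds):
    """Largest number of failures that fall inside any window of the given length."""
    best, start = 0, 0
    for end in range(len(fail_times)):
        while (fail_times[end] - fail_times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, window_seconds=60, fail_threshold=3, default_users=DEFAULT_USERS):
    """Return findings: credential guessing per source IP, and a successful login
    with a default username that follows failed attempts from the same source."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        if max_failures_in_window([f["ts"] for f in fails], window_seconds) >= fail_threshold:
            findings.append({"type": "credential_guessing", "ip": ip,
                             "failures": len(fails),
                             "users": sorted({f["user"] for f in fails})})
        for e in evs:
            # A default username succeeding after guesses from the same source is
            # the Mirai pattern: the device has very likely just been recruited.
            if (e["result"] == "OK" and e["user"] in default_users
                    and any(f["ts"] <= e["ts"] for f in fails)):
                findings.append({"type": "default_credential_login", "ip": ip,
                                 "host": e["host"], "user": e["user"],
                                 "at": e["ts"].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the constructed sample, the detector reports credential guessing from 198.51.100.7 (four failures across three default usernames inside one minute) and then a default-credential login as admin from the same source; the ordinary login by alice from another address raises nothing. The same logic applies to SSH or HTTP login logs once the regular expression is adapted to the format at hand.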
Going Forward with IoT
Going forward, I hope the security community wakes up and educates users to ensure that they are not inadvertently contributing to these botnets, by taking basic steps such as making sure that their internet-connected devices (TVs, webcams, baby monitors, smart meters, etc.) have secure logins and passwords. More importantly, manufacturers should stop shipping these easily guessed logins and passwords as default values.
Equally important, companies that want to make good use of this technology, including its industrial cousin, the Industrial Internet of Things (IIoT), should lobby hard to ensure that the security of all consumer and domestic-grade IP-connected devices is strengthened, so that their own networks do not fall prey to mistakes made by third parties.
What about DNS Security then?
This is a large topic in its own right and beyond the scope of this whitepaper. We are informed that work is still ongoing to improve DNS security, and we can only hope that it happens quickly, at least before the IoT really takes shape. In the meantime you can make sure your own DNS setup is in good shape by devising automated tests that confirm it has not been tampered with. Many consumer-grade routers and switches do fall prey to DNS-changing malware that redirects browser queries to spam and malware sites. Makers of IIoT devices should ensure that their networks are well protected against such dangers.
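The "automated test that your DNS is not hacked" suggested above can be reduced to two checks: are the resolvers a device is configured to use the ones you expect, and do the answers it gets for a canary name agree with answers recorded from a trusted resolver? The script below is an added example, not part of this whitepaper; the expected resolver addresses, the canary name login.bank.example, the reference answers and the resolv.conf text are all constructed for the example and must be replaced with your own values.

```python
import ipaddress

# Resolvers you expect on your devices: replace with your ISP's documented
# resolvers and/or the public resolver you chose. Constructed for this example.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Canary names and the answers a trusted resolver gave for them, recorded out of
# band. Both the name and the addresses are constructed for this example.
REFERENCE_ANSWERS = {"login.bank.example": {"203.0.113.10", "203.0.113.11"}}

SAMPLE_RESOLV_CONF = """\
# Generated by the router's DHCP client (constructed sample)
search home.example
nameserver 192.0.2.53
nameserver 198.51.100.66
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in order.
    Malformed entries are skipped rather than trusted."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def check_resolvers(nameservers, expected=EXPECTED_RESOLVERS):
    """Flag any configured resolver that is not on the expected list."""
    return [{"type": "unexpected_resolver", "resolver": ns}
            for ns in nameservers if ns not in expected]


def check_answers(observed, reference=REFERENCE_ANSWERS):
    """Flag canary names whose observed answers share nothing with the reference.
    Disjoint sets are used rather than equality because CDNs legitimately rotate
    addresses; a complete mismatch (or no answer at all) is the hijack signal."""
    findings = []
    for name, good in reference.items():
        seen = set(observed.get(name, ()))
        if not seen or seen.isdisjoint(good):
            findings.append({"type": "answer_mismatch", "name": name,
                             "observed": sorted(seen), "expected": sorted(good)})
    return findings


def audit(resolv_text, observed_answers):
    """Combine both checks; an empty result means the DNS setup looks untouched."""
    return check_resolvers(parse_resolv_conf(resolv_text)) + check_answers(observed_answers)


if __name__ == "__main__":
    # Observed answers would normally come from socket.getaddrinfo() on the device
    # under test; here they are constructed to show a hijacked result.
    observed = {"login.bank.example": {"198.51.100.99"}}
    for finding in audit(SAMPLE_RESOLV_CONF, observed):
        print(finding)
```

On the constructed input the audit reports an unexpected resolver (198.51.100.66) and a canary answer that shares nothing with the reference, which is exactly what DNS-changing malware on a home router produces. To run it for real, feed it the device's actual resolver configuration and the addresses socket.getaddrinfo() returns for the canary, and schedule it so that a change is noticed the day it happens rather than when a user complains.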
Note for readers who are not aware of Bots or DDoS
1. The word "bot" is short for robot. You may think of a robot as a humanoid machine with a physical presence; in reality there are millions of programs out there that are robotic without having a physical "body", and these are referred to simply as bots. Not all bots are malicious, however: the well-known Googlebot and Bingbot, which index the web pages on the internet, are examples of benign ones.
2. DDoS is an acronym for Distributed Denial of Service. In simple terms, when you type an address into your web browser, the request is relayed to the web server that hosts that site, and that server serves the web pages. Different web servers have different capacities for handling such requests, sized to the estimated number of users who access the site. If a very large number of requests for the same web page arrive suddenly, the server is likely to be overloaded and can no longer serve them; it goes "down" and the web page becomes inaccessible to users. This overload can be engineered deliberately by hackers or other malicious entities to shut down a website, which is known as a DoS, or Denial of Service, attack. If the requests came from a single computer, or from a single IP address or a small group of them, they could simply be blocked. To avoid this, criminals nowadays spread the requests over a large number of computers with a large number of IP addresses; in other words, the attack is "distributed". This is known as a Distributed Denial of Service attack, or DDoS.
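The difference between the two cases in point 2 is easiest to see with numbers. The simulation below is an added example, not part of this note: it builds two constructed request logs of the same shape (50 legitimate users making 10 requests each, against a server that can handle 1,000 requests in the period), one with a single attacking address sending 5,000 requests and one with 5,000 bot addresses sending one request each, and then applies the obvious defence of blocking the busiest source addresses. The address ranges and all counts are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter
from itertools import islice


def make_requests(legit_users, legit_reqs, attackers, attack_reqs):
    """Build a constructed request log: one entry per request, holding the source
    address. Addresses come from documentation/shared ranges, not real hosts."""
    legit = [str(ip) for ip in islice(ipaddress.ip_network("192.0.2.0/24").hosts(), legit_users)]
    bots = [str(ip) for ip in islice(ipaddress.ip_network("100.64.0.0/16").hosts(), attackers)]
    return ([ip for ip in legit for _ in range(legit_reqs)]
            + [ip for ip in bots for _ in range(attack_reqs)])


def plan_blocks(requests, capacity, max_blocks):
    """Block the busiest source addresses, one at a time, until the remaining load
    fits the server's capacity or the block budget is exhausted.
    Returns (blocked_addresses, remaining_requests, fits)."""
    counts = Counter(requests)
    remaining = sum(counts.values())
    blocked = []
    for ip, n in counts.most_common():
        if remaining <= capacity or len(blocked) >= max_blocks:
            break
        blocked.append(ip)
        remaining -= n
    return blocked, remaining, remaining <= capacity


def legit_blocked(blocked):
    """How many of the blocked addresses belong to the (constructed) legitimate users."""
    legit_net = ipaddress.ip_network("192.0.2.0/24")
    return sum(1 for ip in blocked if ipaddress.ip_address(ip) in legit_net)


if __name__ == "__main__":
    capacity, budget = 1000, 100
    dos = make_requests(legit_users=50, legit_reqs=10, attackers=1, attack_reqs=5000)
    ddos = make_requests(legit_users=50, legit_reqs=10, attackers=5000, attack_reqs=1)
    for label, reqs in (("single-source DoS", dos), ("distributed DDoS", ddos)):
        blocked, remaining, fits = plan_blocks(reqs, capacity, budget)
        print(f"{label}: blocked {len(blocked)} addresses ({legit_blocked(blocked)} legitimate), "
              f"{remaining} requests remain, server {'survives' if fits else 'is still overloaded'}")
```

In the single-source case blocking one address drops the load to 500 requests and the server survives. In the distributed case the busiest addresses are the legitimate users, so a budget of 100 blocks removes all 50 of them plus 50 bots and still leaves 4,950 requests, far above capacity; per-address blocking cannot work when every attacking source looks like an ordinary visitor, which is why DDoS mitigation needs capacity and traffic scrubbing rather than a block list.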