I’ve been tracking the “Internet of Things” space for a few years now. There’s incredible hype around this, but especially in the commercial sector, I maintain that the hype will eventually be justified.
The vendors talk as if this is all done and dusted. However, it’s still early days. As is usually the case, the tech industry is rushing into it, and not in a particularly ordered fashion. To quote Sun-Tzu, “In the middle of chaos, there is opportunity”. And some bad people are finding their opportunity in the chaos.
Any appliance or device that is hooked into the internet for any reason whatsoever is considered part of IoT. On reflection, I realized that my house has at least 5 devices – a PVR, Smart TV, Chromecast, DVD player, and a thermostat. Of course, to hook them in I have a router. Even though all I want to do is watch TV or cool my house down before I get home, I’m part of something greater.
On October 21, Dyn, a major supplier of core internet services to companies such as Twitter and Spotify, was flooded with junk internet traffic, causing slowness and outages for their customers. What’s different and notable about this attack is that it didn’t use virus-infected servers or personal computers for the attack. It used webcams and DVRs.
(I’m going to take some technical liberties to keep this broadly understandable. Full tech explanation and clarifications are in the footnotes.)
It turns out that there are 500,000 of these webcams as well as an undisclosed, large number of DVRs that were susceptible to this particular attack. No one knows for sure how many participated, but the traffic volume generated for the attack was incredible.[1]
So, what went wrong? Each IoT device can be thought of as a little internet-connected computer. To make these devices easy to install, they were designed to be “discovered” from another computer. This can happen whether the computer is in the same room or halfway around the world.[2]
Next, the devices have a way of gaining full programmer access for maintenance. This access is controlled by a secret password, which turns out to be not that secret and is exactly the same on every device. Since this password is permanently burned in the device, it cannot be changed.
A bad actor (a.k.a. “Baddie”) created a program that looked for susceptible devices, logged in for programmer access, installed their code, and at the right moment, issued the “go” command. Then they posted the code to the internet.
And there is almost nothing[3] to prevent it from happening again. The devices in the field can’t be fixed.
I could have been a part of that attack. Fortunately, my PVR is disconnected from the internet.
[1] Dyn experienced a major DDoS attack from a botnet known as Mirai. Targeted devices contained DVR and web camera boards from XiongMai Technologies. Access was through Telnet or SSH, with a known user ID and password. Best explanation found here: Hacked Cameras, DVRs Powered Today’s Massive Internet Outage. Brian Krebs, a noted security expert who wrote that explanation, was previously targeted with a Mirai attack that peaked at 620 Gbps traffic volume!
[2] To find the devices on the other side of a router, Universal Plug and Play (UPnP) protocols are used. Often, these are enabled by default in home routers, and though they shouldn’t, many routers will accept UPnP protocols on their WAN ports.
[3] Disabling UPnP in home routers helps. ISPs can employ Network Ingress Filtering to defeat DDoS attacks that spoof the source address. But, most don’t bother.
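To make the two router-side defences in footnotes 2 and 3 concrete, here is an added example (not from the original post) of an edge-router policy in Python: it drops UPnP/SSDP arriving on the WAN port and applies Network Ingress Filtering so a customer can only send packets from the prefix assigned to them. Interface names, prefixes and the sample packets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of an ISP edge router applying two policies from the post:
#   1. Network Ingress Filtering: only forward a packet if its source address
#      belongs to the prefix assigned to the interface it arrived on, which
#      stops a compromised DVR from spoofing someone else's address.
#   2. Never accept UPnP discovery (SSDP, UDP port 1900) on the WAN side.
# Interface names and prefixes are hypothetical.

SSDP_PORT = 1900

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int

# Prefix the ISP assigned to each customer-facing interface (hypothetical).
INGRESS_PREFIXES = {
    "cust-a": ipaddress.ip_network("203.0.113.0/24"),
    "cust-b": ipaddress.ip_network("198.51.100.0/25"),
}

def ingress_filter(pkt: Packet) -> tuple[str, str]:
    """Return ("forward" | "drop", reason) for a packet entering the router."""
    # Policy 2: UPnP/SSDP must not be accepted from the WAN port.
    if pkt.in_iface == "wan" and pkt.proto == "udp" and pkt.dport == SSDP_PORT:
        return "drop", "upnp-on-wan"
    allowed = INGRESS_PREFIXES.get(pkt.in_iface)
    if allowed is None:          # no customer prefix bound to this interface
        return "forward", "no-policy"
    # Policy 1: the source address must lie inside the customer's own prefix.
    if ipaddress.ip_address(pkt.src) not in allowed:
        return "drop", f"spoofed-source:{pkt.src} not in {allowed}"
    return "forward", "ok"

def filter_all(pkts):
    return [ingress_filter(p) for p in pkts]

# Constructed sample traffic: legitimate, spoofed, SSDP-from-WAN, normal WAN.
SAMPLE = [
    Packet("cust-a", "203.0.113.7", "192.0.2.10", "udp", 53),
    Packet("cust-a", "192.0.2.10", "198.51.100.9", "udp", 53),
    Packet("wan", "198.51.100.200", "203.0.113.1", "udp", 1900),
    Packet("wan", "198.51.100.200", "203.0.113.1", "tcp", 443),
]

if __name__ == "__main__":
    for p, (verdict, reason) in zip(SAMPLE, filter_all(SAMPLE)):
        print(f"{p.in_iface:7} {p.src:>15} -> {p.dst:<15} {verdict:8} {reason}")
```

The second sample packet is the case footnote 3 is about: a customer device claiming a source address outside its own prefix is dropped at the ISP edge before it can reach the victim.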