IoT Hack

So…it’s happened… Last year I sat on a panel at our Sayer’s Curio event and was asked about my thoughts on IT security, cloud, and specifically where we were headed with the Internet of Things (IoT).  Admittedly, my response was probably a little over the top, and deserving of the few strange looks I received, as I did make some fast and loose references to the Zombie Apocalypse.  My voiced concern being we must absolutely change our collective thought processes from perimeter-based security to the endpoint and the data it houses, and my fear is that wouldn’t happen until we experience, first-hand, the broad-sweeping impact of an IoT attack.  Now, I feel somewhat vindicated, although I do hate the circumstances. Friday, a number of high profile web destinations were brought to their technical knees via a well-coordinated DDoS attack.  The websites include names like Netflix, Twitter, Spotify, GitHub, and Amazon.  Ultimately, the victims were part of a client-list of the DNS service provider DynDNS, many of these names are high profile and well-known on the WWW.  This most recent barrage came in the wake of an attack on security researcher, Brian Krebs, and another attack on Ars Technica.  Both of these attacks were very large volume when compared to similar historical DDoS attacks.  The attack on Krebs approached 700Gbps, and the attack on Ars closed in on 1 Tbps. The malware kit used in these attacks is named Mirai.  The purpose of this malware kit is to recruit Linux-based vulnerable systems into a botnet, which is then configured to do a miscreant’s bidding via a command and control server.  Considering Linux is open-source, and available to almost anyone at no or low-cost, many devices use one of the various flavors of this operating system as a basis to provide network functionality.  Additionally, Mirai is written in such a way as to target consumer-grade devices.  These devices are purchased for home use, are not managed by large security teams, and are often installed in default configuration.  To further exacerbate the issue, they are often “forgotten” once installed and functional, and never touched again.  These issues combine to make these low-profile IoT devices tasty targets for anyone wanting to recruit them into a botnet. So, what benefit does a miscreant gain by compromising my home router?  Generally speaking, not much.  I don’t want to make light of the hack, as it can potentially be used to further pivot into a home network, but there are other layers of security that often exist to make this pivoting more difficult.  However, a miscreant can immediately use that device’s network connectivity to attack someone else.  When you control five thousand, a hundred thousand, or more than five hundred thousand of these devices, point them all at one target, and “cut them loose”…well, the sci-fi and horror story aficionado in me can’t help but imagine the target running from a horde of ravenous undead. All the hyperbole aside, what can we do? Although not very high-visibility, in August of this year a mother in Houston, Texas discovered a security camera installed in her child’s room had been hacked and live-streamed to the Internet.  This bit of irony is not lost on anyone in this industry, I’m certain.  Not surprisingly, there are entire business and project models built around these security flaws.  Insecam is an example of this type of model.  The Insecam Project allows users to peruse a library of vulnerable and streaming security cameras and watch the live feeds.  Thankfully, Insecam does go through some effort to protect the privacy rights of individuals. Why are these devices sold to the public in this condition?  Speed to market…with a complete lack of security consideration.  We do have a fiduciary responsibility to ship these devices with basic security functionality. If the industry refuses to police itself by creating some degree of minimal security standards, and measuring these requirements as a quality metric, then perhaps it’s time failed expectations become punitive.  Or perhaps we simply need to better inform the public when they purchase such devices.  Or perhaps some mix of any number of possible answers. Regardless, of what we each believe is the right answer, I think we can all agree on one point:  if you’ve sold and shipped a security device, and it’s hackable out-the-box, “you’re not doing it right”.