Cybersec think tank: insecurity-by-design means IoT botnets are here to stay
- 07 December, 2016 09:48
The recent distributed denial of service (DDoS) attacks on managed DNS provider Dyn, which knocked out top websites like Spotify, Amazon and Twitter, has forced lawmakers to search for answers to the problem of inherently insecure Internet of Things (IoT) devices, such as webcams, DVR, printers and routers.
More recently, a variant of the open-sourced Mirai apparently mistakenly knocked out nearly one million Deutsche Telekom customers’ internet access. It wasn’t the result of a DDoS attack but rather a failed attempt to install the Mirai malware by exploiting a vulnerability in several router models.
Both scenarios could spell major troubles for the stability of the Internet, the Institute for Critical Infrastructure Technology (ICIT) warns in new 60 page report entitled Rise of the Machines: The Dyn Attack Was Just a Practice Run.
The report follows recent calls by security experts to introduce tougher security requirements and testing for IoT products. Despite an aversion to government meddling with tech products, security expert Bruce Schneier recently told US lawmakers it was a necessary step to avoid a catastrophic attack on critical infrastructure.
James Scott, a senior fellow at ICIT and co-author, argues that recent Mirai attacks suggest security-by-design isn’t happening, despite its necessity to protect critical infrastructure. The absence of security-by-design in the Internet and IoT devices can be blamed on a Mirai-inspired “renaissance” in adversarial DDoS botnet innovation, according to Scott.
Even major tech companies are now only waking up to the potential threat posed by insecure design. HP this week announced it would cut off FTP and Telnet connections via a new firmware update for its enterprise and multifunction printers.
“Networked printers can no longer be overlooked in the wake of weakening firewalls to the growing sophistication and volume of cyberattacks,” said Ed Wingate, VP & GM, JetAdvantage Solutions at HP, Inc.
The ICIT report canvases the Internet infrastructure, and protocols that DDoS botnets exploit, the DDoS ‘stresser’ economy, and what major recent attacks spell for the future of the Internet.
The Dyn attack, for example, may signal a “massive shift” as security researchers need to contend with less sophisticated attackers coordinating botnets to target security researchers and critical infrastructure.
Akamai also bowed out of protecting Brian Krebs’ Krebs on Security site after it was hit with a 620 Gbps DDoS attack. French ISP OVH was disrupted by a 1.1 Tbps DDoS attack. While it’s not known how much Akamai’s network can withstand, if it fell to a Mirai attack in the way that Dyn or OVH did, the internet would revert to its 2006 state, the authors argue.
“Video streaming, video conferencing, real-time online gaming, and other activities that require significant bandwidth or delivered content, would no longer be available,” they warn.
As Schneier told a US house committee last month, the Dyn attack was “benign” since it only knocked out a few websites, but this becomes dangerous once cars, medical devices and home thermostats are connected. Kevin Fu, CEO of Virta Labs, highlighted at the committee that the equivalent of the Dyn attack on hospitals was unpatched heating and ventilation systems.
The October Mirai attack that disrupted heating systems at two housing blocks in Finland illustrated the security-by-design problem.
“The systems targeted were manufactured by Fidelix, whose representative Antti Koskinen stated that vulnerabilities in the systems are opened up when operators configure the devices for convenience,” the authors note, based on Finnish news report at the time. Responding to the attack, the firm managing the apartments, for the first time, installed firewall to filter network traffic to the devices.
Though the report doesn’t mention the Deutsche Telekom attack, it warns that similar attempts to build a botnet, which inadvertently result in downtime for the impacted device, could be adapted in future ransomware attacks.
But the battle against Mirai and others recent examples of IoT malware, won’t be won with quick fixes, such as using a worm to infect devices that are vulnerable to Mirai and either removing the malware or killing the device. Responses like this could be exploited by attackers in future, ICIT notes.
Instead, companies should develop incident response plans, identify critical assets, and run tests against on premise monitoring systems to identify weak points in the network.
ICIT has also called of national over state-based regulation of IoT device security and economic incentives that mandate security-by-design. It also recommends penetration testing of IoT software and hardware according to NIST standards, while holding manufactures accountable for manufacturing insecure products and reducing the dependence on Chinese-made IoT devices.