Hijacked IoT devices succeeded in shutting down part of the internet, just weeks after this type of event was predicted by the KrebsonSecurity news site.
The Dyn attack
But while the unprecedented distributed denial-of-service (DDoS) attack against Dyn, a company providing key services for Reddit, Spotify, SoundCloud, and Twitter, did manage to knock these companies off the internet for a while, the bigger issue is how to make the millions of IoT devices flooding into the market more secure so these attacks do not happen again.
The attack against Dyn was largely carried out through botnets that hijacked insecure IoT devices and then redirected them against the designated target. Unlike the classic DDoS attack, where several large sources are turned against the targeted site, these attacks featured millions of hacked and hijacked devices, effectively causing a virtual online death by a thousand paper cuts.
Key points to remember
- There are lots of IoT devices around – and there are going to be a LOT more: about 20 billion by the year 2020.
- Many IoT devices make it difficult – if not impossible – to change the default administrator settings.
- A few IoT manufacturers – including XiongMai and Dahua – have been linked to a significant share of the hacked devices.
- The source code for Mirai, the botnet linked to the attack on Krebs and Dyn, has been released to the public, making it simple for wanna-be hackers to step into the game.
The big question is just what should happen next to make these devices – and the Internet – a safer, more secure place. And who should do it? Is this something for the private sector, a government, or some certified outside agency? The primary options are limited – and, for now, only theoretical.
Name and shame – Lists like those posted on Krebsonsecurity could help highlight the issue and push companies to self-regulate so as not to damage their reputation. Prior to the Mirai attack, popular awareness of IoT security issues was close to zilch.
Legal action – Entities such as Dyn or Krebsonsecurity could launch a class-action suit against the manufacturers of insecure devices for the losses that their businesses have endured during a DDoS attack. If you can sue a car company for faulty ignition switches or airbags – what about a company that makes loose cannon devices that can fire away at anyone on the Internet?
Government enforcement – The European Commission is reportedly working on the requirements needed to boost the security of IoT devices. This could result in a security label, something like the energy efficiency labels on refrigerators.
Independent agency – One option would be for an independent testing or certification agency to step in and issue a security rating for IoT devices. This could function like a Good Housekeeping for American housewives or the German crash test from ADAC for motorists.
Just think about it: A less than four star ADAC crash rating can really crimp a car’s initial sales and even the resale value.
In terms of time and political feasibility, I would put government enforcement at the bottom of the list. In addition, legal action might only work in the United States. A name-and-shame tactic, where companies are “outed” due to the security weaknesses of their products, is the best option so far. So before you buy your next device, take a look at Krebs’s list.
According to a Yahoo article, the first company has stepped up and taken social responsibility in regard to the attack against Dyn: it is recalling millions of products sold in the U.S. before 2015. Hangzhou Xiongmai Technology, a manufacturer of web-connected cameras and digital recorders, told Yahoo that products sold after that date had been patched and no longer constitute a danger.