The massive distributed denial of service (DDoS) attack that blocked marquee sites such as PayPal, Twitter, the New York Times and Airbnb for hours on the morning of Friday, October 21st, 2016, used hijacked Internet of Things (IoT) products to do its dirty work.
The IoT devices were infected with malware that made them flood the servers of Dyn, a managed DNS provider whose servers translate website names into numerical IP addresses, with junk queries that crowded out legitimate ones. A computer that cannot find out which address netflix.com lives at cannot stream a movie, even though the sites themselves were never attacked.
The attack was historic both for the sheer number of devices involved, around 100,000, and for how easy it would have been to prevent. Analysis by Flashpoint suggests it was unsophisticated enough to be the work of script kiddies just looking to cause trouble, and the huge number of unsecured IoT devices currently connected to the internet made it all too easy. In this case the zombie slaves were DVRs and webcams. We don’t mean to scare you, but any unsecured device can be conscripted the same way. Don’t add to the din! There are measures you can take to make sure yours is better protected.
1 – Look out for Linux.
Many IoT devices are easy marks. The webcams and DVRs that were hijacked, for example, run Linux, an open-source operating system. Its licensing terms are permissive enough that students and hobbyists use it for educational projects and commercial developers build it into products, and by starting from Linux an engineer can create an internet-connected product quickly. Unfortunately, many embedded Linux builds ship with serious security weaknesses.
But Linux can be used securely. As the Internet evolved and it became apparent that every connected device would be exposed to attackers, Linux was hardened and secure replacements were created for the important insecure applications (SSH in place of Telnet, for example). However, Linux is still distributed with a melange of legacy network applications alongside their modern replacements.
When Linux goes into an internet-connected product, it is crucial that all the older, inherently insecure network applications are disabled; otherwise they can and will be attacked and eventually compromised. The webcams hijacked for the Dyn DNS DDoS attack accepted Telnet logins, an early remote-access protocol that sends usernames and passwords across the network in cleartext. Worse, they still answered to the factory-default credentials, admin/admin among them, that were set in the factory and never changed. Which brings us to the next thing to get right when designing Internet of Things devices: the default password.
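Disabling the legacy services is only as good as your ability to prove they are gone from the shipped image. The following Go program is an added example, not the author's code: it audits a device's listening sockets by parsing the text of /proc/net/tcp (hex address and port, state 0A for LISTEN, each 32-bit address word printed in host byte order, so 127.0.0.1 reads 0100007F on little-endian hardware) and reports every listener that is not on the product's allowlist. The snapshot, the allowlist of port 443 and the service names are constructed for illustration; on a real image you would feed it os.ReadFile("/proc/net/tcp") and tcp6 from the firmware's own build or test rig.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Listener is one TCP socket in LISTEN state, as recorded in /proc/net/tcp or tcp6.
type Listener struct {
	Addr net.IP
	Port int
}

// legacy names the cleartext-era services that should never be reachable on a connected
// product; anything else off the allowlist is reported too, just without a name.
var legacy = map[int]string{
	21: "ftp", 23: "telnet", 69: "tftp", 80: "http (cleartext)",
	111: "portmap", 512: "rexec", 513: "rlogin", 514: "rsh",
}

// ParseListeners reads the text of /proc/net/tcp (IPv4) or /proc/net/tcp6 and returns the
// LISTEN sockets. Column 2 is "ADDR:PORT" in hex; the kernel prints each 32-bit word of the
// address in host byte order, so on little-endian hardware 127.0.0.1 appears as 0100007F.
func ParseListeners(text string) ([]Listener, error) {
	var out []Listener
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[0] == "sl" || f[3] != "0A" { // header, blank, or not TCP_LISTEN (0x0A)
			continue
		}
		addrHex, portHex, ok := strings.Cut(f[1], ":")
		raw, err := hex.DecodeString(addrHex)
		if !ok || err != nil || len(raw)%4 != 0 {
			return nil, fmt.Errorf("malformed local_address %q", f[1])
		}
		port, err := strconv.ParseUint(portHex, 16, 16)
		if err != nil {
			return nil, fmt.Errorf("malformed port in %q", f[1])
		}
		ip := make(net.IP, len(raw))
		for i := 0; i < len(raw); i += 4 { // undo the per-word byte swap
			ip[i], ip[i+1], ip[i+2], ip[i+3] = raw[i+3], raw[i+2], raw[i+1], raw[i]
		}
		out = append(out, Listener{Addr: ip, Port: int(port)})
	}
	return out, sc.Err()
}

// Audit lists every listener whose port the product did not intend to expose. The allowlist
// is what the design says the device needs; everything else is an opening to remove.
func Audit(ls []Listener, allowed map[int]bool) []string {
	var findings []string
	for _, l := range ls {
		if allowed[l.Port] {
			continue
		}
		name, known := legacy[l.Port]
		if !known {
			name = "unexpected service"
		}
		findings = append(findings, fmt.Sprintf("%s:%d %s", l.Addr, l.Port, name))
	}
	sort.Strings(findings)
	return findings
}

// sample is a constructed /proc/net/tcp snapshot (not captured from any real device) for a
// camera image that still runs telnetd and a cleartext admin page beside its TLS service.
const sample = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8F2E 0100007F:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 20 4 30 10 -1
`

func main() {
	ls, err := ParseListeners(sample) // on the device image: os.ReadFile("/proc/net/tcp")
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(ls, map[int]bool{443: true}) { // 443 is the product's only intended port
		fmt.Println("REMOVE:", f)
	}
}
```

Run against the sample it reports the Telnet and cleartext HTTP listeners on 0.0.0.0 and stays silent about the TLS port and the established connection. A check like this belongs in the firmware's CI so that a service re-enabled by a vendor SDK update fails the build rather than shipping.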
2 – Don’t give 100,000 devices identical usernames and passwords!
It’s tempting to give every device the same default password and let the user change it… but most users never will, and your products are then at risk of becoming a zombie army doing someone else’s bidding. Make passwords and encryption keys unique per device. The best practice is a production station in the factory that generates a unique key for each unit and writes a certificate for it into the device before it ships, so no two units ever share a credential.

There’s actually a search engine named Shodan that scans the Internet cataloguing exposed devices. It now has a database of nearly 100 million webcams, routers, power plants, wind turbines, refrigerators and the like. Anyone can use Shodan to search for webcams and retrieve a list of devices made by a specific manufacturer or still answering to the username/password admin/admin. Shodan also lists other exposed services and vulnerabilities, which leads us to our next point.
3 – Don’t leave any superfluous openings that an attacker could exploit.
The older applications like Telnet included in a standard Linux package are just one example. When developing software for connected devices, we take a ground-up approach: we carefully determine which IP communication protocols we can safely use, include only those in the product, and build them from well-tested components. That way, the programs that crawl the Internet looking for devices with open ports find nothing superfluous to attack.

Whenever possible, we use the latest version of Transport Layer Security (TLS), the cryptographic protocol that provides end-to-end encryption and, with client certificates, mutual authentication. Our products support and allow only encryption and authentication algorithms deemed secure, and refuse to negotiate anything weaker. That defeats downgrade attacks, in which an attacker in the middle steers the two sides toward a weaker algorithm or protocol version; at the time of writing, an estimated 33% of all web servers remained vulnerable to one such exploit. We also do extensive software testing to find and fix errors and vulnerabilities.
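To make points 2 and 3 concrete, here is an added Go example (not the author's or the firm's code) that provisions per-device certificates from a factory root and then enforces the TLS policy on both ends: the cloud service accepts only devices whose certificates chain to that root, the device accepts only the cloud, and both sides refuse TLS below 1.2 and any non-AEAD cipher suite. The factory root, the serial number CAM-000001, the hostname cloud.example and the loopback handshake are assumptions for the demo; in production the root key lives in an HSM on the production station and each unit's key is generated on, or written into, that unit alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint: a fresh P-256 key pair plus a certificate for it, self-signed when parent is nil.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(10, 0, 0)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewFactoryCA is the factory root (hypothetical): its key stays in the factory HSM; only its cert ships.
func NewFactoryCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Device Manufacturer Root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// Issue runs once per unit with its serial number as the name: every unit gets its own key, no shared password.
func Issue(root *x509.Certificate, rootKey *ecdsa.PrivateKey, name string) tls.Certificate {
	cert, key := mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature}, root, rootKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// HardenedTLS: TLS 1.2+, ECDHE AEAD suites only (the list governs 1.2; Go fixes 1.3's), peer cert required.
func HardenedTLS(root *x509.Certificate, id tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
		Certificates: []tls.Certificate{id},
		RootCAs:      pool, // the device checks the cloud against this
		ClientCAs:    pool, // the cloud checks the device against this
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
}

// Connect does one handshake over loopback TCP; returns the verified device serial or why it was refused.
func Connect(cloud, device *tls.Config) (string, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	clientErr := make(chan error, 1)
	go func() {
		conn, err := tls.Dial("tcp", ln.Addr().String(), device)
		if err == nil {
			conn.Close()
		}
		clientErr <- err
	}()
	srv := tls.Server(must(ln.Accept()), cloud)
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	if err := <-clientErr; err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// Demo: a provisioned camera is accepted; a client with no cert and a TLS-1.0-only client are refused.
func Demo() (serial string, noCertErr, downgradeErr error) {
	root, rootKey := NewFactoryCA()
	cloud := HardenedTLS(root, Issue(root, rootKey, "cloud.example"))
	cam := HardenedTLS(root, Issue(root, rootKey, "CAM-000001")) // constructed serial number
	cam.ServerName = "cloud.example"
	serial = must(Connect(cloud, cam))
	noCert := cam.Clone()
	noCert.Certificates = nil
	_, noCertErr = Connect(cloud, noCert)
	legacy := cam.Clone()
	legacy.MinVersion, legacy.MaxVersion = tls.VersionTLS10, tls.VersionTLS10
	_, downgradeErr = Connect(cloud, legacy)
	return serial, noCertErr, downgradeErr
}
```

Demo() returns the serial number the cloud side verified for the provisioned unit and the errors the two bad clients received. Because the identity is the certificate, the cloud knows exactly which unit connected, can revoke one unit without touching the rest, and has no password database to leak; and because MinVersion and the suite list are fixed on both ends, there is nothing for a man in the middle to negotiate down to.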
4 – Only allow secure over-the-air (OTA) software updates.
We use strong cryptographic algorithms to encrypt and authenticate the files the device is allowed to retrieve over the Internet from the file servers in the cloud. Every file must be digitally signed by the manufacturer, and the device checks that signature before it decrypts or loads anything. If the signature does not verify against the manufacturer’s key, the device is intrinsically incapable of decrypting and loading the new software: the update is rejected before a byte of it is executed.
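An added Go example (not the author's code) of the verify-before-decrypt rule just described, extended with an anti-rollback check that the text does not mention but every OTA design needs: the manufacturer signs with Ed25519 over the encrypted image, and the device verifies that signature, then the version, before it touches AES-GCM at all. The manufacturer's signing key, the per-device image key and the firmware bytes are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Update is the file a device fetches from the update server: a version number, the firmware
// image encrypted under a key the device holds, and the manufacturer's signature over all of it.
type Update struct {
	Version    uint32
	Nonce      []byte // fresh 12-byte AES-GCM nonce per release
	Ciphertext []byte // AES-256-GCM of the image, with the version bound in as associated data
	Signature  []byte // Ed25519 over signedBytes(Version, Nonce, Ciphertext)
}

var (
	ErrBadSignature = errors.New("update is not signed by the manufacturer")
	ErrRollback     = errors.New("update is not newer than the installed firmware")
)

func versionBytes(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// signedBytes is the exact string that is signed and verified. Signing the ciphertext rather
// than the plaintext is what lets the device refuse a file before decrypting any of it.
func signedBytes(version uint32, nonce, ct []byte) []byte {
	return append(append(versionBytes(version), nonce...), ct...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Package is the manufacturer's release step: encrypt the image for the device, then sign.
func Package(signKey ed25519.PrivateKey, imgKey []byte, version uint32, image []byte) (Update, error) {
	aead, err := newGCM(imgKey)
	if err != nil {
		return Update{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Update{}, err
	}
	ct := aead.Seal(nil, nonce, image, versionBytes(version))
	return Update{version, nonce, ct, ed25519.Sign(signKey, signedBytes(version, nonce, ct))}, nil
}

// Install is the device's side: check the manufacturer's signature, refuse anything not newer
// than what is running, and only then decrypt. A file failing either check is never decrypted.
func Install(manufacturer ed25519.PublicKey, imgKey []byte, installed uint32, u Update) ([]byte, error) {
	if !ed25519.Verify(manufacturer, signedBytes(u.Version, u.Nonce, u.Ciphertext), u.Signature) {
		return nil, ErrBadSignature
	}
	if u.Version <= installed {
		return nil, ErrRollback
	}
	aead, err := newGCM(imgKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, u.Nonce, u.Ciphertext, versionBytes(u.Version))
}

// Demo: a genuine v2 update installs on a v1 device; the v2 file re-served to a v2 device, a file
// signed with someone else's key, and the genuine file with one byte flipped are all refused.
func Demo() (image []byte, tampered, forged, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // manufacturer signing key (an HSM in practice)
	if err != nil {
		panic(err)
	}
	imgKey := make([]byte, 32) // constructed stand-in for the per-device key written at the factory
	if _, err := rand.Read(imgKey); err != nil {
		panic(err)
	}
	good, err := Package(priv, imgKey, 2, []byte("firmware v2: telnetd removed"))
	if err != nil {
		panic(err)
	}
	if image, err = Install(pub, imgKey, 1, good); err != nil {
		panic(err)
	}
	_, rollback = Install(pub, imgKey, 2, good) // the device already runs v2
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	evil, _ := Package(attacker, imgKey, 3, []byte("zombie payload"))
	_, forged = Install(pub, imgKey, 1, evil)
	good.Ciphertext[0] ^= 1 // one byte corrupted in transit
	_, tampered = Install(pub, imgKey, 1, good)
	return image, tampered, forged, rollback
}
```

Note the ordering in Install: the signature check comes first and covers the version and the ciphertext, so a forged, corrupted or replayed file is rejected with no key material ever used, which is what "incapable of decrypting" means in practice. The public key the device verifies against should itself be held in read-only or one-time-programmable storage so that an attacker who gains a foothold cannot swap it.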
No defense is impenetrable, but by following these best practices you can protect your IoT device from vampires wanting to suck its processing time, ghosts in the machine, and malicious slavers looking to build a zombie army.
Read about our Connected Device Design expertise.