We saw a preview Friday of how fragile the cyber world can be when DNS service disruptions blocked access to many popular websites. This wasn’t a case of stealing data (which tends to get a lot of media attention). Instead, the Dyn DDoS attack achieved its goal of disrupting access to internet services. As I’m sure readers know by now, Dyn is a major DNS host whose customers include some of the biggest names on the internet, including Twitter, SoundCloud, Spotify, Reddit, and a host of others.
The Dyn DDoS attack comes shortly after a pair of other massive DDoS attacks. The first targeted security blogger Brian Krebs’ site in mid-September. A couple of weeks later, French ISP OVH was the victim of a DDoS attack which generated over one terabyte per second of traffic.
First, these attacks exploited IoT vulnerabilities through devices such as webcams and DVRs, turning these devices into an army of “bots” overwhelming Dyn’s systems with noise. This wasn’t a matter of identifying complex IoT vulnerabilities in the software driving these devices. Instead, it relied on the fact that manufacturers and users of these devices are usually clueless about fundamental security activities. In this case, the attackers enlisted IoT devices that used default user names and passwords (user error for not changing these). Worse, it appears from Krebs’ post that the devices can be co-opted via Telnet and SSH commands even when a user changes the password.
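As an added detection example (not part of the original post), the script below flags the credential-guessing pattern described above in constructed telnetd log lines: a burst of failed Telnet logins from one source followed by a success. The log message format, host names and addresses are assumptions made for this example, not any real daemon's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-style telnetd lines; the message format is an assumption
# made for this example, not any real daemon's output.
SAMPLE_LOG = """\
Oct 21 06:12:01 cam01 telnetd[412]: login failed for 'root' from 198.51.100.7
Oct 21 06:12:02 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.7
Oct 21 06:12:03 cam01 telnetd[412]: login failed for 'support' from 198.51.100.7
Oct 21 06:12:04 cam01 telnetd[412]: login succeeded for 'root' from 198.51.100.7
Oct 21 07:00:10 cam01 telnetd[412]: login succeeded for 'ops' from 10.0.0.5
Oct 21 09:30:00 cam01 telnetd[412]: login failed for 'ops' from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>\S+)$"
)

def parse_line(line, year=2016):
    """Parse one constructed telnetd line; syslog timestamps carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def find_credential_guessing(log_text, max_failures=3, window=timedelta(seconds=60)):
    """Return {src: finding} for sources showing a burst of failed logins within
    `window`, and record the user name of any success that follows the burst
    (i.e. a default credential was guessed)."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            if len(recent) >= max_failures:
                findings.setdefault(ev["src"], {"burst": True, "guessed_user": None})
        elif ev["src"] in findings:
            findings[ev["src"]]["guessed_user"] = ev["user"]
        failures[ev["src"]] = recent
    return findings
```

Run on the sample, it reports the scanner at 198.51.100.7 and the account it eventually logged in as, while the single failure from 10.0.0.5 is ignored.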
The affected devices are not necessarily sold directly to consumers. For example, the cameras may be sold to OEMs who use the camera as a portion of their own solution. If we assume (safely, I believe) that the OEMs are no more sophisticated about security than the camera folks, we increase the likelihood of exploitability and reduce the likelihood of these devices getting fixed - EVER.
The frequency with which this is happening and the growing size of the attacks leave open the questions of “why” and “who.” Dyn confirmed that the DDoS attack was based on the Mirai botnet code – just as were the attacks on OVH and Krebs’ site. The author of the botnet released the code to the public in late September, meaning anyone could be responsible for the attack on Dyn.
It’s not always about the data. Attacks that result in stolen credit card data or personal information are often in the headlines. But data loss isn’t always the worst case scenario, which is why we discuss security impacts using metrics of confidentiality, integrity (of data/systems), and availability. Each application is different, and the technical impact from various attacks needs to be considered during threat modeling and when risk ranking vulnerabilities. In this case, availability was the critical issue. Amazon and Netflix likely lost revenue from customers unable to complete purchases, and Twitter and Spotify couldn’t deliver advertisements at an optimal rate.
This attack vector affected a large number of IoT devices, but it is unlikely to be the only method available to attackers. The lack of security maturity demonstrated by IoT vendors suggests that IoT vulnerabilities will be the norm. Consumer IoT is a cost-sensitive market, and the vendors will use open source operating systems and components liberally. Will they track these components to ensure that those with known vulnerabilities and public exploits are avoided? As new vulnerabilities are disclosed, do they have processes for alerting and updating deployed devices?
The EU is contemplating security standards and labeling, which would attempt to raise the bar and put accountability on the table. The problem, of course, is that security testing for software is very different from CA or UL testing. The latter are based on physics; you can prove that a mining lamp is “intrinsically safe” based on specific criteria. Software security changes as new vulnerabilities are disclosed.
In many ways we should be glad for these wake-up calls. We are increasingly dependent on the internet, not only for commerce, but for our safety. The Dyn DDoS attack demonstrated how an attacker, using publicly available attacks and IoT vulnerabilities, can exploit an increasing population of unsophisticated and unsecured devices to affect our critical infrastructure.