Late last week, 100,000 compromised connected gadgets helped anonymous attackers launch a massive and sustained DDoS attack. Malware called Mirai took control of the devices to direct large amounts of traffic, potentially as much as 1.2 Tbps, at Dyn, a DNS service provider that routes traffic requests to multiple major websites, including Twitter, Amazon, and Netflix. Those sites went offline for hours on Friday, resulting in a lasting black eye for both affected services and the internet at large. While Dyn remedied the initial incident by Saturday morning, Mirai source code remains online and open to anyone else who wants to try compromising additional devices and carrying out another attack.
Security researchers have warned for years about an attack of this magnitude as more gadgets come online and become obvious targets for hackers. They’re notoriously difficult to secure because of dizzying supply chains, general disinterest in or lack of knowledge about security on the consumer end, and the design of the devices themselves. Now those problems are more urgent than ever, so how do we fix current and future devices to prevent an even larger attack on the internet?
researchers saw this coming
Possibly the biggest security challenge is the complexity of the supply chain. Most anyone can go out and build a gadget that connects to the internet using components and software from various manufacturers. Check out the 3,000 webcams available on Amazon, for example. The complicated supply chain results in a webcam or other device with a chip from one factory, software from another, and sensors from somebody else. This makes it difficult to trace back parts and determine whether certain gadgets might be vulnerable.
Following last week’s attack, researchers tried to determine who made the affected gadgets. Flashpoint identified Chinese electronics company Hangzhou Xiongmai as the maker of affected IP camera and DVR boards, which ended up in various white-label products. Those devices, researchers allege, made up the majority of devices Mirai compromised because Xiongmai’s parts came with a default username and password. Those defaults may have made it easier for Xiongmai to access devices and provide seamless customer support, but because Xiongmai didn’t force users to change their logins, the devices were easy targets. Mirai used only 62 login combinations to brute force all the compromised devices. Xiongmai recalled webcams released in the US, but it isn’t clear whether that recall will have much of an effect. Mirai infections were at an all-time high after the recall, according to MalwareTech. Plus, the components were the problem, and again, a sticky supply chain makes it hard to determine which devices might be affected.
both software and hardware pose problems
Software isn’t much easier to keep secure. Most devices can’t be patched, and software almost always has flaws. "There’s no way to patch [some devices] remotely, or no way of patching at all," Martin McKeay, senior security advocate at Akamai, told The Verge. "That’s where a lot of the problems we’re seeing now are going to stick with us for a while. We can’t patch the IP cameras, and we can’t patch the DVRs."
Even if patching were an option, users would have to check whether their device is up-to-date and then take the time to patch. That’s often a struggle, McKeay says. The interface of a toaster doesn’t prompt someone to update. Our laptops and phones send push notifications, but it’s entirely possible that someone will never see an update reminder on their connected lightbulb. "It’s really difficult to get consumers to think of their toaster like they think of Windows and to regularly install patches for it," says Matthew Prince, CEO of Cloudflare. "I am skeptical that we are ever going to be able to get people to update the devices in their homes on a regular basis because we all learned how to interact with a toaster, and it takes a long time to unlearn that."
If users don’t patch and manufacturers struggle to keep the supply chain clean, both McKeay and Prince suggest considering an additional network layer of security. Network-layer security puts an extra barrier between gadgets and the public internet. Whoever owns that network can monitor traffic going in and out and make adjustments, like blocking abnormal behavior or pushing an update out to devices. A third-party company, gadget seller, or even an Internet Service Provider could provide this network. Installing that monitor at the ISP level might raise surveillance concerns, but at least working on the network level means that if the IP address that’s issuing commands to compromised devices is known, traffic from there can be blocked. Relying on a third-party company requires trust and a continued service cost, typically on the part of the manufacturer. A manufacturer, like Google, could alternatively deploy its own network for its Nest cams, for example, which might be the best solution, especially for tech companies with fiscal and personnel resources. If a device needs a patch, it’ll go out across the network immediately, as opposed to through user-initiated updates. Prince points out that critical infrastructure and cars already deploy this kind of security solution.
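The monitoring layer described above, as an added example that is not from the article or from any of the companies it names: it classifies one window of constructed per-device flow records, blocking any gadget that exchanged traffic with a known command address (a TEST-NET placeholder here, not a real indicator) and quarantining gadgets whose outbound volume or number of destinations is far above their normal baseline.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder for an address known to issue commands to bots
# (TEST-NET-3 range, not a real indicator).
KNOWN_COMMAND_IPS = {"203.0.113.7"}
@dataclass(frozen=True)
class Flow:
    device: str     # gadget's address on the managed network
    dst: str        # remote address it exchanged traffic with
    dst_port: int
    bytes_out: int  # bytes the gadget sent in this monitoring window

def evaluate_window(flows, baseline_bytes, max_destinations=3, burst_factor=10):
    """Return {device: 'block' | 'quarantine' | 'allow'} for one window.
    'block': the gadget exchanged traffic with a known command IP.
    'quarantine': outbound volume or destination count far above its baseline."""
    per_device = defaultdict(list)
    for f in flows:
        per_device[f.device].append(f)
    decisions = {}
    for device, dev_flows in per_device.items():
        if any(f.dst in KNOWN_COMMAND_IPS for f in dev_flows):
            decisions[device] = "block"
            continue
        total_out = sum(f.bytes_out for f in dev_flows)
        distinct_dst = {f.dst for f in dev_flows}
        expected = baseline_bytes.get(device, 0)
        if total_out > burst_factor * max(expected, 1) or len(distinct_dst) > max_destinations:
            decisions[device] = "quarantine"   # abnormal behaviour: cut it off pending an update
        else:
            decisions[device] = "allow"
    return decisions

# Constructed window: a healthy camera, a camera talking to the command IP,
# a DVR sending far more than usual to one target, and a device contacting many addresses.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "198.51.100.20", 443, 40_000),    # camera -> its cloud service
    Flow("10.0.0.12", "198.51.100.20", 443, 38_000),
    Flow("10.0.0.12", "203.0.113.7", 23, 900),           # camera <-> command IP
    Flow("10.0.0.13", "192.0.2.50", 53, 20_000_000),     # DVR: volume far above baseline
    *[Flow("10.0.0.14", f"192.0.2.{n}", 23, 500) for n in range(60, 66)],
]
SAMPLE_BASELINE = {"10.0.0.11": 45_000, "10.0.0.12": 45_000,
                   "10.0.0.13": 60_000, "10.0.0.14": 5_000}

if __name__ == "__main__":
    for dev, action in sorted(evaluate_window(SAMPLE_FLOWS, SAMPLE_BASELINE).items()):
        print(dev, action)
```

The thresholds and baselines are illustrative; a real deployment would learn per-device baselines over time rather than hard-code them.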
Although individual users can segment their gadgets off from the rest of their network, that hasn’t proven to be an effective or practical strategy. The burden of security and patching may ultimately have to be taken off the consumer and put onto companies. Until then, attacks like Friday’s will remain a threat.