Why Threat Prevention on IoT Devices is Almost too Hard...
The Mirai botnet was responsible for the October 2016 attack that brought down much of our internet. The victim was Dyn, a company that provides DNS service. A Distributed Denial of Service (DDoS) attack caused the outage, and up to 100,000 malicious endpoints were used for the attack. The malicious “endpoints” were IoT devices – digital cameras and DVR players that were connected to the internet.
Two things made the attack so easy to execute: 1) the availability of IoT devices with default usernames and passwords (some were hard coded), which could easily be compromised, and 2) the availability of DDoS tools. Yet the attack was not as easy to prevent because of its massive scale. Brian Krebs mentions in a recent post the availability of VDOS for hire, which is “virtual hired muscle that can be rented to knock nearly any website offline.”
How could this have been prevented? What can we do in the future? The standard guidelines for defense against DDoS include:
- disabling unnecessary services
- using anti-malware
- enabling router throttling
- using a reverse proxy
- enabling ingress and egress filtering
- degrading services and
- absorbing the attack
The cryptographer Adi Shamir suggests: “The government should definitely do something about it - they should not allow devices which are not sufficiently secure to be connected to the public internet.” A bold statement, but very true. Security is not something built into many IoT devices since that's not what they are "designed for." I mean, logically speaking, why would a refrigerator need security measures built in? Well, if it has an internet connection, why shouldn't it?
Question: How do you prevent this? What’s to stop me from connecting anything to the internet?
To begin with, we need better quality control. Period. Any device with hardcoded credentials should not be allowed into the market. That should solve 50% of the problem. The other half can be addressed by user awareness, better software, and regular device updates. If my Android phone can be connected securely to the internet, so can my camera or DVR.
What are your thoughts or plans for improvement? Comment below, please.