In late September, cybersecurity journalist Brian Krebs’ website was overwhelmed by a massive DDoS attack that hit at a rate of 620Gbps, forcing Akamai to temporarily suspend service. In a blog post describing the cyber assault, Krebs said the attack had likely been conducted with the help of a botnet that enslaved a significant number of compromised IoT devices, including routers, IP cameras and digital video recorders (DVRs).
Subsequently, Krebs confirmed that the source code powering the IoT botnet responsible for the attack had been publicly released. According to the journalist, the easy availability of the code “virtually guarantees” that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
“The malware, dubbed ‘Mirai,’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords,” Krebs explained. “Vulnerable devices are then seeded with malicious software that turns them into ‘bots,’ forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.”
Perhaps more disturbingly, Mirai is reportedly only one of at least two malware families that are currently being used to assemble large IoT-based armies.
“The other dominant strain of IoT malware, dubbed ‘Bashlight,’ functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices,” Krebs stated. “According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.”
Commenting on the recent slew of DDoS attacks, Asaf Ashkenazi, a senior director of product management at Rambus’s security division, notes that it is important for consumers to be aware of the very real threat posed by insecure IoT devices, including connected appliances, routers, IP cameras and digital video recorders. Indeed, unlike the situation with PCs and mobile devices such as tablets or smartphones, serious or even critical vulnerabilities in these devices are very rarely addressed by manufacturers with timely firmware updates, if at all.
“As more and more devices go online, the specter of nefarious attackers maliciously exploiting hapless victims looms ever larger. Of course, the overall effectiveness of a DDoS attack ultimately depends on the amount of IoT devices participating in any given DDoS campaign,” Ashkenazi wrote in an October 2016 Semiconductor Engineering article. “Vulnerable IoT endpoints clearly provide attackers with the scalability needed to launch effective DDoS attacks.”
In addition, says Ashkenazi, a new approach, designed from the ground up to provide security for connected devices, is obviously long overdue. One approach to achieving a safer IoT would see devices secured throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning. This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and its cloud service.
“It may also be time to seriously re-examine the current state of DDoS protection on the service side. One possible way of shoring up defenses against costly DDoS attacks would be to bolster cloud service security,” he added. “This can be done by uniquely and cryptographically verifying each IoT device to determine if it is authorized to connect to a particular service. Devices that are not authenticated can be denied access to the service, which would, in turn, reduce the effectiveness (and damage) of a DDoS attack.”
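The per-device verification described above can be sketched as a challenge-response check on the service side. This is an added example, not code from the original article or from Rambus; it assumes each device holds a unique key derived from a provisioning secret (the kind of key a hardware root of trust would store), and the names `Device`, `Service`, `device_key` and the device IDs are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: keys are derived from one provisioning secret at manufacture.
# The value below is constructed for this example only.
PROVISIONING_SECRET = secrets.token_bytes(32)


def device_key(device_id):
    """Derive the unique per-device key that would be injected at the factory."""
    return hmac.new(PROVISIONING_SECRET, device_id.encode(), hashlib.sha256).digest()


def _proof(key, service_name, nonce):
    # Binding the service name stops a response being reused at another service.
    return hmac.new(key, service_name.encode() + b"|" + nonce, hashlib.sha256).digest()


class Device:
    """Device side: proves possession of its key without ever sending it."""

    def __init__(self, device_id, key):
        self.device_id, self._key = device_id, key

    def respond(self, service_name, nonce):
        return _proof(self._key, service_name, nonce)


class Service:
    """Cloud side: admits only enrolled devices that answer a fresh challenge."""

    def __init__(self, name, enrolled_ids):
        self.name, self.enrolled = name, set(enrolled_ids)
        self._pending = {}  # device_id -> outstanding nonce

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def admit(self, device_id, response):
        nonce = self._pending.pop(device_id, None)  # single use: blocks replay
        if nonce is None or device_id not in self.enrolled:
            return False  # no fresh challenge, or device not authorized here
        expected = _proof(device_key(device_id), self.name, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare
```

A production service would keep per-device keys in an HSM or use device certificates rather than deriving keys in application code.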