Can the world wide web survive the internet of things? It’s a question many are asking after a vast attack on US and European internet structure last week, likely led by “smart” DVR players and webcams, that has left the tech industry reeling.
And according to experts, unless hardware and software manufacturers band together to improve the security of the open internet – and quickly – more attacks are imminent.
The attack on the internet infrastructure provider Dyn took down sites including Netflix, Facebook, Twitter and the Guardian last week. Dan Kaminsky, lead scientist for the cybersecurity firm White Ops, said the incident should force the tech industry to take a more serious look at its networks.
Back in 2008, Kaminsky discovered a serious vulnerability in the domain name system (DNS) – the way computers name sites on the internet – that became known as “the Kaminsky bug”. Since exposing and helping to mend that flaw, he has spoken regularly about the need for broad and free security measures online.
The attack that disabled websites across much of the continental US and Europe was a distributed denial-of-service (DDoS) attack. Dyn, a major provider of internet infrastructure, was swarmed by data requests from a network of hijacked machines – in this case, hundreds of thousands of hacked devices. Its systems were overwhelmed and its clients, some of the biggest names on the internet, were taken down as a result.
“Nothing survives floods of this nature, existing or theoretical, centralized or decentralized,” Kaminsky said. “It all falls over. The hard questions here are about preventing this sort of exposure in the first place, and about improving our ability to respond and remediate when we do get it wrong.” Prevention and remediation are the only options in the kind of attack that paralyzed Dyn, Kaminsky said.
Kaminsky predicted Friday’s botnet attack would act as a wake-up call. “The unifying principle of the internet is reliability, and systems went down,” he said. “That tends to cause improvement. ‘If we don’t do this, bad things will happen’ is not as compelling as ‘if we don’t do this, bad things will happen again’.”
One frustration among researchers is that DDoS attacks such as Friday’s siege of the Dyn servers are digital warfare of the least intelligent kind. There’s no network breach, merely a host of insecure devices hijacked using simple methods such as scanning open networks for devices using factory-default passwords. The devices are then used to artificially increase traffic beyond a network’s capacity – the computer equivalent of calling every phone in an office building at once, repeatedly.
These attacks have gotten easier as more devices have gotten “smart”; suddenly, people who buy coffeemakers and refrigerators are adding more computers to the internet. It’s unlikely they’re making sure those coffeemakers are defended from malware as well.
The source code for the malware used to press-gang those devices into service against Dyn has been available for mere weeks. The original program, called Mirai, is more efficient and sophisticated software than other botnets, but that bar is low.
Friday’s attacks appear to have been caused by hijacked DVRs and web-enabled cameras, many of which contained circuit boards and software manufactured by the Chinese tech firm Hangzhou Xiongmai. According to the security firm Kaspersky Lab, Hangzhou Xiongmai announced recalls for 4.3m circuit boards used in cameras on Friday. The company blamed users for not changing the default passwords on its devices.
Anthony Grieco, senior director of the security and trust organization at Cisco, told the Guardian at a Monday morning cybersecurity conference in Manhattan that securing every internet of things (IoT) device would be difficult. “Protecting all sources is a real challenge,” he said. “The target, the surface, is where energy needs to be focused.”
Asked whether Cisco should or could harden all its routers against transmitting DDoS traffic, Grieco said the devices themselves should be secured. “I think you get to a conversation about form and function,” he said. “What should a device be doing, what’s anomalous, what’s not, what are the best practices that need to be implemented on those devices – I think that’s what we really need to focus on.”
There are calls for players outside the tech industry to step in, as well: many are calling for the US government to regulate IoT security. Matthew Cook, co-founder of the gaming security company Panopticon Labs, likened the situation to banking industry regulation of computer-based fraud. “The banks spent years trying to inform consumers, and finally the FDIC had to step in and regulate,” Cook said.
In fact, on Friday, as the attack was underway, industry representatives held a prescheduled meeting with the US national telecommunications and information administration (NTIA).
There are few leads in the search for the perpetrators of Friday’s hack on Dyn, but Kaminsky said he hoped companies would begin to think about security as a matter of public benefit rather than as private detective work. “Maybe we look to public health and fire safety. It’s not that they ignore attribution – we still remember Typhoid Mary! – but it’s not their focus, nor the root of their relative success.”