When Things Attack: The Mirai DDoS Attack & IoT Security Weakness

Jennifer Dean, Enterprise Security

I’m sure more than a few of you were affected by the worldwide Internet disruption that occurred in early October. Netflix, Twitter and CNN were just a few favorite sites crippled by a DDoS (Distributed Denial of Service) attack. In a situation reminiscent of the 80s Stephen King movie Maximum Overdrive, the machines attacked and wreaked havoc on our online lives.

It was only a matter of time before there was a widespread attack on IoT (Internet of Things) devices. First, many of these devices lack strong security, having hardcoded or default user names and passwords, making them ripe for the picking. Second, because of the sheer volume of internet-connected things, IoT-targeted attacks have the potential to be massive and widespread.

Last week's DDoS attack was the largest of its kind in history, involving more than 100,000 malicious endpoints and striking with beast-like strength at 1.2 terabytes per second. DDoS attacks are not new; think back to a spoiled 2015 Christmas for Xbox Live and PSN players. What makes this attack unique was its use of things to wage the war. The malware associated with this attack, the Mirai botnet, set its sights on IoT devices such as routers, DVRs and digital cameras, many of which we have in our homes and offices. The Mirai botnet scanned the Internet for IoT devices with weak security standards (speaking again of those hard-coded or default user names and passwords). Exploiting these, the botnet infected the devices and directed them to a control system, where they prepared to do battle, hammering websites with traffic to try to take them offline.

The direct target of the Mirai attack was DNS (Domain Name System) service provider Dyn. Dyn controls the majority of the Internet's DNS infrastructure and provides services to some of the most visited websites. So when Dyn was hit, the damage trickled down to its millions of customers, including Amazon, Spotify and Reddit. But Forrester has a slightly different take on the situation. The research giant blames poor planning on the part of the brand giants themselves, saying businesses are careless to depend on a sole DNS provider. But is it feasible to have more than one DNS provider? Many businesses will say no because of the cost or the complexity it adds to the IT infrastructure.

Experts also point a finger at the manufacturers of the devices themselves. Compromised digital video recorders (DVRs) and IP cameras made by Chinese manufacturer XiongMai (XM) have been identified as the primary culprits. XM white-labels these components, which are sold down the line to many different vendors who use them in their own products. Again, we go back to the password issue. Shockingly, passwords are hardcoded into the firmware of these XM products and users are unable to change them. XM issued a statement on social media on the Monday after the attack, saying it would be issuing a recall on millions of devices, mainly its network cameras.

Now that the gate has been opened for large-scale attacks on things, we need to focus our attention on how to secure the quickly expanding world of IoT. Vendors of these devices need to, at the very least, ensure they are protected with dynamic passwords. But to really ensure something like the Mirai botnet isn’t able to infect these things, manufacturers must secure the communication between the devices, both from one device to another and from each device to the master device. So, how do we ensure communication is secure and will not be intercepted or altered? Basically, there are four critical points to consider, which are outlined below. And you can read much more about IoT security in our ebook, A Safer Internet of Things.

Four fundamentals to ensure IoT security:

  1. Authentication/Identification: Each device needs to reliably identify itself and prove that it can securely communicate with other devices in the system. This can be achieved using a combination of digital certificates and a hardware-based anchor of trust. Strong user authentication should also be implemented to control user access.
  2. Confidentiality: Encrypt all data, in physical networks, virtualized environments, the cloud, or in motion, to protect it from unwanted disclosure. Data encryption obscures vital information, making it useless even if it is compromised. Only authorized recipients will be able to decrypt the content.
  3. Integrity: It is important to protect data from unauthorized modification such as malicious code injections. Code signed with digital certificates can be used to verify the integrity of the data and make sure that the content has not been tampered with or altered during transmission.
  4. Non-Repudiation: This serves as irrefutable proof of the validity and origin of all data transmitted. Digitally signing documents and transactions using a hardware security device can provide strong non-repudiation for the date and origin of a transaction.
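As an added illustration of the integrity point above (and of the digital signing that non-repudiation relies on), not code from the original post or from Gemalto: a small Go program in which a vendor signs a firmware image and a device verifies it before installing. The ECDSA key is generated in memory for the demo and stands in for one held in an HSM; the firmware bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignFirmware hashes the image with SHA-256 and signs the digest with the
// vendor's private key. In production the key would live in an HSM; here an
// in-memory key is generated for the demo (assumption, not a real product key).
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyFirmware recomputes the digest on the device and checks the signature
// against the vendor public key baked into the device's trust anchor. It
// returns true only when the image is byte-for-byte what the vendor signed.
func VerifyFirmware(pub *ecdsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs a constructed firmware image, then shows that a single-bit
// modification (the kind an injected backdoor would cause) is rejected.
func Demo() (genuineOK, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	image := []byte("CONSTRUCTED-FIRMWARE-IMAGE v1.0") // constructed sample
	sig, err := SignFirmware(priv, image)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyFirmware(&priv.PublicKey, image, sig)

	tampered := append([]byte{}, image...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the image
	tamperedOK = VerifyFirmware(&priv.PublicKey, tampered, sig)
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := Demo()
	fmt.Println("genuine verifies:", g, "tampered verifies:", t, "err:", err)
}
```

A device that only installs images for which VerifyFirmware returns true cannot be repurposed by a botnet pushing its own code, even if an attacker knows the login password.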

The Mirai DDoS attack is a scary indicator of the weakness of some IoT security. But the good news is, certificate-based authentication, smart card solutions and Hardware Security Modules can help ensure safe communication between things and help prevent a Stephen King book from coming to life.

Blogger bio: Jennifer Dean, Enterprise Security, Gemalto
Jennifer Dean is a new member of the Gemalto team, having spent the past five years working in financial services. She is happily digging into the much more exciting world of digital security, including online authentication and the challenges IT professionals face to keep systems protected without completely antagonizing users.
