In the last few years, distributed denial of service (DDoS) attacks have increased in sophistication and size. In fact, last month’s attack on Dyn DNS demonstrated the impact DDoS attacks can have on the Internet at large, affecting the availability of such sites as PayPal, Twitter, Amazon and Netflix, to name a few.
Much of the coverage centered on the Mirai botnet used to carry out the attack. Mirai is the first major example of Internet of Things (IoT) devices being used to carry out widespread DDoS attacks. Given the proliferation of IoT devices, conventional wisdom holds that attacks facilitated by IoT devices will dramatically increase in the future.
But is this really true?
The term "Internet of Things" encompasses a diversity of devices, including everything from smart TVs to wireless-enabled pacemakers to networked industrial control systems. In the Dyn attack, Mirai targeted IoT devices running a common set of firmware with unchangeable log-in credentials. In particular, Mirai leveraged closed-circuit television (CCTV) and related systems produced by a single manufacturer, Hangzhou Xiongmai Technology. From KeyW’s experience, the IoT systems that make up Mirai differ from most modern IoT systems in two very important ways—network protection and cloud-based services.
CCTV systems monitor facilities and people. Originally, these systems fed data to a central monitor that had to be physically watched or fed to tape. Over time, they gained Internet Protocol stacks, allowing users to monitor cameras remotely. However, to facilitate access, many systems are placed directly on the Internet without a firewall or Network Address Translation (NAT) for protection, opening them up to remote attack. And in the case of CCTV systems, hard-coded usernames and passwords make remote compromise trivial, thereby facilitating their use in a botnet.
Mirai is formed from directly connected devices. By contrast, IoT refrigerators, TVs, pacemakers and light bulbs are primarily behind firewalls or may not even have the ability to connect to the Internet at large. While some modern IoT devices will be placed directly on the Internet, this is, by far, the exception and not the norm.
The power in many modern IoT devices isn’t in the device itself but in the device’s connectedness to cloud-based services. Although the Mirai CCTV systems were designed to be accessed over the Internet, other systems, such as Google’s Nest, let the device and users connect to a cloud service that allows remote monitoring. Smart TVs, cars, smart watches and intelligent light bulbs all rely on a central cloud-based service to provide their IoT magic.
Cloud services are a new attack surface to be exploited. While it’s unlikely they’ll be used to create a botnet, these central services are keystones in an IoT system’s overall security. A cloud service with vulnerabilities can compromise every device and every user of the IoT product it serves.
Put in simpler terms, exploiting a weakness in a refrigerator that requires you to be on the same physical network, in order to spoil all of the food in a single refrigerator, is interesting. Compromising the cloud service that the refrigerator talks to, in order to spoil all of the food in all of the refrigerators, is dangerous.
The Mirai botnet brought concerns about IoT security to a new level of prominence. However, we shouldn’t let the specifics of Mirai affect our thinking about IoT security. Although the current risk of DDoS—because of poor device security—is interesting, it’s not the long-term risk we should associate with IoT devices.
Centralized services that make IoT useful and compelling to consumers are the real risk in IoT architectures. Risks due to endpoint vulnerabilities must still be managed, because attackers who get behind a firewall can leverage them for lateral movement and persistent access. Organizations must ensure the security of both endpoints and central services to avoid letting security concerns interfere with the opportunities that IoT presents.
KeyW has years of experience in securing systems of all shapes and sizes, including working with small and large organizations alike to develop and deploy secure IoT products. Shoot us an email if you’re interested in furthering the discussion or offering another point of view.