Bottom Line: Consumer IoT devices are being used for DDoS attacks launched from hundreds of thousands of connected devices. The infected devices lack even the most basic security measures, and in some cases device manufacturers are being held accountable. ISPs have useful visibility into network traffic and the IP addresses of offending devices, but responding is too costly and complex for them. Enterprises are vulnerable to both insider and external threats and require security solutions that use network monitoring, heuristics and machine learning techniques to identify and mitigate threats.
Consumers across the globe are eager to capitalize on the Internet-of-Things (IoT) to monitor, manage and control their electronic equipment over the Internet, through cloud services and from their smartphones. The range of consumer electronic devices being connected to the Internet is vast and includes surveillance cameras, smart televisions and DVRs, residential thermostats and other home convenience and security devices. These devices can be purchased from consumer electronics stores and provide convenient plug-and-play capabilities for rapid deployment. This seemingly ideal solution for consumers has created significant challenges for Internet security. Most notably, devices are often shipped with remote access capabilities enabled and with default administrative security credentials, which are seldom changed. Such devices are vulnerable to attack, with the attacker gaining access to the administrative functions of the device.
Once an attacker has access to a consumer electronic device, the attack surface depends on how well the device itself is protected. For example, devices can be protected if:
Unfortunately, however, these and other basic security features are commonly excluded from consumer electronic devices. Device manufacturers are incentivized to rapidly produce low-cost devices, with security largely being an afterthought.
While insecure IoT devices are vulnerable to a variety of attacks, including ransomware, reconnaissance and eavesdropping, the devices are also being weaponized to attack the Internet with Distributed Denial of Service (DDoS) attacks. Specifically, once an attacker has infected a sufficient number (i.e. tens or possibly hundreds of thousands) of IoT devices with command and control capabilities, an attack can be launched by having these devices flood traffic to critical Internet infrastructure, such as Domain Name System (DNS) servers. Since DNS servers are responsible for translating the names in URL addresses (such as https://www.google.com) into IP addresses (such as 22.214.171.124), many websites are disrupted when the servers are successfully attacked. For example, on October 21, 2016, Dyn, a DNS provider now owned by Oracle, was crippled by a massive DDoS attack, which impacted several high-profile websites including GitHub, Twitter, Reddit, Netflix and Airbnb. The attack was attributed to the Mirai botnet, which had spread itself across insecure IoT devices.
The Mirai botnet was not the first DDoS attack of its kind, but it gained widespread recognition because of the devastating and widely publicized impact it had on the Internet and on several high-profile consumer Internet services. Since the attack, the Mirai source code has been published as open source and is being adapted and incorporated into other malicious software. For example:
We believe that we have only seen the 'tip of the iceberg' of the IoT DDoS security threats, particularly as the industry marches towards the Internet-of-Everything. While it is impossible to eliminate IoT-led DDoS attacks, many of the attacks today are a consequence of basic vulnerabilities, most notably the poor management of security credentials and remote access functionality. In their defense, some device manufacturers have increased their attention towards device security, but more focus is needed on making security inherent to device designs.
Efforts have been made to place accountability with IoT device manufacturers for selling insecure products, making them potential lawsuit targets and forcing product recalls. For example, in October 2016, Xiongmai, an IoT device manufacturer, issued a product recall after it was discovered that many of its devices were behind DDoS attacks and that the products lacked basic security features, such as effective password management. By the time the vulnerability was discovered and product recalls initiated, it is believed that several million devices had been hacked. In January 2017, the United States Federal Trade Commission (FTC) took legal action against D-Link for allegedly not implementing adequate security in its wireless routers and Internet cameras. It is conceivable that the FTC case could set a precedent for legal action against other device manufacturers in the future.
The European Union (EU) has mooted a certification scheme to identify and label devices that it deems secure. However, we believe the challenge with this approach is that security vulnerabilities and attack vectors are continually changing. This makes it unlikely for a device that is secure at the time of manufacture to remain secure throughout its deployment lifecycle (which is often more than a decade). Furthermore, we believe that when devices are deemed secure by the EU's scheme, they might become targets for hackers.
Internet service providers (ISPs) can play a greater role in protecting the Internet from infected devices, since they have network traffic visibility and can associate their subscribers with IP addresses. However, device quarantining would be costly and complex for ISPs and difficult to manage given the volume and global distribution of attacks, and the complexities in pinpointing IPv4 devices that have alias addresses. Quarantining would also create customer service challenges and potentially have a negative impact on the ISPs' brand and market reputation.
As security stakeholders including security professionals, enterprises, service providers and technology companies respond to IoT security threats, new tools are being crafted and security taxonomies developed, see Exhibit 1. Security professionals are focusing attention towards the existential threats from IoT devices and methods to rapidly identify and mitigate the impact of attacks when they occur.
Enterprises are encouraged to monitor network traffic, recognizing the potential for both external and insider attacks. They are also encouraged to introduce strict security policies for IoT devices by ensuring that they are patched with the latest software updates and operate on independent subnets. Service providers are introducing technologies for monitoring application and network traffic to identify potential attacks. Emerging heuristics and machine learning solutions are playing an increasing role in security, and are needed to address the porous and dynamic security environment that is increasingly becoming a hallmark of the connected world.
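One heuristic of the kind described above, given here as an added example that is not part of the report: it assumes IoT devices sit on their own subnet (10.50.0.0/24, a constructed address) and that outbound flow records are collected, and it flags a device whose per-minute outbound volume jumps an order of magnitude above its own baseline, naming the destination it is flooding. All flow records and thresholds are constructed.

```python
"""Heuristic flood detection over flow records from a dedicated IoT subnet (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SUBNET = ip_network("10.50.0.0/24")  # assumed dedicated IoT subnet (constructed address)
WINDOW_S, LEARN_WINDOWS = 60, 2          # aggregation window; first windows form the baseline
RATIO, FLOOR_PKTS = 10.0, 5000           # alert if > RATIO x baseline and above an absolute floor

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto, packets)
SAMPLE_FLOWS = [
    (5,   "10.50.0.10", "203.0.113.5", 443, "tcp", 300),    # camera -> its cloud service
    (10,  "10.50.0.10", "10.50.0.1",    53, "udp",  20),    # camera -> internal resolver
    (15,  "10.50.0.20", "198.51.100.7", 443, "tcp", 100),   # thermostat -> cloud service
    (65,  "10.50.0.10", "203.0.113.5", 443, "tcp", 310),
    (70,  "10.50.0.10", "10.50.0.1",    53, "udp",  20),
    (75,  "10.50.0.20", "198.51.100.7", 443, "tcp", 100),
    (125, "10.50.0.10", "192.0.2.53",   53, "udp", 50000),  # camera floods an external DNS server
    (130, "10.50.0.10", "203.0.113.5", 443, "tcp", 300),
    (135, "10.50.0.20", "198.51.100.7", 443, "tcp", 100),
    (140, "10.1.2.3",   "192.0.2.53",   53, "udp", 50000),  # not on the IoT subnet: out of scope
]

def bucket_flows(flows):
    """Packets per (device, window) and destination, for sources on the IoT subnet only."""
    by_dst = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, dport, proto, pkts in flows:
        if ip_address(src) in IOT_SUBNET:
            by_dst[(src, ts // WINDOW_S)][(dst, dport, proto)] += pkts
    return by_dst

def detect_floods(flows):
    """Alert on windows whose outbound volume jumps far above the device's own baseline."""
    by_dst = bucket_flows(flows)
    totals = {key: sum(dests.values()) for key, dests in by_dst.items()}
    alerts = []
    for src in sorted({s for s, _ in totals}):
        windows = sorted(w for s, w in totals if s == src)
        learn = windows[:LEARN_WINDOWS]          # quiet-period windows define "normal"
        baseline = sum(totals[(src, w)] for w in learn) / len(learn)
        for w in windows[LEARN_WINDOWS:]:
            pkts = totals[(src, w)]
            if pkts > FLOOR_PKTS and pkts > RATIO * baseline:
                top_dst, top_pkts = max(by_dst[(src, w)].items(), key=lambda kv: kv[1])
                alerts.append({"device": src, "window": w, "packets": pkts, "baseline": baseline,
                               "top_destination": top_dst, "top_destination_packets": top_pkts})
    return alerts

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_FLOWS):
        print(alert)  # one alert: the camera's 50,300-packet window aimed at 192.0.2.53:53
```

The per-device baseline is what lets a single camera stand out; a subnet-wide threshold would be swamped by the aggregate of many quiet devices.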
Exhibit 1: Stakeholder security motivation, risks and mitigation
Source: 3GPP and Tolaga Research, 2017