Late last week we saw a particularly large DDoS attack against DNS provider Dyn which took down many of our favorite websites including Twitter, Amazon and Netflix. This attack has been getting a ton of attention due to its high profile victims and ultimately what experts are pointing to as the cause.
While investigations are still ongoing, many are attributing the attack to a new botnet of “Internet of Things” devices. As an IoT vendor, this is obviously not something we want to hear. But looking a bit deeper, I began to wonder – is the IoT really to blame? Let’s look at what we know.
The origin of most of the botnet traffic seemed to be generated by the new Mirai malware which primarily targets IoT devices – not a great start. While it is true that IoT devices seemingly were turned into bots for this attack, it’s important to note that they were not the cause of this attack. Mirai doesn’t care if a device is “IoT” or not, but rather looks for devices that are accessible to the public internet with weak login credentials – showing us the true culprit – weak access and security credentials.
In further examination of Mirai we noticed that most of the affected devices were not what we would normally think of as modern IoT devices like a Nest thermostat or Lutron lighting system. In fact, many of the “devices” that are targeted by Mirai are things that everyone already has as part of their home network — internet routers, modems, printers, and DVRs. The designers of Mirai are taking advantage of long known vulnerabilities of older technologies that have been working on the IoT for years. The reason being is that smart cybercriminals would rather focus on devices with widespread adoption that most of us don’t think twice about – why? Because they are unsuspecting and unassuming. No one thinks their DVR could be a vehicle for a mass take down. The truth is if it is connected to the Internet it is vulnerable to security breaches. But that is true for all technology not just this new wave of IoT devices.
If anything, what happened last week should be a real eye-opener for companies looking to connect their products. As the IoT industry matures and adoption becomes more widespread these devices very well could become targets for cybercriminals – and we need to be ready. Security has become more and more paramount and security breaches continue to reinforce the need for rigorous security assessments at the outset of any IoT project. If we’ve learned one thing from this attack and the others before it, it’s this – security shortcuts, like weak authentication, only lead to long term headaches. Consumer confidence gets shaken and can ultimately lead to debilitating consequences for an entire industry.
While no one is denying that last Friday’s DDoS was not the best day for internet users I urge us to be careful before attaching the blame fully on the IoT. It’s possible for us to build a vast ecosystem of connected devices and keep them secure. All we need is the right priorities, right tools and the right processes.