The attack on Krebs serves as a wake-up call to the security threats of IoT and firmware

DDoS attacks are nothing new, nor is it new for Krebs on Security to be a target, but the recent attack that forced the site off the network is reported to have been powered entirely by internet of things devices.

Stephen A. Ridley, a former U.S. Defense offensive security researcher and founder of the IoT cybersecurity company Senrio, said that's no surprise. "This should serve as a serious wake up call that IoT has a serious security problem," Ridley said.

The world of IoT has caught a lot of attention for the vulnerabilities found in network-embedded devices, often referred to as 'inherent' vulnerabilities. But are they really inherent? If manufacturers are unable to arm their developers with the right tools and security protocols to build devices with security in mind, isn't that human error? Perhaps.

"There's nothing specifically about IoT that makes it more vulnerable, but the operating systems on laptops and servers have gone through a decade of end point security," said Ridley. IoT, however, is more akin to the systems used on desktops and servers in the 90s. Because the devices are inherently smaller, their operating systems have to do less. Ridley said, "The protection mechanisms we use in modern day operating systems are not used by embedded systems."

Because security is not front of mind, or even on the mind at all, enterprises are left dealing with the clean-up after breaches or looking to others for help when they are the victims of an attack. Rather than post-attack remediation, Ridley said there are baseline steps that can be taken to provide better security around building devices.

"We make recommendations through five points. We have found that in looking at these devices we can condense fixes into five major categories," Ridley said.
What are those steps?

1. Improve hardware security. Hardware manufacturers are not thinking about vulnerabilities in hardware as a way for an attacker to easily get at the software.

2. Firmware security. Perform firmware audits and protect the boot process. The great security success of the iPhone is that the iOS that boots inside the iPhone is closely coupled to the hardware. This makes it difficult for attackers to run their own code. That level of security is only possible through a secure boot and custom hardware.

3. Figure out how to do secure firmware updates. When a vulnerability is found in an embedded device and a patch is made available, the reported update rate is somewhere around 10 percent. Firms need to figure out ways to reliably perform updates.

4. Code reuse. A lot of these embedded devices use custom code made by the manufacturers themselves or by third-party software modules that do specific things. A small piece of code with a vulnerability that is reused throughout a product line can turn one vulnerability in a commonly used component into an exploitation across thousands of devices. Perform more audits and think about risk. Ask what happens if a vulnerability is found, and then prioritize which code to audit based on the frequency of use. (Side note: the suggested SDLC frequency is that code audits happen at every change of the code base.)

5. Continuous monitoring. Unlike PCs, where servers or desktops are compromised with malware, embedded devices are compromised through abuse, misuse, or misconfiguration. Monitoring devices and the way they behave becomes critical.

Ridley said, "Unlike PCs these embedded devices are a little more ubiquitous, which puts the burden of security on the users of those devices. A recurring update feature is an operational cost. Many manufacturers are rushing product to market and not thinking about how to support that product in the future."

There are also manufacturers who are being negligent, and some other devices that have a challenging environment for updates. "Some medical technology can't perform updates without it going through another quality release process. That's an on premises cost, so you sometimes see low adoption with patches," Ridley said.

So who is taking all of these steps across the different sectors of the security industry? Apparently very few. "There are some people doing things right. Some sectors do two or three, but then they get the others really wrong. It's hard to find a great example of sectors doing all the stuff really well."

Though many sectors of the industry do pieces well, they are not doing comprehensively well, and Ridley said, "Consumer is the worst sector. They need the product to be cheap, so they rush to market."

Maybe the revelation of the devastation of an attack powered entirely by IoT will alarm developers and manufacturers across all sectors to make security an IoT priority.
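Points 2 and 3 above (protect the boot process, do secure firmware updates) come down to a device refusing to install anything it cannot authenticate. The following is an added example written for this page, not code from the article, Senrio, or any vendor: a device-side check that verifies a signed update manifest, confirms the image hash the manifest vouches for, and refuses downgrades so an attacker cannot push an older, vulnerable build back onto the device. The manifest format, product name, key and firmware bytes are all constructed for the example, and the manifest is authenticated with HMAC-SHA256 under a shared key purely as a standard-library stand-in; a real device would verify an asymmetric signature so that it only ever holds the vendor's public key.

```python
"""Device-side verification of a firmware update package.

Added example (not from the article or Senrio). Checks, in order:
  1. the manifest is authentic (stand-in: HMAC-SHA256 under a vendor key),
  2. the manifest is for this product,
  3. the version is strictly newer than what is installed (anti-rollback),
  4. the image bytes hash to the value the signed manifest vouches for.
Nothing is written to flash unless every check passes.
"""
import hashlib
import hmac
import json

# Constructed sample values: placeholder key, product and image, not real ones.
VENDOR_KEY = b"constructed-vendor-update-key"
PRODUCT_ID = "example-camera-v2"
INSTALLED_VERSION = 7                      # what the device currently runs
FIRMWARE_IMAGE = b"\x7fELF constructed firmware image bytes"


def canonical(manifest: dict) -> bytes:
    """Canonical JSON so vendor and device authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, manifest: dict) -> str:
    """Vendor side. HMAC is a stdlib stand-in for an asymmetric signature."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(key: bytes, product: str, version: int, image: bytes) -> dict:
    """Vendor side: package = signed manifest + image. Only the manifest is signed;
    the image is bound to it through its hash."""
    manifest = {
        "product": product,
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "sig": sign_manifest(key, manifest), "image": image}


def verify_update(package: dict, key: bytes, product: str, installed_version: int):
    """Device side. Returns (ok, reason). Signature is checked before any field
    of the manifest is trusted, and the version check runs before the (costly)
    image hash so a replayed old package is rejected cheaply."""
    manifest = package.get("manifest", {})
    expected_sig = sign_manifest(key, manifest)
    # Constant-time compare: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected_sig, str(package.get("sig", ""))):
        return False, "manifest signature invalid"
    if manifest.get("product") != product:
        return False, "manifest is for a different product"
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "rollback refused: version not newer than installed"
    if hashlib.sha256(package.get("image", b"")).hexdigest() != manifest.get("sha256"):
        return False, "image hash does not match signed manifest"
    return True, "ok"


if __name__ == "__main__":
    good = build_update(VENDOR_KEY, PRODUCT_ID, 8, FIRMWARE_IMAGE)
    print("genuine v8:", verify_update(good, VENDOR_KEY, PRODUCT_ID, INSTALLED_VERSION))
    tampered = dict(good, image=good["image"] + b"\x00")
    print("tampered image:", verify_update(tampered, VENDOR_KEY, PRODUCT_ID, INSTALLED_VERSION))
    rollback = build_update(VENDOR_KEY, PRODUCT_ID, 6, FIRMWARE_IMAGE)
    print("old v6 replay:", verify_update(rollback, VENDOR_KEY, PRODUCT_ID, INSTALLED_VERSION))
    forged = build_update(b"not-the-vendor-key", PRODUCT_ID, 9, FIRMWARE_IMAGE)
    print("forged manifest:", verify_update(forged, VENDOR_KEY, PRODUCT_ID, INSTALLED_VERSION))
```

The ordering matters: the signature is verified before any manifest field is read, so product and version are only trusted once the manifest is known to be authentic, and the anti-rollback floor is what stops a valid but old package from being replayed to reintroduce a patched bug.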
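Point 5, continuous monitoring of how devices behave, is the control that would have surfaced a fleet of cameras and DVRs suddenly flooding a target. The following is an added example written for this page, not code from the article or Senrio: it learns a per-device baseline (which destinations a device normally talks to, and its usual outbound packet rate) from a window of flow summaries, then flags later records that depart from it. The log format, the device names, the TEST-NET addresses and the 10x rate threshold are all constructed assumptions for the example; a real deployment would feed it NetFlow, firewall or router logs and tune the threshold per device class.

```python
"""Behavioural baseline monitoring for embedded devices.

Added example, not from the article. Learns what each device normally does
from a baseline window and alerts on departures: a destination/port the
device has never used, an outbound rate far above its own mean, or a device
with no baseline at all. Malformed lines are skipped, not fatal.
"""
import re
from collections import defaultdict
from statistics import mean

# Assumed one-line-per-flow-summary format: "<ts> <device> dst=<ip> port=<n> pkts=<n>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) pkts=(?P<pkts>\d+)$"
)

# Constructed baseline window: the camera talks to its vendor cloud and NTP,
# the DVR only to the vendor cloud. Addresses are RFC 5737 documentation ranges.
BASELINE_LOG = """\
2016-09-20T10:00:00Z cam-01 dst=203.0.113.10 port=443 pkts=120
2016-09-20T10:01:00Z cam-01 dst=203.0.113.10 port=443 pkts=110
2016-09-20T10:02:00Z cam-01 dst=203.0.113.20 port=123 pkts=4
2016-09-20T10:00:00Z dvr-02 dst=203.0.113.10 port=443 pkts=90
2016-09-20T10:01:00Z dvr-02 dst=203.0.113.10 port=443 pkts=95
"""

# Constructed live window: the DVR starts hammering two hosts it never spoke to.
LIVE_LOG = """\
2016-09-21T10:00:00Z cam-01 dst=203.0.113.10 port=443 pkts=115
2016-09-21T10:00:00Z dvr-02 dst=198.51.100.7 port=80 pkts=40000
2016-09-21T10:01:00Z dvr-02 dst=198.51.100.8 port=80 pkts=38000
2016-09-21T10:01:00Z dvr-02 dst=203.0.113.10 port=443 pkts=90
this line is deliberately malformed and must be skipped
"""


def parse(text: str) -> list:
    """Parse flow-summary lines; silently drop lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["pkts"] = int(rec["pkts"])
        records.append(rec)
    return records


def learn_baseline(records: list) -> dict:
    """Per device: the set of (dst, port) pairs seen and the mean pkts per record."""
    dests = defaultdict(set)
    rates = defaultdict(list)
    for r in records:
        dests[r["dev"]].add((r["dst"], r["port"]))
        rates[r["dev"]].append(r["pkts"])
    return {dev: {"dests": dests[dev], "mean_pkts": mean(rates[dev])} for dev in dests}


def detect(baseline: dict, records: list, rate_factor: float = 10.0) -> list:
    """Return (ts, device, reason) alerts for records that depart from baseline."""
    alerts = []
    for r in records:
        b = baseline.get(r["dev"])
        if b is None:
            alerts.append((r["ts"], r["dev"], "unknown device, no baseline"))
            continue
        if (r["dst"], r["port"]) not in b["dests"]:
            alerts.append((r["ts"], r["dev"], f"new destination {r['dst']}:{r['port']}"))
        if r["pkts"] > rate_factor * b["mean_pkts"]:
            alerts.append((r["ts"], r["dev"],
                           f"outbound rate {r['pkts']} pkts is over {rate_factor:g}x baseline"))
    return alerts


def run() -> list:
    """Learn from the baseline window and evaluate the live window."""
    return detect(learn_baseline(parse(BASELINE_LOG)), parse(LIVE_LOG))


if __name__ == "__main__":
    for ts, dev, reason in run():
        print(f"{ts} {dev}: {reason}")
```

Only the DVR trips alerts: its two flows to unfamiliar hosts raise both a new-destination and a rate alert each, while its normal vendor-cloud flow and the camera's traffic stay quiet. A per-device baseline is the point; a single fleet-wide threshold would either drown in noise from chatty devices or miss a quiet device that starts talking.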