Last week we wrote about a massive DDoS attack on DYN.com that cut off access to Netflix, Amazon, and many other sites for users in large parts of the USA. Now we know that this was caused by IoT devices.
IoT (The Internet of Things) is a technology that is rolling out quickly. What this does is connect everything from smart home appliances to industrial machinery and even physical inventory to the cloud. The idea is to both monitor offices, homes, buildings, traffic, manufacturing, medical patients, and agriculture, but also control those devices.
IoT has taken off in recent years because of the plunging cost of technology and the growth of companies that have made it easier to connect many of these devices to their clouds. Companies exist to let manufacturers and other companies control hundreds or thousands of IoT devices from the cloud. Home IoT systems for the most part operate without a cloud central-control mechanism.
An IoT device is usually some kind of sensor, like humidity or motion, plus a computing card and controller. These computing cards are, for example, Raspberry Pi or Intel Edison computing cards that for the most part run some version of Linux. The cards are not much larger than a wallet.
Since they cards run Linux, they provide a perfect computing platform from which to launch a DDoS attack. The security problem is people often forget to change the password there or are not educated about doing that. The default userid is root with no password for the Edison. For the Raspberry Pi the default user is pi and the password is raspberry.
Consider two examples. The first illustrates a typical home automation system. The second is industrial.
In a home automation system, a user might use a PC to connect security cameras. These home automation systems can also control outdoor lighting and an irrigation system.
That was one of the first IoT ideas. Now there are IoT devices built specifically for the consumer market and people with zero computer skills. These include the Philips Hue light bulbs, refrigerators, and coffee makers.
In an industrial setting, a company might have a diesel powered air compressor running, for example, along a pipeline. Since this machine is far from any power source or network connection it uses a cellular modem to communicate with the IoT cloud. The machine has a gyroscope and accelerometer to detect vibration. It also has heat sensors. When the compressor increases its vibration that is a sign that its filter needs to be cleaned as the diesel engine is having to work harder. When it overheats, obviously that means the engine needs maintenance.
The compressor thus has an onboard Linux computer and a cellular modem. So it is connected to the public internet and could be used in a denial-of-service attack.
Other IoT devices do not have a computing card. And not all are connected to the internet.
There are many ways for IoT devices to connect to an IP network. Some do not connect to an IP network at all, but use other protocols. Those include z-Wave, ZigBee, BLE (bluetooth 4), etc. These are radio signals that are designed to travel only a few meters or centimeters. Some work in a mesh network, meaning they pass their signal to an adjacent device. The device at the end of the mesh network is connected to a router or gateway.
Z-Wave devices are mainly for home usage, like wireless doorbells, window sensors, remote control key fobs, and smart appliances. There are even smart baby diapers, that tell parents when the diaper is wet, and baby monitors.
ZigBee devices include electrical outlets that monitor power usage, door locks, remote controls, and carbon monoxide detectors.
These devices do not usually connect directly to the internet. So you could not launch a DDoS from there directly.
But other devices do. The Chinese maker of an IP camera took their 3.4 million devices off the market after the attack of two weeks ago after its operating system was shown to be subject to a malware attack. Of course once the device is in the field, the manufacturer cannot upgrade its operating system. However other IoT devices are designed to do precisely that, which is one reason the IoT cloud business exists.
The problem with the camera was, as with computing cards and WiFi routers, that users are not changing their default password. Obviously not many people are going to think about changing a password on a camera. Many will not even be aware that a camera has a password.
There is malware too that attacks wireless routers. Studies have shown that these routers become infected with malware within hours of being connected online.
The IoT attack was mainly using the Mirai Botnet, which is a network of 500,000 compromised IoT devices located mainly in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain, says Arbor Networks. It infects these devices by searching the internet for devices that have default passwords.
So the moral to this story is to change the default password on your devices lest they become part of a botnet army. But the problem here is the vast majority of people who buy security cameras do not know much if anything about network security. And there is nothing that security people can do to get these users to change those passwords. Worse, the internet DNS, UDP, and TCP protocols remain vulnerable to DDoS attacks and security vendors have not found a way to stop those.
So this is a problem with no short term solution, and really no long-term one either, as the internet protocols are not likely to change for many decades.