In my previous two posts, DDoS and The Broken Internet and The Internet of Hacked Things, we discussed how critical flaws in key services and internet infrastructure easily allow attackers to cripple large portions of the internet, and highlighted how IoT is really the Internet of Vulnerable Things, because manufacturers and consumers fail to properly secure these devices. Those devices are then easily gathered into massive botnets, which can be used to exploit the cracks in our infrastructure’s armor.
For all we know, Mirai, or some other massive botnet, could suddenly become self-aware, and then we’re on the path to Skynet and Judgement Day, right?
Now we know what the problem is. So, how do we fix it before we are forced to bow to our IoT overlords?
Who is ultimately responsible?
Some of you wondered if this was an engineering versus marketing problem: the classic battle between engineers and designers who want their product polished and ready for market, and marketing execs who just want the revenue from getting the product on the shelves as quickly as possible, a few flaws be damned. Nobody can deny the rapid and unfettered uptake of these devices, which now number several million in the wild.
Others blamed the consumer, the person purchasing and installing the IoT devices without “reading the fantastic manual” and properly securing the device from the treacheries of the internet. A problem born of ignorance. How could we expect the average non-techie consumer to be aware of SSL vulnerabilities?
Security of the IoT, and of key internet services as a whole, has to be handled with a layered approach. Everyone involved, from the designer and manufacturer to the consumer and network operator, should be doing their part to secure their own piece of this puzzle, so that it no longer contributes to the massive DDoS attacks that destabilize large sections of the internet.
Designers have to balance ease of use and convenience with security. While it might be convenient to have Telnet and HTTP services on a device, so users can easily configure or manage these IP-enabled devices, it’s irresponsible to have these types of unsecured services exposed to the internet, often with well-documented default passwords. At a minimum, encrypted services like SSH and HTTPS should be used, and the use of default passwords should require a forced change. Hard-coded passwords that cannot be changed are a major foul. Ensuring the use of the most recent and patched versions of these protocols should also be required.
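The design rules above, written as a small configuration audit (an added example, not code from the original post or any vendor): a device's management-service settings are checked for cleartext Telnet/HTTP exposed to the internet, hard-coded or default credentials without a forced change, and obsolete TLS versions. The config structure, the default-credential list and the two sample devices are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed factory-default credential list (hypothetical, for illustration).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
PLAINTEXT_SERVICES = {"telnet", "http"}   # cleartext management services
OK_TLS = {"TLSv1.2", "TLSv1.3"}           # currently acceptable TLS versions


@dataclass
class DeviceConfig:
    services: dict               # name -> {"enabled": bool, "wan": bool}
    username: str
    password: str
    password_changeable: bool
    force_change_on_first_login: bool
    tls_versions: set = field(default_factory=set)


def audit(cfg):
    """Return the list of findings; an empty list means the config passes."""
    findings = []
    for name, svc in cfg.services.items():
        if name in PLAINTEXT_SERVICES and svc["enabled"] and svc["wan"]:
            findings.append(f"{name} exposed to the internet unencrypted")
    if not cfg.password_changeable:
        findings.append("hard-coded password cannot be changed")
    if (cfg.username, cfg.password) in DEFAULT_CREDS and not cfg.force_change_on_first_login:
        findings.append("default credentials without forced change on first login")
    obsolete = cfg.tls_versions - OK_TLS
    if obsolete:
        findings.append("obsolete TLS versions enabled: " + ", ".join(sorted(obsolete)))
    return findings


# Constructed example configs: a typical camera-style default, and a fixed one.
INSECURE = DeviceConfig(
    services={"telnet": {"enabled": True, "wan": True},
              "http": {"enabled": True, "wan": True}},
    username="admin", password="admin",
    password_changeable=False, force_change_on_first_login=False,
    tls_versions={"TLSv1.0", "TLSv1.2"},
)
SECURE = DeviceConfig(
    services={"ssh": {"enabled": True, "wan": False},
              "https": {"enabled": True, "wan": True}},
    username="admin", password="admin",
    password_changeable=True, force_change_on_first_login=True,
    tls_versions={"TLSv1.2", "TLSv1.3"},
)
```

Running `audit(INSECURE)` yields five findings, while `audit(SECURE)` passes even though it ships with a default password, because the password is changeable and the change is forced on first login.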
What about a governing body, like the FCC in the United States, or the CRTC in Canada, getting involved to qualify these devices? We’ve all seen the FCC/CRTC stickers on wireless devices, showing the devices meet standards set forth by these agencies, certifying them for use under proper regulations. Why can’t we apply this model to IoT devices, and require they are put through a proper vetting and testing process before being allowed to market? This would keep designers and marketing execs accountable for the products they are putting on shelves, and give the average consumer some comfort in knowing they aren’t inadvertently adding to the problem when purchasing one of these devices.
Service Providers of all types (Internet, DNS, Hosting) need to ensure their infrastructure is not only secure, but resilient, and able to mitigate DDoS attacks before they ever impact their customers. This means investment in their infrastructure and careful monitoring of traffic flow across and through their networks. Top tier providers really have no excuse; they know they are high priority targets, and they should do everything in their power to prevent the negative impact of these attacks.
Enterprise network operators rely heavily on their Service Provider partners to perform their due diligence and clean up a lot of the internet trash thrown their way before it even hits their network edge. That doesn’t remove their own responsibility, however, and enterprise networks should be designed and built with as much resiliency as possible, so that if one of their service providers is attacked, or any attack traffic gets through directly to them as a target, there are backup services in place to allow uninterrupted business traffic flow.
Don’t be part of the problem! Monitoring your own network for compromised endpoints is also critical. Tools such as SolarWinds’ Log & Event Manager can assist with identifying traffic aimed at botnet CnC servers, and identify compromised devices that you can then patch or remove.
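The kind of detection described above, as an added example that is not code from the original post or from SolarWinds: constructed NetFlow-style log lines are scanned for internal hosts that contact a CnC watchlist, and for hosts that fan out to many destinations on Telnet, the way a Mirai-infected device hunts for the exposed Telnet services discussed earlier. The watchlist addresses, the log lines and the fan-out threshold are all constructed placeholders, not real indicators.

```python
from collections import defaultdict

# Constructed CnC watchlist (documentation-range placeholders, not real indicators).
C2_WATCHLIST = {"203.0.113.7", "198.51.100.42"}
TELNET_PORTS = {23, 2323}
FANOUT_THRESHOLD = 20   # distinct Telnet destinations per source (assumed tuning)

# Constructed sample flow records: "src dst dport bytes", one per line.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.7 443 512
10.0.0.5 203.0.113.7 443 498
10.0.0.9 93.184.216.34 443 2048
10.0.0.9 203.0.113.8 23 60
""" + "\n".join(f"10.0.0.23 192.0.2.{i} 23 60" for i in range(1, 31))


def parse(log_text):
    """Yield (src, dst, dport, bytes) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, nbytes = parts
        yield src, dst, int(dport), int(nbytes)


def find_compromised(log_text, fanout_threshold=FANOUT_THRESHOLD):
    """Return {source_ip: reason} for hosts that look botnet-infected."""
    suspects = {}
    telnet_dests = defaultdict(set)
    for src, dst, dport, _ in parse(log_text):
        if dst in C2_WATCHLIST:
            # Any contact with a known CnC server is enough on its own.
            suspects[src] = f"contacted CnC server {dst}"
        if dport in TELNET_PORTS:
            telnet_dests[src].add(dst)
    for src, dests in telnet_dests.items():
        # One Telnet session is normal admin work; dozens of distinct
        # destinations from one host is scanning behaviour.
        if len(dests) >= fanout_threshold:
            suspects.setdefault(src, f"telnet fan-out to {len(dests)} hosts")
    return suspects
```

Hosts the function returns are the ones to pull off the network and patch or replace; a host with a single Telnet connection (10.0.0.9 in the sample) is not flagged.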
A microcosmic layered approach is beneficial as well. A first line of defense that includes cloud services that scrub and pre-filter traffic, followed by deeper layers of defense such as load balancers, firewalls, IPS, and application filters/firewalls, are all pieces of the protection puzzle that should be integrated.
It’s unlikely that the folks behind massive DDoS attacks like the ones aimed at Brian Krebs, Dyn, or Akamai are going to get bored and stop on their own. It’s equally unlikely that we’ll ever find a single magic bullet that fixes all of the issues with our underlying infrastructure. So, we need to plan for these flaws and ensure that everyone involved has some measure of protection, and that the majority of the malicious traffic can be dumped or filtered out before it has any major impact on the end-user or customer. This can only be accomplished with a multi-faceted approach at all levels of the internet.
We’ve seen attacks over 600Gbps, and current projections of the Mirai botnet speculate that attacks exceeding 1Tbps are presently possible. It seems to be an arms race, and the only way to stop the attackers from continuing to gain strength (literally) in numbers is to secure IoT as much as possible and limit the attack surface of our own networks.
Are there any other individuals and/or groups that need to be held accountable for the security of IoT?