Lane Thames, Software Development Engineer and Security Researcher
Tripwire's Vulnerability and Exposure Research Team (VERT)
Over the last few months, the cybersecurity industry has been observing some very interesting trends, including an uptick in distributed denial of service (DDoS) attacks with unprecedented volumes of associated traffic. Moreover, these attacks are not taking advantage of amplification techniques, which have been the most prevalent type of DDoS attack in recent years. Instead, the attacks simply flood links with traffic generated directly by the attacking sources, the traditional way of implementing a DDoS. Lastly, and most concerning, the attack traffic has largely originated from Internet of Things (IoT) devices in all corners of the globe.
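The distinction above (reflected amplification versus direct flooding from the sources) is something a defender can read straight out of flow records. The following is an added example, not code from the original post or from Tripwire: it classifies a batch of flow records aimed at one victim as amplification or direct flood. The sample flows are constructed inline, and the heuristics (the reflector port list, the 512-byte average packet size, the 80% share and 1,000-source thresholds) are assumptions chosen for illustration, not published signatures.

```python
# Added example (not from the original post): tell reflection/amplification
# traffic apart from a direct volumetric flood using only flow-record fields.
from collections import Counter

# UDP services commonly abused as reflectors. The attacker spoofs the victim's
# address in the request, so the victim sees the reflector's service port as the
# *source* port of the incoming reply traffic. (Assumed list for this example.)
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "chargen", 11211: "memcached"}


def classify_flows(flows, amp_share=0.8, direct_min_sources=1000):
    """Summarise flow records (dicts: proto, src, sport, dport, bytes, pkts).

    Returns byte totals per class, distinct source counts, a per-service
    breakdown of reflected traffic, and a verdict string.
    """
    amp_bytes = direct_bytes = 0
    amp_sources, direct_sources = set(), set()
    per_service = Counter()
    for f in flows:
        avg_pkt = f["bytes"] / max(f["pkts"], 1)
        # Reflected replies arrive from a well-known service port and are large
        # (that is the point of amplification). Direct floods come from arbitrary
        # ephemeral ports and are usually small SYN/UDP packets.
        if f["proto"] == "udp" and f["sport"] in AMPLIFIER_PORTS and avg_pkt >= 512:
            amp_bytes += f["bytes"]
            amp_sources.add(f["src"])
            per_service[AMPLIFIER_PORTS[f["sport"]]] += f["bytes"]
        else:
            direct_bytes += f["bytes"]
            direct_sources.add(f["src"])
    total = amp_bytes + direct_bytes
    if total == 0:
        verdict = "no-traffic"
    elif amp_bytes / total >= amp_share:
        verdict = "amplification"
    elif direct_bytes / total >= amp_share and len(direct_sources) >= direct_min_sources:
        # Many genuine sources, no reflector in the path: the IoT-botnet pattern.
        verdict = "direct-flood"
    else:
        verdict = "mixed"
    return {
        "verdict": verdict,
        "amp_bytes": amp_bytes,
        "direct_bytes": direct_bytes,
        "amp_sources": len(amp_sources),
        "direct_sources": len(direct_sources),
        "per_service": dict(per_service),
    }


def _ip(i):
    """Deterministic, constructed source address for the sample data."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


# Constructed sample 1: DNS reflection from 300 open resolvers, ~3 KB replies.
REFLECTION_SAMPLE = [
    {"proto": "udp", "src": _ip(i), "sport": 53, "dport": 40000 + (i % 1000),
     "bytes": 3000 * 20, "pkts": 20}
    for i in range(300)
]

# Constructed sample 2: direct flood from 5,000 distinct devices sending small
# SYN/UDP packets from ephemeral ports straight at the victim's web port.
DIRECT_SAMPLE = [
    {"proto": "tcp" if i % 2 else "udp", "src": _ip(100000 + i),
     "sport": 1024 + (i % 60000), "dport": 80, "bytes": 60 * 500, "pkts": 500}
    for i in range(5000)
]

if __name__ == "__main__":
    for name, sample in (("reflection", REFLECTION_SAMPLE), ("direct", DIRECT_SAMPLE)):
        print(name, classify_flows(sample))
```

The size check matters: one of the constructed direct-flood sources happens to use ephemeral port 1900 over UDP, and only the small average packet size keeps it from being miscounted as SSDP reflection. In real flow data you would also want to confirm that the reflector addresses really are open services, since a botnet can simply bind its floods to low source ports.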
We have known for a long time that IoT devices would eventually come into play in the cybersecurity game. On average, IoT devices are inexpensive, and this is driven by their target market, which today is mostly made up of home users. As a result, manufacturers have little financial margin to invest in building IoT devices with higher levels of security, as this is an expensive process.
The average consumer of a modern IoT device is not a technologist who understands how to secure a network-connected device. So, if an IoT device does have a security control, for example authentication via a username and password, it is usually not configured correctly by the end user (left at the factory default, for instance). Further, being inexpensive means that larger numbers of devices will be purchased by the consumer market, which leads to scale. Security practitioners have known for a while now that massive numbers of inexpensive and highly insecure IoT devices were going to start popping up all over the Internet. That time has now come to pass. It has brought us to a point of computational scale that, if leveraged successfully by cyber criminals, can lead to massive disruption of service across the Internet ecosystem. Unfortunately, it appears that cyber criminals are indeed able to leverage this computing power.
The recent DDoS events of the past few months were spurred by IoT botnet malware source code that was released back in 2015. You might have heard the names BASHLITE, Lizkebab, or Gafgyt; these are various names for the botnet malware and its variants. This code was used to create the so-called LizardStresser botnet, whose success inspired many other cybercrime organizations to pursue similar endeavors. In September, one of these botnet malware variants was used to launch a massive attack targeting the well-known security blogger Brian Krebs, with traffic volume surpassing 620 gigabits per second.
A few days after the attack on Krebs, source code for new IoT botnet malware named Mirai was released, and this led to yet another very large-scale DDoS attack in October that targeted Dyn, a technology company that provides DNS and other Internet services. The attack disrupted Dyn's ability to provide DNS to its customers, which in turn caused websites such as Twitter, Amazon, Reddit, and Spotify to become unavailable because their names could no longer be resolved.
DNS is critical infrastructure for the Internet. The thought of a bunch of web cameras, routers, WiFi switches, and such (i.e., IoT devices) being able to take down systems that are vital to the Internet is just downright scary. These botnets have been successful enough to encompass hundreds of thousands (and some speculate over 1 million) of IoT devices. Consequently, with a cyber army this large, it is no surprise that we are seeing such unprecedented rates of DDoS attack traffic, enough to break part of our Internet infrastructure. Unfortunately, the situation will not abate but will likely get worse, because more and more IoT devices will continue to come online, and device security is not likely to move in the right direction for quite some time.
Where Do We Go From Here?
Building a highly secure device is not easy; security is a hard problem. In order to make headway, we must focus on the two main aspects: the technology component and the human component. Overall, the cybersecurity industry is making progress advancing the technology needed to alleviate various aspects of security pain points. However, until society starts to address the human component of this problem, the good guys in this game will continue to lag behind the bad guys.
How should society address the human component? One solution: education. At this time, our educational ecosystem is really failing in this area. Indeed, there are good educational programs out there for those who want to work in the cybersecurity industry. However, I believe that we have to go further. Living in the highly digital and interconnected world of near tomorrow, enabled by the IoT, is much different than the connected world we live in today. In the near future, IoT devices and, more importantly the data collected and processed by IoT devices, will influence our lives in a way that is hard to even predict.
The DDoS attacks mentioned above are scary, but they are just low-hanging fruit. The really scary scenario is when the bad actors figure out how to exploit the data-driven aspects of tomorrow's IoT, the same data-driven aspects that will influence our every action.
If we want to make an impact on the cybersecurity of our future world driven by IoT devices and associated data, we have to dive deeper into the human component. In the short term, we have to start teaching our children the consequences of using digital technology. In the long term, we must enhance our curricula, especially those in Science, Technology, Engineering, and Mathematics (STEM) programs. I believe that cybersecurity fundamentals should be incorporated into the curricula with the same vigor and pervasiveness as math, physics, and chemistry.
We cannot make a dent in this problem by just teaching a few cybersecurity professionals about how to protect us. Though this is important, we also must start teaching those who will be developing the IoT technology of tomorrow the basics and fundamentals of cybersecurity. For example, if a designer makes a decision to incorporate some type of cyber technology into some gadget, they should understand the security implications of that decision. If everyone involved understands the problem, then creating new technologies with security considered at inception will become commonplace and the result will be a more secure IoT.
Lane Thames is a software development engineer and security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems, along with vulnerability detection and management software. He also spends time looking for new vulnerabilities, contributing to the Tripwire State of Security blog, and understanding emerging cybersecurity threats.
For more information visit www.tripwire.com/vert