On Friday October 21st a massive Denial of Service (DDoS) attack knocked out the servers of DNS provider Dyn, taking out most of the internet with it. Dyn provides DNS services, mapping IP addresses to URLs. Without their mapping, websites cannot render the requested information. Dyn underwent 3 attack waves, with the first starting at 7AM and ending at 4PM. For the duration of the attack, internet in most of the Eastern seaboard was down.
Dyn routinely experiences DDoS attacks, but this one was unusual in its severity. What made it so harsh? Attackers used an open source malware called Mirai. Mirai infected an army of Internet connected devices, and they attacked Dyn in concert.
So is this an inherent IoT vulnerability?
The majority of Mirai infected devices were security cameras, routers and devices that have been in our networks for a while. The vulnerable ones are set to default user and password combinations. The way the hackers worked in this case was by pushing the malware into the devices via firmware updates. They disassembled the current firmware of the most popular cameras, added their own code to it, and updated the firmware on the cameras by using easy default passwords.
If the cameras/devices were running Axonize’s SDK to connect to the cloud, the end users would have received a warning when the malware infected firmware was uploaded to the device. Axonize uses a checksum to verify that the uploaded firmware is indeed the original file.
In addition, with Axonize the whole firmware update process is reported from the device back to the cloud. The Axonize cloud security mechanism can identify unusual behavior, like unplanned firmware updates processes or a large amount of upgrades in a short period, and so forth.
The Axonize SDK can also allow you to define a whitelist for outgoing requests, thereby ensuring that your devices don’t take part in a DDoS attack.
Another security measure you can set up in Axonize, is tracking system performance indicators like CPU load and HDD load, and configuring real-time alerts on behavior anomalies.
This attack emphasized something that we, and other enterprise grade IoT players have been saying all along. There is absolutely no option to connect sensors and devices to the Internet without taking security measures. This goes for any sensor, and any device, in any application.
Security is not ‘nice to have’ or a project item you can relegate to phase II. Secure your devices now.