Could attackers be exploiting connected IoT devices in homes?
On 21st October 2016, hundreds of millions of web users were unable to access popular sites and services such as Amazon, PayPal, Twitter, Netflix, GitHub and Xbox Live. Other major websites were affected, too, but the cause wasn’t an attack on each individual site. Instead, a distributed denial of service (DDoS) attack targeted their Domain Name System (DNS) provider, Dyn.
Data from all over the world was directed to Dyn’s servers, overloading them and preventing many web users’ browsers and mobile apps from locating the sites and services of Dyn’s customers.
The source of the attack was somewhat alarming: large numbers of home internet routers, security cameras and even baby monitors, all around the world. An unknown attacker had infected these Internet of Things (IoT) devices with Mirai malware, organised them into a so-called botnet, then used this for the attack. Widespread use of default passwords and unpatched firmware meant compromising the devices was relatively easy for the attacker.
This wasn’t the only recent botnet-based DDoS attack. Spare a thought for those living in Lappeenranta in Finland. This winter, the connected pumps needed for several buildings’ hot water and heating were wiped out for several days, following a Mirai infection. It seems these IoT devices weren’t the attacker’s target – but in being used to carry out DDoS attacks on foreign websites, the strain on the kit was too much, causing it to shut down and leave people with no heating at the worst possible time of year.
As connected devices have spread further into the machines that operate the world around us, potential attackers gain more opportunities to cause real physical harm. This is why security has long been a concern for those designing, building and operating high-profile connected systems. It doesn’t bear thinking about what could happen if a criminal took control of some traffic lights, a military drone or the control systems at a power station, for example.
But the recent DDoS attacks have raised a different issue around IoT security. The attacker’s goal wasn’t to compromise the cameras to spy on people’s houses, or to hack the baby monitors to disturb sleeping children. The devices themselves weren’t the target – instead, they were used as weapons with which to attack remote targets over the internet.
The irony is, of course, that what makes the IoT so appealing to consumers and industry (large numbers of connected devices all around the world) also attracts hackers, who see the connected kit as potential bots to carry out their dirty work. The problem is compounded when you consider that IoT devices need to be relatively cheap, and yet proper security (including the periodic software patches to counter new threats) is expensive. To underline the scale of the problem, HP was warning – even back in 2014 – that more than two-thirds of popular IoT kit had serious security weaknesses.
The other characteristic of the IoT is that many connected devices are single-purpose units that can be left operating, unattended, for months or even years at a time. While this is great for those operating the devices, who can plug in their networked storage or security cameras and forget about them, hackers also know they can generally access the kit undisturbed.
It all sounds a bit doom-and-gloom: the emerging IoT is made up of insecure devices, many of which have been rushed to market without proper thought being given to their security. But there is good news: proven hardware and software solutions exist that can protect IoT kit against most threats.
Developers do still face a challenge when it comes to securing their IoT kit, however. This is because IoT devices typically use low-power processors, which are generally insufficient to support robust encryption algorithms. This means developers must choose to incorporate dedicated hardware to look after the security, or use a higher-power general-purpose processor and implement software security.
One hardware option is Microchip’s AWS Zero Touch Secure Provisioning Kit, which uses the Atmel AT88SA10HS encryption chip. This evaluation platform has full plug-and-play authentication and is ideal for designers looking to build their IoT networks using Amazon Web Services (AWS).
This type of dedicated hardware security module is great when it comes to quickly incorporating security into new projects. But for anyone with potentially at-risk kit already in use, what are the options?
Do the easiest things first: make sure the firmware is fully up-to-date and the passwords are strong. Where possible, shut down non-essential services and close device ports that aren’t required. Also have a look through the device’s settings, particularly its routing configuration and firewall. Anything suspicious could indicate it has already been compromised.
Once you’ve done this, have a look on the web to see if any device you’re using has known vulnerabilities that haven’t been patched and are being exploited elsewhere in the field. If there isn’t a firmware update to address these, you may want to consider replacing the device. However, if this isn’t an option and there is a good understanding of what the threat is, putting a suitably configured firewall in front of the vulnerable kit may provide the protection you need.
As a very last resort, if an insecure device is truly essential, you could separate it from the wider internet, and only allow access through an intermediate, secure server.
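The firewall and isolation steps above can be expressed as an nftables ruleset on a Linux box placed between the insecure device and everything else. This is an added example, not part of the original article; the interface names, addresses and the device port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original article. Interface names, addresses
# and the device port are assumptions; adjust them to the real network.

define IOT_IF    = "iot0"       # segment holding the insecure device
define LAN_IF    = "lan0"       # trusted internal network
define DEVICE    = 10.20.0.50   # the insecure device (constructed address)
define GATEWAY   = 10.10.0.5    # intermediate secure server (constructed address)
define DEV_PORTS = { 443 }      # the one service the device must offer

# Create-then-delete makes the file safe to reload without touching other tables.
table inet iot_guard
delete table inet iot_guard

table inet iot_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies on connections that a rule below allowed.
        ct state established,related accept
        ct state invalid drop

        # Only the intermediate server may open connections to the device,
        # and only to the required port. IPv6 matches no rule and is dropped.
        iifname $LAN_IF oifname $IOT_IF ip saddr $GATEWAY ip daddr $DEVICE tcp dport $DEV_PORTS ct state new accept

        # Anything the device initiates is logged (rate limited) and dropped,
        # so it cannot scan other hosts or take part in a DDoS attack.
        iifname $IOT_IF ct state new limit rate 10/minute log prefix "iot-egress-drop: "
        iifname $IOT_IF counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # The firewall itself is managed from the trusted network only;
        # the IoT segment cannot reach any service on this host.
        iifname $LAN_IF tcp dport 22 accept
    }
}
```

Validate the file with `nft -c -f` before loading it with `nft -f`. A rising counter on the final forward rule, or "iot-egress-drop" lines in the kernel log, means the device is trying to open connections of its own and should be investigated.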
Guest blog written by Mark Patrick, Mouser Electronics.