In case you missed it, a serious distributed denial of service (DDoS) attack brought much of the Internet to a crawl last Friday. The attack focused on Dyn, a cloud-based Internet performance management company that offers managed Domain Name System (DNS) services. DNS is like the phonebook for the Internet: When we type an address into a Web browser, it almost always checks with a DNS server to find out where to route the packets.
This is all well and good... until the DNS server goes down or comes under attack. Then, Web requests either encounter delays as they wait for backup servers to pick up the traffic, or they simply become unroutable. The sophisticated attack on Dyn hit in multiple waves, one coming around 7:00 a.m. ET Friday, another at noon ET, and yet a third later in the day.
The first phase impacted some key Internet sites, including Twitter, Amazon, Tumblr, Reddit, Spotify, and Netflix. Web browsers using Dyn's East Coast DNS servers were unable to route to these destinations as well as to a number of other sites.
Dyn reported that the attack traffic came from tens of millions of unique IP addresses. As it turns out, this massive and prolonged DDoS attack involved a significant number of Internet of Things (IoT) devices.
Unbeknownst to many of us, some of the devices we put on the Internet, including our inexpensive surveillance cameras, routers, digital video recorders (DVRs), and even printers, have vulnerabilities. In this instance, the vulnerable devices allow outsider access, namely through the Telnet and Secure Shell (SSH) protocols. Telnet is a network protocol that allows a user on one computer to log into another, typically via port 23. Similarly, the newer SSH network protocol uses public-key cryptography to allow access to a remote computer.
The problem with these IoT devices is that they may support Telnet and/or SSH, and the manufacturers have placed default or hardcoded usernames and/or passwords into their firmware for easy setup or troubleshooting. You can think of this default username/password, which often differs from the administrator username/password the user sees when logging into a device's Web interface, as an external access mechanism. The issue is that most users of these devices don't even know these usernames and passwords exist, and even fewer know how to change them.
Further complicating the matter, some device manufacturers use third-party electronics components that have this defect. As you can see in the partial list shown here, this includes some big manufacturers like Panasonic, Toshiba, Xerox, and ZTE.
As a Xerox repairman reported in response to a KrebsonSecurity post about the DDoS attack, a standard way of getting into a Xerox printer if a user has lost the internal password is to reset the printer and then access the device using the default username and password via Telnet.
Now, you might say that in a business environment these devices should sit behind the corporate firewall and so be protected from outside intrusion. Well, that is true... unless a device has been set up using the Universal Plug and Play standard and/or port forwarding, which basically punch pinholes in the firewall. For example, if you have installed a surveillance camera that lets you view its video remotely, you may be reaching that camera through a pinhole punched into the firewall when the surveillance was set up. Hackers can scan a firewall for pinholes and gain access to a vulnerable device through port forwarding.
It turns out that devices infected with botnet malware called Mirai launched the DDoS attack against Dyn. Mirai, available as source code, scans the Internet for devices that support Telnet or SSH and still accept a default username and password. When it finds one, Mirai logs into the device and infects it. The device can then become part of a massive distributed attack.
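Both symptoms described above leave traces in ordinary firewall connection logs: an inbound pinhole shows up as outside hosts connecting to an internal device on the Telnet or SSH port, and an infected device shows up as an internal host opening Telnet/SSH connections to many distinct outside addresses in quick succession. The following script, added here as an illustration and not part of the original article or of any vendor's tooling, runs both checks over a small set of constructed log lines. The log format, the internal network 192.168.1.0/24, the port set (22, 23, and the common Telnet alternate 2323) and the threshold of three distinct targets are assumptions chosen for the example; adapt them to your own firewall's export format.

```python
"""Flag Telnet/SSH pinholes and Mirai-style outbound scanning in firewall logs."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall connection records (not taken from the article).
SAMPLE_LOG = """\
2016-10-21T07:00:01Z ALLOW in src=198.51.100.7 dst=192.168.1.20 dport=23 proto=tcp
2016-10-21T07:00:02Z ALLOW in src=198.51.100.7 dst=192.168.1.20 dport=23 proto=tcp
2016-10-21T07:00:09Z ALLOW in src=203.0.113.5 dst=192.168.1.21 dport=22 proto=tcp
2016-10-21T07:01:00Z ALLOW out src=192.168.1.20 dst=203.0.113.10 dport=23 proto=tcp
2016-10-21T07:01:00Z ALLOW out src=192.168.1.20 dst=203.0.113.11 dport=23 proto=tcp
2016-10-21T07:01:01Z ALLOW out src=192.168.1.20 dst=203.0.113.12 dport=2323 proto=tcp
2016-10-21T07:01:01Z ALLOW out src=192.168.1.20 dst=203.0.113.13 dport=23 proto=tcp
2016-10-21T07:01:02Z ALLOW out src=192.168.1.20 dst=203.0.113.14 dport=23 proto=tcp
2016-10-21T07:01:05Z ALLOW out src=192.168.1.30 dst=93.184.216.34 dport=443 proto=tcp
2016-10-21T07:01:06Z ALLOW out src=192.168.1.30 dst=93.184.216.34 dport=80 proto=tcp
2016-10-21T07:01:07Z DENY  in src=203.0.113.77 dst=192.168.1.22 dport=23 proto=tcp
"""

# Assumed log line layout: timestamp, action, direction, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<direction>in|out)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

# Ports Mirai-class malware is known to probe for remote logins (assumed set).
REMOTE_LOGIN_PORTS = {22, 23, 2323}
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range


def parse_log(text):
    """Parse log text into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        records.append(rec)
    return records


def find_exposed_devices(records, internal_net=INTERNAL_NET):
    """Internal hosts that outside addresses actually reached on Telnet/SSH.

    An ALLOWed inbound connection on one of these ports means a pinhole
    (UPnP mapping or manual port forward) exists; DENYs are ignored because
    the firewall already blocked them.
    """
    exposed = defaultdict(set)
    for r in records:
        if (r["action"] == "ALLOW" and r["dst"] in internal_net
                and r["src"] not in internal_net and r["dport"] in REMOTE_LOGIN_PORTS):
            exposed[str(r["dst"])].add(r["dport"])
    return {host: sorted(ports) for host, ports in exposed.items()}


def find_scanning_devices(records, internal_net=INTERNAL_NET, min_targets=3):
    """Internal hosts opening Telnet/SSH connections to many distinct outside hosts.

    A camera or DVR has no business doing this; it is the outbound footprint
    of a device that has been recruited into a scanning botnet. Returns the
    number of distinct targets per suspicious host.
    """
    targets = defaultdict(set)
    for r in records:
        if (r["src"] in internal_net and r["dst"] not in internal_net
                and r["dport"] in REMOTE_LOGIN_PORTS):
            targets[str(r["src"])].add(str(r["dst"]))
    return {host: len(t) for host, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, ports in find_exposed_devices(recs).items():
        print(f"pinhole: {host} reachable from outside on ports {ports}")
    for host, count in find_scanning_devices(recs).items():
        print(f"scanner: {host} contacted {count} outside hosts on Telnet/SSH ports")
```

On the sample data the script reports two pinholes (192.168.1.20 on port 23 and 192.168.1.21 on port 22) and one scanner (192.168.1.20, which reached five outside hosts); the same device appearing in both lists is exactly the pattern the article describes, an exposed device that has been taken over. The exposed-device check is the one to run before an incident, the scanner check after; both are cheap enough to run on every log export.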
Eyes Wide Open
In the enterprise communications space, IoT is clearly becoming part of the conversation. Last year's Enterprise Connect conference featured some great discussion on IoT and the intersection between IoT and other elements in our industry, including voice, video, contact center, and CRM.
But, as we go forward with IoT, we must do so with our eyes open. Those cool new programmable lightbulbs your facilities crew just installed, the smart refrigerator in the company cafeteria, the smart TVs scattered about the common areas, or your surveillance cameras could be participating in taking down a portion of the Internet while you are eating lunch or having a video chat with remote colleagues. Millions of infected devices already connect to the Internet, and their users don't even know it.
Furthermore, as we add billions of new "things" to the Internet, device security is going to be ever more critical, as this DDoS attack on Dyn illustrates. One of the problems is how to remove at-risk devices from the Internet... end users have little incentive to even check whether their devices are at risk, and manufacturers have little incentive to reach out and get these devices either upgraded or eliminated, unless they are sued. Enterprises need to exercise caution as they buy and install IoT devices to make sure they are as secure as possible.
So, manufacturers are going to have to be vigilant to ensure that their devices are secure and can't be hacked, and organizations will need to put attack mitigation plans in place so that in this era of the "cyber cold war," they are not vulnerable as IoT devices proliferate.