DDOS Attack Made Possible by Lack of IoT Security

IoT designers need to get smarter when it comes to securing their connected devices.

A map of the regions hit hardest by the DDOS attack on Oct. 21, 2016. (Image courtesy of downdetector.com.)

A map of the regions hit hardest by the DDOS attack on Oct. 21, 2016. (Image courtesy of downdetector.com.)

On Friday, Oct. 21, 2016,large parts of the U.S. and Europe experienced Internet disruptions from a massive distributed denial-of-service (DDOS) attack. The attack targeted domain name system (DNS) provider Dyn, resulting in major websites such as Amazon, PayPal, Netflix and Twitter being affected. While an investigation into the attack is still ongoing, it’s known that a large number of compromised Internet of Things (IoT) devices contributed to the attack.

Mirai Malware

The DDOS attack took place in three waves. The first wave began at approximately 7:00 a.m.(EDT) and Dyn managed to mitigate the attack by 9:30 a.m. The second wave of attacks began at 11:52 a.m., which Dyn resolved by 1:00 p.m. The third wave began around 5:00 p.m., but Dyn was able to mitigate it without customer impact, resolving the issue in about an hour.

The DDOS attack flooded Dyn with tens of millions of malicious DNS look-up requests. The damage it caused was in the interruption for legitimate users; all DNS look-up requests are initially treated as legitimate, so by overloading the system with a barrage of requests, you can make the network temporarily unavailable.

So where did all the malicious requests come from? Dyn has confirmed that the attack resulted from devices affected by the Mirai botnet, a malware that targets consumer IoT devices such as webcams and printers. Mirai works by scanning the Internet for IoT devices and using factory default passwords or hard-coded credentials to compromise them. Once it obtains control of the devices, they can be assimilated into a botnet capable of carrying out an attack like the one we saw on the 21st.

Learning IoT Security the Hard Way

So what should IoT design engineers make of this attack? The lesson could hardly be more obvious: IoT security can’t be dismissed or ignored. Consumers tend not to think of their webcams and other connected devices as vulnerable, but designers should know better. If it’s online, it’s susceptible to attack.

Perhaps the easiest place to start is in doing away with factory default passwords. This could be accomplished in a couple of different ways: create unique passwords for each device, or force users to set their own passwords. The minor cost in convenience is undoubtedly worth the extra protection against devices that practically beg for malware such as Mirai.

The media has not been shy about blaming the IoT for the DDOS attack. Consumer confidence in the IoT is sure to be affected as a result and IoT designers may now be faced with an uphill battle in regaining consumer trust. The best step you can take is to make security an absolute priority for your IoT products.

Don’t worry, we’re here to help. Check out 12 Tips to Convince Users Their IoT System Is Secure to ensure your products can be trusted.

Written by

Michael Alba

Michael is a senior editor at engineering.com. He covers computer hardware, design software, electronics, and more. Michael holds a degree in Engineering Physics from the University of Alberta.