Hacked cameras, DVRs and other internet-connected consumer devices were conscripted by perpetrators who installed botnet malware, causing last Friday’s internet outages. The national media reported the event, but it failed to tell consumers what they need to know about buying those types of devices. For example, before making a purchase, consumers need to ask:
- Does the manufacturer routinely update this device with security patches?
- Can I change the default passwords when I install the device?
The national media could have talked to someone who has first-hand experience with this type of attack, such as Brian Krebs, former Washington Post journalist and now one of the leading security industry bloggers, who would have repeated what he posted on Friday:
“As I noted in The Democratization of Censorship, to address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.”
Instead, the media spoke to sources two and three degrees removed from the situation.
Worse, this type of attack is not a new threat. Four years ago, this type of vulnerability was widely reported in the technology press.
The perpetrators of last Friday’s DDoS attack did what the manufacturers failed to do. They updated hundreds of thousands of internet-connected consumer devices with the Mirai-based botnet. Think about it like the regular update patches to Windows and smartphone apps.
Defending devices is an ongoing battle. Perpetrators look for zero-day exploits, which target holes in defenses not yet known to the vendor. Operating system (OS) developers and independent security analysts search for these zero-day exploits before or after there’s been an incident. Zero-day exploits are valuable because, properly executed, they can provide access to the operating system without detection. Trusted OS developers create patches to cover these holes that are automatically and securely downloaded and applied.
Internet-connected devices not always updated
The important point that needs transparency is that some internet-connected consumer devices do not regularly get software updates. Many run Linux because it is free. Though popular Linux versions such as Ubuntu, Mint and Debian are secure due to regular update patches, some of these internet-connected consumer devices are never patched after they leave the factory.
Further, they ship with default passwords that consumers rarely change. Often perpetrators do not have to use sophisticated methods to discover these passwords because the passwords are often included in the consumer documentation. And sometimes security-conscious consumers cannot change the passwords because they are hard-coded. Yikes!
The problem is that some internet-connected consumer devices do not have robust updating systems. If a device has not been patched in a year or two, then it is subject to a whole year or two of zero-day exploits.
Preparation for the attack
In advance of last Friday’s outage, the perpetrators scanned the internet for systems that showed signs of running the vulnerable hardware and, according to Krebs, found more than 515,000 vulnerable devices. They picked the largest populations of vulnerable devices, logged in using default passwords and patched the devices with their botnet malware. Then they issued a command to hit Dyn. Dyn, a large provider of DNS services that maintains the translation of domain names (the host part of URLs) to IP addresses, was flooded with requests, cutting off access to sites such as Spotify and Github.
Obviously, given the sheer number of conscripted devices, the perpetrators built an automated system to carry out this exploit. Except for verifying the authenticity of a digital certificate and the checksum of the malware, the perpetrators did everything the manufacturers of the vulnerable devices should have been doing all along: applying patches to protect the devices from malware.
Solutions to these vulnerabilities exist
Proven open-source solutions to these vulnerabilities exist. Pick any widely adopted OS such as Ubuntu or Windows or an application such as Firefox. All are patched using a package management system. Device manufacturers should have used a package manager all along to apply patches. Manufacturers do not have an excuse for failing to make regular updates. Many package managers are free and open source, and the more widely adopted package managers such as dpkg have large communities that contribute enhancements and patches. The manufacturers do not have to create most of the patches; they need only track the Linux open source tree for changes, unless the patch fixes a bug in the manufacturer’s own independently developed software.
The manufacturers, either independently or jointly, should have an update distribution system not too dissimilar from an app store or the way Linux and Windows update. When patches are available, they are signed with the developer’s key, identified by a digital certificate, and a checksum is calculated. When the OS starts a centrally controlled update, the digital certificate is checked for the authenticity of the developer, and the checksum is recalculated and confirmed. If the certificate is authentic and the checksum matches, the patch is applied.
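The verify-then-apply sequence just described, worked through as a small Go program. This is an added example, not code from the article or from any device vendor: it stands in for a certificate with a bare Ed25519 vendor key whose public half is assumed to be baked into the device firmware, uses SHA-256 as the checksum, and adds the one check the article does not mention but any real updater needs, a refusal to install a validly signed but older patch. The manifest layout, the version string format and the constructed patch bytes are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the constructed metadata a vendor publishes beside a patch:
// the version, the patch's SHA-256 checksum and a signature binding the two.
type Manifest struct {
	Version string
	SHA256  string // hex-encoded SHA-256 of the patch bytes
	Sig     []byte // Ed25519 signature over signedBytes(Version, SHA256)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify with the vendor key")
	ErrChecksum     = errors.New("patch checksum does not match the signed manifest")
	ErrRollback     = errors.New("patch version is not newer than the installed version")
)

// GenerateVendorKey creates the vendor's signing key pair. The public half is
// assumed to ship inside the device firmware; the private half stays with the vendor.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Checksum returns the hex SHA-256 digest of the patch bytes.
func Checksum(patch []byte) string {
	sum := sha256.Sum256(patch)
	return hex.EncodeToString(sum[:])
}

// signedBytes is the exact byte string the vendor signs, so that neither the
// version nor the checksum can be swapped independently of the other.
func signedBytes(version, sum string) []byte {
	return []byte(version + "\n" + sum)
}

// Publish is the vendor side: compute the checksum and sign the manifest.
func Publish(priv ed25519.PrivateKey, version string, patch []byte) Manifest {
	sum := Checksum(patch)
	return Manifest{Version: version, SHA256: sum, Sig: ed25519.Sign(priv, signedBytes(version, sum))}
}

// VerifyAndApply is the device side. It returns the version installed after
// the call: the new version on success, the unchanged old one on any failure.
// Versions are compared as strings, which assumes a zero-padded date form such
// as "2016.10.21" (an assumption of this example, not a general scheme).
func VerifyAndApply(pub ed25519.PublicKey, installed string, m Manifest, patch []byte) (string, error) {
	// 1. Is the manifest really from the vendor? Check the signature before
	//    acting on anything else in the download.
	if !ed25519.Verify(pub, signedBytes(m.Version, m.SHA256), m.Sig) {
		return installed, ErrBadSignature
	}
	// 2. Are these the patch bytes the vendor signed for? Recompute and compare.
	if Checksum(patch) != m.SHA256 {
		return installed, ErrChecksum
	}
	// 3. Refuse downgrades: a validly signed but older patch reopens fixed holes.
	if m.Version <= installed {
		return installed, ErrRollback
	}
	// Apply. A real device would write to an inactive partition and switch over.
	return m.Version, nil
}

func main() {
	pub, priv := GenerateVendorKey()
	patch := []byte("constructed firmware patch: disable telnet, require password change")
	m := Publish(priv, "2016.10.28", patch)

	v, err := VerifyAndApply(pub, "2016.10.21", m, patch)
	fmt.Println("genuine patch:", v, err)

	tampered := append([]byte{}, patch...) // same manifest, one byte flipped
	tampered[0] ^= 0xff
	v, err = VerifyAndApply(pub, "2016.10.21", m, tampered)
	fmt.Println("tampered patch:", v, err)

	_, otherPriv := GenerateVendorKey() // a manifest signed by someone else
	forged := Publish(otherPriv, "2016.10.28", patch)
	v, err = VerifyAndApply(pub, "2016.10.21", forged, patch)
	fmt.Println("forged manifest:", v, err)
}
```

The order of the checks matters: the signature is verified first so that the checksum and version fields are only trusted once they are known to come from the vendor, and every failure path leaves the installed version untouched.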
If the mainstream press does not explain the problem to the public at large, the threat will grow. It isn’t as simple as explaining the Samsung Galaxy Note 7 battery combustion problems, but in the long term, it’s a more important issue.
It is worth mentioning that as a result of Microsoft hardening Windows 7, Windows 8 and Windows 10, apparently attackers have sought more easily exploitable devices.