Sunday, September 25, 2016

IoT now being used for DDOS

It was a matter of time before this happened. With the various manufacturers of IoT devices worried more about being first, market share or making money (or all three), they have left device security as an afterthought. Brian Krebs is one of the first that I know of where those not happy about what he does tried to silence him using a massive DDOS attack that appears to be using IoT devices. In the past he has been a target for swatting. His site Krebs on Security still isn't back up at the time of this blog being written, and that is a shame. Ars Technica has a good article on this subject that you can read. I agree with the article that this is a troubling development.

The problem is that it is like the wild west with IoT devices. If manufacturers don't do something about security and upgrades soon, web providers and/or the government will, and the potential of these devices will be stifled.

I see this as an opportunity for anti-virus makers and software developers. If they can develop a simple application to:
  1. Scan your network for IoT devices and present you with their findings;
  2. Make it extensible to allow us to manually identify and flag IoT devices that were not detected, and send feedback to the developer about the new devices;
  3. Identify potential security holes and list options the user can take to secure their devices;
  4. Automate the fixing of holes and changing of settings to make the devices more secure.
Developers who can do the above will have an opportunity to make money while helping secure the newest set of toys on the internet.

In the long term, manufacturers need to put security and the ability to upgrade at the top of the list, firmly step on the neck of marketers and tell them NO, security comes first, not market share or money. That is hard, as they will tell everyone that a company is in the business of making money. That is fair, but they should be reminded that if people cannot trust their product, they will not be making any money!

I may be an exception to many people looking at IoT products for the home (or office), as I look at:
  1. Can it be patched when security holes are identified and fixed?
  2. Does it ask the user, out of the box, to create an admin account and password, rather than shipping with a default?
  3. Good documentation on the product and its configuration. A simple user guide will suffice, which then points the user to a web site with more detailed documentation;
  4. Can certificates be added/changed/deleted, so that one default certificate isn't used on every device made by that manufacturer? I do this for my browsers and Linux boxes. There are certain countries (like China and soon Russia) whose certificates I disable ALL of, as I don't trust them. I may be wrong or paranoid, but my machines, my rules;
  5. A tool to manage the IoT device, and the ability for the IoT device to log all actions to a write-only area. The reason for write-only is that if hackers do get in, we want to make it a bit harder for them to alter the logs;
  6. What is the support policy and the expected life of that support?
  7. If it requires using the cloud to do its work:
    • Is the communication encrypted end-to-end?
    • Can the end user run their own local server? The reason is that the manufacturer will eventually stop supporting the product or go out of business. When that happens we are left with hardware that still works but a product that no longer functions.

At this time hackers can (and do) use the weaknesses in IoT devices to create massive botnets, disrupt access for individuals and companies (like battlenet and Runescape), and shut down access until the victims cave to their demands or spend a massive amount of money to mitigate future DDOS attacks. Hackers are not stupid and realize that this is a ripe area to exploit, as there isn't much in the way of detecting and stopping them. The individuals behind the DDOS are bullies and need to be recognized and treated as such. Krebs and battlenet are the most recent victims, but will not be the last. The question is how many more times, and how many people, will be impacted before action is taken?

Update 2016/09/25:

Looks like Krebs' site is back up. Good to know that he is back and the DDOS bullies didn't win this time.