2016: The year IoT broke the internet
Meet the internet’s new public enemy number one — Mirai and its variants, vast botnets of web-enabled devices, which this year were used to attack online infrastructure and bring marquee e-commerce and social media sites to their knees.
Since that attack in October, by the original Mirai botnet, numerous variants have been created — scanning the internet looking for connected devices with weak security like default passwords, and recruiting them to the author’s bot army.
An attack profile like we’ve never seen
Experts and officials warned earlier in the year that the explosive proliferation of insecure and exploitable internet of things devices — home automation gadgets, entertainment equipment, connected cars — was opening to door to the creation of these vast botnets.
“The attack profile possible is something like we’ve never seen,” Manos Antonakakis, from Georgia Tech’s School of Electrical and Computer Engineering, told a government advisory board just after the October attack.
The version of Mirai used in that attack targeted web-connected cameras, DVRs and broadband routers — building a botnet of infected devices hundreds of thousands strong, and using their connectivity to bombard its targets with fake data requests, overwhelming their servers — what’s called a Distributed Denial-of-Service (DDoS) attack.
The children of Mirai
Initially, Mirai’s source code and the emergence of new variants splintered and weakened the original botnet, but now some of the successor variants are rivaling the original in size.
So, could the October attack against internet infrastructure provider Dyn be replicated in the future?
Unless something changes radically in the IoT ecosystem, the answer is: Yes, and then some.
The problem is one of scale. Estimates vary, but several billions of devices are likely to be connected to the internet over the next few years and if current trends continue, many of them will have exploitable security weaknesses like those recruited by Mirai. That’s a lot of firepower.
Infrastructure under strain
But even laying aside the security issue, experts say that, given their numbers, the connectivity of IoT devices will put the internet infrastructure under strain.
“IoT devices are very chatty,” said Antonakakis, “they tend to connect to many different points,” and to use many different communications protocols — something that adds to their utility as botnet members.
But with the explosive growth expected in IoT devices, even their usual activity will put a strain, specially on the Domain Name System, said Antonakakis, whose institution does a great deal of federally funded cybersecurity research.
He said that around 150,000 IoT IP addresses his team tracked made between them over half a billion DNS lookups every day.
“I can foresee that we will have to rapidly upgrade … DNS infrastructure simply to cope with the normal activity of these devices,” he added.
The IoT ecosystem
At his presentation, Antonakakis made a startling and little-noticed prediction. Because in the current ecosystem, it’s generally not possible to identify particular devices that may or may not be susceptible to a given infection — “There is no hope of remediation,” that is, no way of fixing security problems that emerge with already deployed devices.
“In my view … It’s only a matter of time before U.S. agencies have to issue massive recalls of IoT devices due to security issues,” Antonakakis predicted.
In the case of Mirai, some categories of devices, like routers, can generally be patched remotely. Others cannot.
The Chinese company that makes one of the white-label webcams exploited by the original Mirai botnet said it issued a recall for about 10,000 of its devices sold to Americans. A spokesman told Reuters it had fixed the Mirai vulnerabilities in new devices by asking users to change the default password and disable telnet, the communications channel used by the botnet.
The challenge of regulation
But relying on users to fix a widespread and dangerous vulnerability like that is generally deprecated by security practitioners. And there’s another issue.
The problem is, in part, one of complexity.
Remember how some categories of connected devices can be remotely updated, patched to fix security holes? Many of the internet service providers who were able to patch routers against the original Mirai botnet build special backdoors into their devices, just so that their engineers and customer service staff can get access to patch them or reset them.
Last month a Mirai variant emerged, at the time one of the successors whose size was thought to rival the original, which propagated by exploiting exactly those access features.
See? Complexity. And it gets worse.
Because there may well be six or seven different companies involved in manufacturing, programming, assembling, marketing, and connecting an IoT device — and the consumer probably doesn’t know half of them. Even the sellers themselves may not know who all of their partners’ many suppliers are.
The companies involved range from Silicon Valley startups to Asian manufacturing conglomerates, by way of mass market retailers, telco companies and broadband ISPs.
It’s a global ecosystem with a trans-continental supply chain, and a market environment where “speed to market” is going to trump “secure to market” every time.
Therefore, the problem is, in part, one of market failure.
A role for government?
Even U.S. regulators recognized in 2016 that classic rule making approaches are too slow and specific to deal with burgeoning IoT threats. The Obama administration continued to focus on partnership with industry, not by regulation, but voluntary best practices drawn up by multi-stakeholder working groups.
The National Telecommunications and Information Administration — a small agency within the Department of Commerce — has been convening such a multi-stakeholder process on IoT security. But it looks in danger of being outflanked by multi-industry groups like the Consumer Technology Association, who are devising their own best practices.
Congress, as they do, also got involved. But with more than a dozen different committees and subcommittees claiming jurisdiction over some piece of the cybersecurity policy pie; and a Republican party in raucously anti-regulatory procession controlling both chambers, it’s hard to see legislative intervention as likely.
As 2016 ground to its conclusion, the report from President’s Commission on Enhancing National Cybersecurity essentially endorsed the partnership approach to IoT security, but urged the new president and his team to make IoT measures among those he needed to pursue within the first 100 days.
And they’re right. As former CIA official Gus Hunt has pointed out, the truly scary thing about October’s attack is that it looks like it was put together by angry teenagers.
“It wasn’t a nation-state, it wasn’t organized crime … it was one individual who was ticked off with a gaming company,” he said.
So that’s where we are in 2016. An angry teen can break the internet by weaponizing the IoT.
“That is a terrifying prospect,” Hunt concluded.