IoT Security after the Mirai Botnet Attack
Rob Black, CISSP, ThingWorx, Product Management Senior Director
The Distributed Denial of Service (DDoS) attack on the domain name system (DNS) infrastructure provider Dyn, last month on October 21, 2016, brought down Twitter, Netflix and other sites and provided a wake-up call on the dangers of unsecured networked devices. Most of the malicious endpoints used in this attack were consumer-owned Internet of Things (IoT) devices such as digital video recorders (DVRs) and video cameras. The large scope and high visibility of this attack have raised the question of what lessons it might provide to companies that are developing and deploying IoT applications.
The perpetrator of the attack is unknown, but it has been determined that the attack took advantage of long-known but never-fixed vulnerabilities in connected consumer devices. The attackers used the Mirai botnet malware to recruit a network of slave devices that could be controlled as a group without their owners' knowledge. When the malware found a device, it guessed at the device's password; in many cases the passwords were known hardcoded defaults.
Many of the devices that were compromised use components from Hangzhou Xiongmai Technology. The devices often include an embedded operating system with an operating-system-level admin login that is hidden from users. The devices were often set to simple default passwords such as admin or 12345. In many of these devices the password was hardcoded into the firmware and can only be changed by installing a patch. Some of the companies that sold these devices had recognized the vulnerability and issued software patches, but few users bothered to download and install them.
After taking control of these devices, the Mirai software waited for a command from its master. Once the perpetrator had assembled a botnet of sufficient size, it commanded the devices to send huge numbers of messages to Dyn's server farm, bringing these computers to their knees. As a result, websites that rely on Dyn for DNS service, including the New York Times, Airbnb, Twitter, Netflix, Reddit and others, became unreachable for a period of time.
Even though the specific vulnerabilities targeted in this attack are likely to affect few if any enterprise IoT applications, the method of attack provides lessons that are valuable in securing all IoT applications. It is fairly easy to identify three factors that made these devices vulnerable:
- Promiscuous device connectivity
- Security patches not installed
- Use of default passwords
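One way to turn these three factors into a routine fleet check, as an added example that is not part of the original article or the ThingWorx product: each constructed inventory record is tested for open inbound ports or extra outbound targets, firmware older than the release that removes the hardcoded login, and an admin password whose digest matches a known factory default. The record fields, the patched firmware version and the management endpoint name are assumptions made for this example.

```python
"""Audit an IoT device inventory for the three Mirai risk factors.
Inventory records, field names, PATCHED_FIRMWARE and MANAGEMENT_ENDPOINT
are constructed for this example; they are not a ThingWorx data model."""
import hashlib

# Factory defaults named in the article, kept as SHA-256 digests so the
# audit compares hashes rather than holding clear-text passwords.
DEFAULT_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("admin", "12345")
}
PATCHED_FIRMWARE = (2, 1, 0)              # constructed: first fixed release
MANAGEMENT_ENDPOINT = "iot-gw.example.internal"  # constructed: sole dial-out target


def parse_version(text):
    """'1.0.4' -> (1, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_device(dev):
    """Return the risk factors a single device record exhibits, in a fixed order."""
    findings = []
    # Factor 1: the device should only initiate connections to one endpoint, so
    # any listening port or additional outbound target widens the attack surface.
    extra_targets = set(dev["outbound_endpoints"]) - {MANAGEMENT_ENDPOINT}
    if dev["inbound_ports"] or extra_targets:
        findings.append("promiscuous_connectivity")
    # Factor 2: firmware older than the fixed release still carries the hole.
    if parse_version(dev["firmware"]) < PATCHED_FIRMWARE:
        findings.append("unpatched")
    # Factor 3: the admin password digest matches a known factory default.
    if dev["admin_password_sha256"] in DEFAULT_PASSWORD_HASHES:
        findings.append("default_password")
    return findings


def audit_fleet(fleet):
    """Map device id -> findings for every device that has at least one."""
    report = {}
    for dev in fleet:
        findings = audit_device(dev)
        if findings:
            report[dev["id"]] = findings
    return report


# Constructed sample inventory: a Mirai-style DVR, a hardened camera, and a
# camera that was patched but whose default password was never changed.
FLEET = [
    {"id": "dvr-01", "inbound_ports": [23, 80], "outbound_endpoints": [],
     "firmware": "1.0.4", "admin_password_sha256": hashlib.sha256(b"12345").hexdigest()},
    {"id": "cam-02", "inbound_ports": [], "outbound_endpoints": [MANAGEMENT_ENDPOINT],
     "firmware": "2.1.0", "admin_password_sha256": hashlib.sha256(b"Tq8!vL2#pR9").hexdigest()},
    {"id": "cam-03", "inbound_ports": [], "outbound_endpoints": [MANAGEMENT_ENDPOINT],
     "firmware": "2.1.3", "admin_password_sha256": hashlib.sha256(b"admin").hexdigest()},
]
```

Running `audit_fleet(FLEET)` reports dvr-01 with all three factors and cam-03 with only the default password, showing that a patch alone does not close the credential gap.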
ThingWorx has been designed from the ground up to mitigate these types of vulnerabilities and has built-in capabilities to protect customers from them. First, ThingWorx places a strong limitation on device connectivity by configuring devices so that the device must initiate the connection and the connection can only terminate at one specified IP address or DNS name. This architecture eliminates the possibility of the device being hijacked by an attacker, reducing the attack surface from millions of entry points to one that is controlled by your enterprise in your data center or by a trusted partner.
Second, the ThingWorx platform simplifies the process of installing security or other patches on large numbers of devices in the field. ThingWorx automates the rollout of changes to devices, including fleets with a large number of different configurations, boards, chips, modules and software versions, each of which may require a different patch. Users of the ThingWorx software can choose to deploy to a subset of machines or let the platform distribute the update to all of them. ThingWorx also provides the ability to wait until a device is idle before installing the patch.
The ThingWorx platform is intended to be managed by enterprise information technology personnel who are aware of the importance of changing passwords. User passwords can be tied to your enterprise user directory, ensuring a consistent password policy. ThingWorx makes it easy to change the cryptographic material for system keys and device keys, allowing you to manage a secure implementation.
ThingWorx also provides a wide range of other features designed to help ensure IoT security. Many of these features are explained in two white papers entitled Securing the Architecture and Infrastructure of the IoT Ecosystem and Protecting Smart Devices and Applications Throughout the IoT Ecosystem. The Dyn DDoS attack highlights the security challenges of the IoT; however, a close examination of this attack reveals that tools are already available to develop and implement enterprise IoT applications that protect against similar attacks as well as other unauthorized and malevolent intruders.