Dyn DDoS Attack Shows IoT’s Inherent Security Weakness


| Analysis

IoT’s big open door

The issue with IoT devices is two fold: many are easy to hack, and many can’t be patched to block security exploits. Many IoT devices share the same embedded operating system chipsets with Root-level passwords baked in. They can’t be changed, and once known are exploitable by anyone familiar with Shodan and savvy enough to follow hacking scripts.

As IoT device users, there’s little we can do to stop the problem short of disconnecting everything from the internet. Thermostats, cameras, and refrigerators don’t have any business being online—or so the argument goes.

Internet connected devices

Refrigerators, thermostats, and more are internet-connected

In my case, a Web connected thermostat alerted me when my air conditioner stopped running on an especially hot day. It was about 98 degrees fahrenheit when I rushed home, and since I had planned on being gone much longer it’s likely the indoor temperature would’ve risen high enough to kill my cat.

My parents offer up a less dramatic example of IoT put to good use. They live in the mountains at about 8,500 feet altitude and it gets painfully cold in the winter. Their heating system warms ceramic bricks during off-peak electrical times, and by talking with the power company it can intelligently decide when to do its thing.

If these devices are potential hacker targets, why not use a platform that promises stronger security, like Apple’s HomeKit? While HomeKit does offer security enhancements to help keep hackers from remotely turning your lights on and off, or unlocking your front door, the underlying technology driving those products may be susceptible to the same security breaches.

Most HomeKit-ready devices also support other platforms, and the underlying chips driving both are potential targets for hackers. The practical security in HomeKit is that any device using the protocol is secure within Apple’s environment; anything the devices do outside of HomeKit, however, is still just as vulnerable—or secure—as it would be without Apple’s platform.

Plugging the iOT security hole

Which brings us to the really big question: What can users do to protect their IoT devices from being hijacked to participate in DDoS attacks? The answer is, nothing short of unplugging them.

The fix needs to come from manufacturers, and fixing the devices we already own isn’t going to happen. Dave Hamilton dove pretty deep into IoT security issues on Mac Geek Gab, and suggested on TMO’s Daily Observations podcast that the practical fix might come from router makers.

Since your router is the nexus for data coming into, and passing out of, your private network, it’s the perfect place to watch for IoT devices participating in DDoS attacks. When unusually high outbound traffic is detected, your router could block the rogue device from sending outside of your own network.

That would address the problem without forcing everyone to throw away the IoT gear they already have. It also means we’ll likely need government regulation to impose traffic throttling requirements on router makers.

Changes like that don’t happen quickly, and that means the doors are still wide open for other hackers to follow in New World Hackers’ foot steps. It also means any of us could’ve played a part in the DDoS attack on Dyn, and may be involved in future attacks, and won’t ever know.

8
Leave a Reply

Please Login to comment
8 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
6 Comment authors
Lee DronickcubefanBurmaYankNotTellingYou Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
Lee Dronick
Member
Lee Dronick

“Good one, Lee! (Which plan did you vote for? – I voted for #5)”

I also like #5, but 6 is probably more realistic.

cubefan
Member
cubefan

Which is where something like this comes in useful… developed to run on OpenWRT [but see website for more details].. , The Dowse is a mini firewall in effect – a small machine with two networks – not that dissimilar to one of these: but Smoothwall presently only runs on an Intel x86 platform. Most of the so-called secure IoT frameworks, hubs etc, are NOT secure, including the Philips Hue [see Abusing the Internet of Things, O’Reilly – mandatory reading IMHO]. Homekit got a better review here – simply because it has an approach that has security built in from… Read more »

Dave Hamilton

NotTellingYou: Some good info, though all available elsewhere, but why does an Apple-focused web site, do an article about IoT security weakness, and not even make a passing reference to Apple’s HomeKit security and encryption?

Perhaps you missed the second page of this article where that part of this was covered?

BurmaYank
Member
BurmaYank

Good one, Lee! (Which plan did you vote for? – I voted for #5) – Only after years and years of firmware updates, (… ROM wasn’t fixed in a day.) 5% – Someone will just pull the plug on the Internet and reboot it!, (… how about leaving it unplugged and let everyone go outside for a couple of days?) 3% – Not with a bang but a whimper, 6% – With white hat malware, to target the malicious malware, 3% – With a well orchestrated campaign of blocking the sale of devices that can be compromised, and hunting down… Read more »

Lee Dronick
Member
Lee Dronick
NotTellingYou
Member
NotTellingYou

Some good info, though all available elsewhere, but why does an Apple focused web site, do an article about IoT security weakness, and not even make a passing reference to Apple’s HomeKit security and encryption? Apple has taken a lot of unwarranted abuse when it comes to HomeKit’s requirements with many a tech pundit taking Applr to task for their requirements which they see as slowing adoption and increasing cost. Well…and now you know!

BurmaYank
Member
BurmaYank

Thanks for your excellent summary, Jeff, (with your link to Shodan) of this apparently world-transforming news.

palmac
Member
palmac

If your toaster starts learning Russian…
If your refrigerator joins an anarchy youth group…
If your thermostat constantly insults twitter…

REPORT IT!

The website you save might be your own!