When things attack: Mirai and the Dyn DDoS attack reveal a disturbing future

The October 21 distributed denial-of-service attacks against DNS provider Dyn knocked some of the internet's most-recognized brands offline by exploiting poorly secured consumer IoT devices in the largest recorded DDoS attack to date. The attack was enabled by the botnet functionality dubbed Mirai, which was also implicated in the enormous September DDoS attacks that temporarily took down security blogger Brian Krebs and hosting provider OVH. The word Mirai reportedly means 'the future' in Japanese – and the future that Mirai has shown us is disconcerting indeed.

The 451 Take

These attacks have only just begun to illustrate the level of exposure the world faces from what so far appears to be largely SMB products made for the Internet of Things. Indeed, this narrow focus says much about the potential scale of risk beyond the cameras and DVRs largely targeted in this case. While virtually everyone weighing in on the discussion agrees that something must be done to head off an even worse scenario, what remedies make the most sense? There are needs at virtually every level of IoT architecture, from the software and functionality built into devices to the networks and platforms that interconnect IoT's many moving parts. The recent attacks illustrate how easily poorly secured IoT can be made a platform for attacking the fundamental underpinnings of the internet that keep the entire digital world functioning. So far, most of the discussion around IoT security has revolved around protecting IoT itself, with considerable investment already having gone into securing industrial IoT, particularly in sectors where safety is a primary concern. The threat that vulnerable IoT poses in and to the larger world has been seriously underserved. The range of solutions proposed – from adopting the analog of building codes for software and hardware to sweeping regulation, and the inevitable arm wrestling each presents – makes it clear that resolving these vulnerabilities will not be easy. What concerns us most is that, as so often happens with security, it will take an incident of serious proportions to bring any real progress to a head. It would be wise for the industry to do what it can to address this before governments take a stab at it.

Mirai's October 21 strike

On Friday, October 21, Dyn, a provider of domain name system (DNS) services, reported that it was the target of a distributed denial-of-service (DDoS) attack. The attack, which affected multiple DNS servers and caused interruption of services to a number of well-known sites, such as Twitter and Amazon, has been reported to have used the Mirai botnet, which specifically targets IoT devices. Mirai may be considered a botnet 'platform,' since there are several components that make it work: a SaaS front end for customers to submit jobs, C2 nodes, malware compiled for eight different CPU architectures, and self-propagation functionality in the form of shell scripts designed to search the internet for vulnerable systems and infect them. Threat intelligence investigator Flashpoint notes that, while Mirai botnets were used in the October 21 attacks, they were 'separate and distinct' from those used in September's high-profile attacks against security blogger Brian Krebs and hosting provider OVH, likely because the source code for Mirai was released not long after the September attacks, making it possible for others to use Mirai beyond those responsible for its first appearance.

Moreover, Mirai appears to target specific IoT 'things,' such as digital cameras and DVRs used in security surveillance. The specificity of targets is worth noting. These are not industrial IoT systems, such as industrial controls, which may be subject to safety or industry-specific controls in sectors sensitive to such concerns. But neither are they the consumer devices associated with everyday consumer use, in the 'smart home,' for example. Mirai's preferred targets are those accessible via the internet, and thus easy for attackers to reach, with low barriers to exploitation (default usernames, passwords and unsecured access methods such as telnet). These devices are rarely maintained or updated – in many cases because their functionality is limited (if they aren't broken, why fix them?). Indications so far suggest that this may have been the largest attack exploiting IoT devices, with aggregate traffic surpassing 1Tbps, or approximately 50% more traffic than that which took down Krebs' site.

If the range of targets was limited, the scale of the threat was not. According to Dyn's statement on the October 21 incidents, tens of millions of discrete IP addresses associated with the Mirai botnet were involved. The fact that such a widespread and readily mounted attack can be carried out under such simple terms has itself caused considerable concern over the state of exposure the world faces, as it embraces increasingly capable devices, particularly those fitting the types of vulnerabilities targeted in this case. Mirai is only one of a handful of botnets targeting such devices known to us at present. Our estimate is that the combined strength of all these botnet platforms would be approximately 75Tbps of DDoS power, or about 75 times the size of the Dyn attack at its largest.

Total economic impact and negative economic externality

These attacks have affected much more than just a number of consumer IoT devices, large as that number may be. Their impact on the wider internet and its fundamental underpinnings has already raised a number of downstream issues, such as the total economic impact of such broad and large-scale threats – an impact that has yet to be fully grasped, but that will likely influence whether or not the security concerns of consumer IoT can be fully resolved.

In a factory-oriented industry, for example, when a factory produces a product, the price of that product should cover the costs of its production and at least enough profit to make its production worthwhile. This price includes labor, components, equipment and all the associated inputs that go in. But what about the pollution the factory makes? This pollution has an economic impact – global warming, crop production and respiratory disease can be the result of such pollution, which affects other businesses and individuals, too. But the factory doesn't really need to care about these – the factory could produce billions of tons of pollution, and it wouldn't need to factor the impact of this pollution into its price.

In other words, the pollution is external to its profit and revenue – economically, pollution is called a negative externality. Externalities occur where the actions of one economic agent make another economic agent worse or better off, yet the first agent neither bears the costs nor receives the benefits of doing so. It is a form of market failure.

The Mirai malware specifically targets IoT devices on which to host its source. From these devices, botnets used for DDoS attacks can do their damage – Dyn was one of the victims of this attack. Why target IoT? Because most IoT devices do not have the security features one might expect on a laptop or a server, thanks to endemic failures in design and manufacture. They are relatively easy devices to infect, but still have the advantage of internet connectivity and powerful CPUs with support for languages beyond just assembly. These devices typically don't bother with firewalls, secure role-based access and configuration, or even the most basic endpoint defenses. They are easy targets.

Here lies the economic challenge: Let's say a typical consumer has purchased an internet-enabled toaster for $20. The producer could charge an extra $2 to make the toaster more secure, but that could lead to fewer purchases and impact profit. This is the crux: Would the producer get any benefit from making it more secure? No. The producer would almost certainly reduce its bottom line, as a result of price-sensitive users viewing the product as less attractive.

Would end users see value in paying $2 more for a secure toaster over an insecure one? What benefit does the end user gain by having a secure toaster? None. Perhaps their bread will toast quicker when a DDoS attack is underway, but this isn't compelling. Arguably, their additional expense wouldn't benefit everyone. But this argument only becomes valid if everyone is willing to pay that $2. And we know that there will always be a large percentage of the population that doesn't have such altruistic tendencies. So the consumer thinks 'Why pay more for something that doesn't benefit me directly, when the problem will only be fixed in the unlikely event everyone else does the same?'

IoT botnets are an externality. DDoS attacks impact other entities far more than the producers of IoT devices, and far more than most of the users of such technology. At least with traditional computers, malware might steal credit card data, corrupt volumes or hijack processors from important tasks – end users and vendors were incentivized to be secure; with IoT devices, this incentive is less clear.

Where do we go from here?

So how do we resolve these issues, internal as well as external?

Regulation: Some are calling for increased regulation to improve security, but regulation can take multiple forms. Self-regulation in the form of vendor response to incidents or concerns often has a positive impact on resolving such issues. In the early days of Wi-Fi proliferation, for example, the weak (and ironically named) Wired Equivalent Privacy (WEP) algorithm was quickly supplanted by the stronger Wi-Fi Protected Access (WPA), which, in a more current form (WPA2), remains prevalent today. Internal regulation within industries may lead to the adoption of measures analogous to building codes – a model already proposed by contributors to organizations such as the IEEE – but the most well-developed of these in IoT so far focus primarily on devices within specific realms, such as medical systems, and not on widespread consumer devices or on the architectures of services on which the internet itself has been built for decades, where changes would be far from trivial, to say the least.

Not surprisingly, regulation to deal with externalities, such as that imposed by governments or regulatory bodies, is already being proposed. European Commission officials are already reported to be considering such requirements, but the model suggested – labeling of the kind already required in Europe for power consumption – seems grossly simplistic compared with the complexity of seeking to regulate the many variables involved in comprehensive security.

Tax: Companies can be taxed to encourage them to reduce their externalities, with tax revenue spent on repairing negative effects. For example, a carbon tax is used in many nations to reduce carbon emissions and to offset negative effects with tree planting. In the IoT case, this would be a complex ask – what exactly would vendors be taxed on, and how would it be measured? How would tax revenue be spent, and would there be a central agency responsible for spending tax revenue on resolving externalities? This method is better used where production means there will always be some externalities.

In cases where government regulation or taxation is considered, we must also keep in mind that we're talking about a market of devices originating from countries around the world. What sort of enforcement power can regulators use to make sure appropriate measures are taken in these devices? Requirements for things made in China cannot be enforced in Europe or North America – unless import restrictions enter into play. But how could even those be realistically enforced? Who would examine thousands or millions of devices, or even representative samples of a very open-ended range of technologies, to assure compliance? No matter which direction regulation goes, the costs would not be insignificant. Who would they fall on hardest, particularly when manufacturers have virtually zero commercial incentive to add cost to the price of things that are becoming more prevalent – not least because the cost of computing power necessary to make them 'smart' has fallen so low?

Liability: If not regulation, what about liability? Will the courts opportunistically take over where regulators have so far been unsuccessful or silent? And if so, what makes for a litigant's legal standing to do so? What constitutes damage that can be translated into tangible figures, and how can it be proven to a court's satisfaction? Hardly anyone would want to see society become even more litigious, but today it seems that a company might suffer more damage from serving too-hot coffee than it would from exposing the world to security weaknesses in IoT.

Note that it's not just technology makers and providers that may be left holding the liability bag. In the wake of last week's attacks, some device manufacturers themselves have apparently decided that the best form of defense is offense, and have threatened to sue for brand tarnishment those whose observations may have been construed as implying (overtly or otherwise) that they might have been negligent. In short, IoT security liability could become a gold mine for the legal world – but will it bring any lasting solution to IoT (in)security?

Technical mitigation in global networks: What about the role of ISPs in stopping these attacks once they arise? It is worth noting that attacks likely violate the terms of service for many, if not most, providers, giving them the standing to take more aggressive action. Providers are already ramping up more effective techniques to deal with DDoS attacks like those of last week. But as noted previously, the most immediate solution in the short run is to increase capacity – which still doesn't get to the heart of the matter in recognizing and stemming attacks from millions of compromised IoT systems before those attacks proliferate. There are ways to recognize and stanch emerging attack patterns that focus strictly on the technical aspects of network traffic, and it should be fully expected that the major providers will invest to do so, at least for the scale of DDoS attacks seen recently. But beyond the largest service providers, which have the resources and the motivation (since they may themselves be primary targets), the world is full of smaller providers not likely to be involved in such coordinated efforts. Should traffic content inspection enter into view, we would run directly into privacy issues, particularly for encrypted channels, which would open the door to ISP (and perhaps regulator) access to private content, while behavioral profiling introduces another specter that would likely meet with a poor reception from civil libertarians.

Outlook

So who really has the economic motivation to take action? As noted above, the major providers of fundamental network and cloud services have already become targets – and they have the resources and the means to act in a coordinated fashion. The largest consumers of these services among major corporations also have an interest in investing in better defense. But when it comes to raising the bar for the makers of the devices being exploited in these attacks, and the questions of safety for the general public that future attacks may well raise, the way forward will not be easy. The millions of consumers and organizations that purchase these devices value the low cost at which they have placed intelligence integrated with everyday functions within their reach.

As we noted in a previous spotlight on IoT vulnerability disclosure, consumer activism is one avenue that has demonstrated its effectiveness in the realm of safety. If public sector efforts to evaluate products fall short, perhaps a product rating and evaluation service may emerge in the private sector alongside those that already exist to help consumers make informed product choices. One way or another, changing the very nature of the IoT game for the sake of better security will come at a cost, which must be weighed against the imperative to take action to protect the world from the downside of increasingly connected – and allegedly smart – things. If this imperative doesn't stem from a commercial impulse, it will surely originate from the sphere of governance. Cyber warfare is a term that carries increasing provenance, and something like this attack, although carried out against relatively mundane targets, is indicative of where this debate is headed.



Scott Crawford

Research Director

Owen Rogers

Research Director, Digital Economics Unit

Christian Renaud

Research Director

Carl Brooks

Analyst, Service Providers

Adrian Sanabria

Senior Security Analyst
