Building the IoT monster

When Mary Shelley wrote Frankenstein, she imagined the misguided doctor assembling his creature from dead body parts, who instead of elevating science, created something dark and terrible. A modern day Mary might well imagine the monster being assembled, not from arms and legs, but from nanny-cams, door locks, and DVRs.

It would be hard to miss the events of the past few weeks. In September, security reporter Brian Krebs was hit by a massive DDoS attack. Within a few days, hosting company OVH was hit with an even larger DDoS attack, peaking around 1Tbps.

What marked these attacks as especially worrying was the use of a relatively small number of compromised IoT devices (around 150,000) to generate such a significant attack. The source code for the software used, Mirai, is already in the public domain (here’s a snippet):

typedef uint8_t ATTACK_VECTOR;

#define ATK_VEC_UDP 0 /* Straight up UDP flood */
#define ATK_VEC_VSE 1 /* Valve Source Engine query flood */
#define ATK_VEC_DNS 2 /* DNS water torture */
#define ATK_VEC_SYN 3 /* SYN flood with options */
#define ATK_VEC_ACK 4 /* ACK flood */
#define ATK_VEC_STOMP 5 /* ACK flood to bypass mitigation devices */
#define ATK_VEC_GREIP 6 /* GRE IP flood */
#define ATK_VEC_GREETH 7 /* GRE Ethernet flood */
//#define ATK_VEC_PROXY 8 /* Proxy knockback connection */
#define ATK_VEC_UDP_PLAIN 9 /* Plain UDP flood optimized for speed */
#define ATK_VEC_HTTP 10 /* HTTP layer 7 flood */
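As an added example (not from this post and not Mirai code), the following Python maps constructed flow records onto the vector IDs from the header above, the kind of triage a responder does before choosing a mitigation; the record field names, the 60% dominance threshold and the distinct-name ratio used to separate DNS water torture from ordinary DNS load are assumptions.

```python
"""Triage observed flood traffic against the Mirai attack-vector IDs quoted above."""
from collections import Counter

# Vector IDs copied from the Mirai header above (ID 8, PROXY, is commented out there).
ATK_VEC = {"UDP": 0, "VSE": 1, "DNS": 2, "SYN": 3, "ACK": 4, "STOMP": 5,
           "GREIP": 6, "GREETH": 7, "UDP_PLAIN": 9, "HTTP": 10}


def classify(flows):
    """flows: list of dicts (assumed schema: proto, dport, flags, payload, qname).
    Returns (vector name, Mirai ID) for a dominant pattern, else a label and None."""
    votes, qnames = Counter(), set()
    for f in flows:
        proto, dport = f["proto"], f.get("dport")
        payload = f.get("payload", b"")
        if proto == "GRE":                                  # IP protocol 47 floods
            votes["GREIP"] += 1
        elif proto == "TCP":
            if dport == 80 and payload[:4] in (b"GET ", b"POST"):
                votes["HTTP"] += 1                          # layer-7 flood
            elif f.get("flags") == "S":
                votes["SYN"] += 1                           # SYN without ACK
            elif f.get("flags") == "A":
                votes["ACK"] += 1
        elif proto == "UDP":
            if dport == 53 and f.get("qname"):
                votes["DNS"] += 1
                qnames.add(f["qname"])
            elif b"TSource Engine Query" in payload:        # Valve Source Engine query
                votes["VSE"] += 1
            else:
                votes["UDP"] += 1
    if not votes:
        return "UNKNOWN", None
    name, n = votes.most_common(1)[0]
    if n < 0.6 * len(flows):                                # no single dominant pattern
        return "MIXED", None
    # Water torture = unique random labels per query; repeated names are absorbed by caches.
    if name == "DNS" and len(qnames) < 0.9 * n:
        return "DNS_NORMAL", None
    return name, ATK_VEC[name]


# Constructed sample traffic: a SYN flood with a little background NTP, and a water-torture run.
SAMPLE_SYN = [{"proto": "TCP", "dport": 443, "flags": "S"} for _ in range(95)] + \
             [{"proto": "UDP", "dport": 123} for _ in range(5)]
SAMPLE_DNS = [{"proto": "UDP", "dport": 53, "qname": f"{i:08x}.example.com"} for i in range(100)]

if __name__ == "__main__":
    print(classify(SAMPLE_SYN), classify(SAMPLE_DNS))
```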

When considering the potential here, remember that at around 1Gbps, most organizations struggle to stay online, according to security firm Arbor Networks. A 1Tbps attack is, obviously, a thousand times bigger than that – something even a specialist hosting company struggled to manage.

And now, within a few weeks, an even larger DDoS attack appears to have taken place, also using IoT devices, impacting household names such as Netflix, Twitter, and Amazon, amongst others. Estimates vary wildly, from around half a million devices to potentially several million, but in the end it doesn’t matter how many devices were hit: if a well-coordinated attack using 150,000 devices can crank out a 1Tbps DDoS (and one presumes 500,000 can hit significantly higher numbers), then we’ve barely begun to feel the potential of this style of attack.

Remember, we’re talking about the IoT here. That means not hundreds of thousands, or even millions, of devices. The IoT will be measured in BILLIONS.

And sure, most of those will be safe and secure – or at least many of them – but take just five percent of a conservative 6 billion devices, and you end up with thousands of botnets capable of taking down pretty much anything you aim them at.

Enable those “things” to be controlled by an unfriendly nation state and you could see a massive impact on the US or global economy. Put them in the hands of professional hackers and criminal gangs and you have a death-star sized gun pointed at the head of every online business on the planet (and an upgrade from the traditional Low Orbit Ion Cannon).

We have a window of opportunity, a small one, to define security standards for IoT devices, to force manufacturers to adhere to them, and to name and shame those that don’t. Specifically, we should be looking at the kinds of safety certifications we already have for consumer devices, electrical goods, and other components, such as those provided by UL (the safety organization) or a similar body.

Consumers will likely be the first (and possibly last) line of defense against the widespread hijacking of the IoT to conduct assaults like DDoS attacks (and others); therefore they will need to be able to make intelligent, informed purchasing decisions. Flooding the market with poorly secured IoT devices could cause serious damage and, as we’ve seen, the IoT is already fertile ground for creative attackers.

As is usual in these cases, the window for implementing these standards is finite, and never lasts as long as we might hope. If we miss it, then the early days of the World-Wide-Wait will seem like a fond golden age. If we fail to force security as a primary attribute of the IoT, the world’s most powerful high-tech toolset could turn it into a very, very fallen angel indeed.