28 Oct 2016
IoT Insecurity – The New Menace Taking Down the Internet
On Friday, October 21, 2016, at the start of the working day in North America, major portions of the Internet were seemingly “down” or unavailable. This included Internet giants like Amazon, PayPal, CNN and others. Internet users saw error messages as they tried to load those websites, or were stuck waiting while the pages stalled loading.
This post explains what happened on October 21, how the Internet of Things (IoT) played a major role in these attacks, and Intrinsyc’s role in mitigating future attacks.
Figure 1 – IP Camera – cameras like this were responsible for participating in the attack
Before we can explain what happened, we need to explain several key elements of the attack. Dyn Inc., a provider of DNS (Domain Name System) services, was flooded with requests that were part of an extraordinarily large DDoS (Distributed Denial of Service) attack. We must understand these two terms before we can proceed.
DNS (Domain Name System)
The Domain Name System (DNS) is the address book of the Internet. Every computer or device on the Internet has a globally unique and addressable Internet Protocol address, which is a 32-bit (IPv4) or a 128-bit (IPv6) number. The role of DNS is to translate user-friendly names such as “www.intrinsyc.com” into the appropriate address of the computer, in this example, 18.104.22.168.
A key point is that there is no central authority that has the entire list of all the names on the entire Internet – the database is distributed among many computers spread out through the Internet. So when you enter “www.intrinsyc.com” in your browser, your computer reaches out over the Internet to find the address of the machine hosting that website. A simplified explanation of how a DNS lookup is performed follows.
The very first query your computer does is to find out who has information about “.com” names. This goes out to a set of 13 (well-known) servers spread throughout the world called the root servers. These servers are extremely powerful, redundant, highly connected machines that power the entire DNS system and the operators of these servers have spent a lot of time and money to ensure they stay running. After one of these machines receives your query, you get a reply back which is a list of servers that can handle requests involving “.com”.
Your computer then reaches out to one of those servers trying to find out who can handle a request to “intrinsyc.com”. It then gets back a much smaller list of servers who are configured to handle a request for “intrinsyc.com”. Finally, it uses that list of servers and asks them what the IP address of “www.intrinsyc.com” is, getting back 22.214.171.124.
Your browser then takes that address and establishes a connection to 126.96.36.199 to retrieve the homepage of Intrinsyc.
All these accesses increase browser pageload times (it can take several seconds to do a lookup) so DNS servers implement caching – it is not necessary to look up the list of servers for “.com” each time because changes to the server list happen infrequently. This speeds up lookup time for browsers and other internet applications and reduces server load by not having to answer so many queries.
Figure 3 – Illustrated DNS Lookup
DDoS (Distributed Denial of Service)
A Distributed Denial of Service (DDoS) is a broader form of the Denial of Service (DoS) attack. The fundamental nature of the attack is in the name – that is, to cause a service to be denied. Thus users are unable to utilize services provided by the remote computer, which may include retrieving web pages for viewing, online gaming, e-commerce, etc. These attacks typically happen by flooding the remote computer with many legitimate-looking requests, overloading the computer and rendering it unusable.
In a Distributed Denial of Service attack, these requests flooding in come from many, many, many Internet users. While in a DoS the attack usually comes from a few hosts (and is easily blocked at the firewall), a DDoS employs thousands to hundreds of thousands of computers making requests simultaneously, making it extremely difficult to block, or even to filter out the illegitimate requests of these machines from legitimate requests made by users trying to access the service.
Dyn Inc. is a provider of hosted DNS solutions. That is, they offer many DNS-related services, including hosting their own set of DNS servers so owners of domains do not have to manage their own DNS servers in-house. On Friday October 21, 2016, the DNS servers Dyn provides were suddenly flooded with traffic, bogging them down and making them unresponsive to new queries.
With Dyn’s DNS servers effectively offline, users trying to access affected websites were stuck as their computers failed to translate the names to IP addresses. After a few hours, the attack let up and users were once again able to resolve the hosts and visit those websites. Around noon Eastern time, the attacks resumed, making those sites unreachable again.
These attacks prepended random names to the domain to render caching ineffective (e.g., instead of looking up “www.intrinsyc.com” one device would look up an invalid host like “00000001.intrinsyc.com” while another would look up “00000002.intrinsyc.com”). Since each is a new request, the server must process each independently and can’t rely on a cache to help out. This also has a secondary effect: the caches themselves get overloaded by caching data that will never be looked up again.
The interesting point is that while Dyn was unreachable, the websites affected were completely accessible. The fundamental issue was the inability of client computers to look up the vital IP addresses needed to connect to those websites.
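The random-name queries described above leave a recognizable pattern in resolver logs: for one zone, almost every queried name is distinct and nonexistent, and the queries come from many clients. The following sketch is an added example, not code from the original post or from Dyn; the log format (`client qname rcode`), the thresholds, the two-label zone guess and the sample lines are all assumptions made for illustration.

```python
from collections import defaultdict

def zone_of(qname, depth=2):
    # Assumption: the zone is the last `depth` labels. Real tooling would
    # consult the Public Suffix List instead of this naive guess.
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])

def find_random_name_floods(log_lines, min_queries=10,
                            min_unique_ratio=0.9, min_nx_ratio=0.8):
    """Flag zones whose queries are nearly all distinct, nonexistent names."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "clients": set(), "nx": 0})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, rcode = parts
        s = stats[zone_of(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["clients"].add(client)
        s["nx"] += rcode == "NXDOMAIN"
    findings = []
    for zone, s in sorted(stats.items()):
        unique_ratio = len(s["names"]) / s["queries"]  # 1.0 = cache never helps
        nx_ratio = s["nx"] / s["queries"]              # share of invalid hosts
        if (s["queries"] >= min_queries and unique_ratio >= min_unique_ratio
                and nx_ratio >= min_nx_ratio):
            findings.append({"zone": zone, "queries": s["queries"],
                             "unique_ratio": unique_ratio,
                             "nx_ratio": nx_ratio,
                             "clients": len(s["clients"])})
    return findings

# Constructed sample log (documentation address ranges and example domains).
NORMAL = [
    "198.51.100.7 www.example.com NOERROR",
    "198.51.100.8 www.example.com NOERROR",
    "198.51.100.7 mail.example.com NOERROR",
    "198.51.100.9 www.example.com NOERROR",
] * 3 + ["198.51.100.7 wwww.example.com NXDOMAIN"]  # one ordinary typo
FLOOD = [f"203.0.113.{i} {i:08d}.example.net NXDOMAIN" for i in range(1, 21)]
SAMPLE_LOG = NORMAL + FLOOD

if __name__ == "__main__":
    for finding in find_random_name_floods(SAMPLE_LOG):
        print(finding)
```

The ordinary traffic for example.com repeats a handful of names, so its unique ratio stays low and it is not flagged even though it contains one NXDOMAIN typo.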
What’s Different This Time Around?
DDoS attacks are not rare. In fact, they’re so common most sites don’t bother reporting the events. However, what makes this attack special is the sheer number of websites affected, and even more importantly, the source of the attack.
In a traditional DDoS attack, hackers normally compromise a bunch of computers, typically those running the Windows operating system. They do this through various known vulnerabilities in Windows, many of which are fixed in various Windows updates. Other ways of infecting your machine include visiting questionable websites that download and run executable code (using exploits in, say, Java, Flash, or Acrobat Reader (PDFs)). Or they email a link to an executable or an Office document that infects the machine when you download and open the file.
In this case, the devices making the requests were not computers, but Internet of Things (IoT) devices like surveillance cameras, digital video recorders and other devices of convenience. What makes this possible is that a large majority of these devices are actually made by one company, but sold under many different brands. This means a single vulnerability in one device can often be exploited on many such devices, easily numbering into the millions.
Mirai is the name of one such piece of exploit software – it scans for vulnerable devices and when it finds one, it runs the exploit in order for third parties to take control of the device. To make things more complicated, the source code to Mirai was released earlier in the month, enabling any hacker to quickly download, modify and compile their customized version of the Mirai exploit kit and infect many IoT devices at once.
The sheer number of IoT devices has also accelerated the scale of the attacks – an earlier attack on Brian Krebs’s website (see Resources below) achieved a total attack bandwidth of over 620 gigabits per second. Few home connections achieve 1 gigabit per second speeds, most achieving well under 100 megabits per second. And the next generation attacks are expected to reach speeds of over 1 terabit per second. There is no technology in the world that can sustain this sort of traffic and remain functional.
The other difference is that instead of attacking the service itself (most DDoS targets are a specific website), the attack focused on the infrastructure of the Internet. By concentrating the attack on Dyn, any website using Dyn’s services was effectively offline even though it was not handling unusually heavy loads.
How Does IoT Make DDoS Easier?
IoT enables many devices to be easily accessible over the Internet. They offer the added convenience of being able to check up on the house while away from it, see who is at the door, or even take deliveries while away. The big problem is few of these devices have taken the necessary security precautions to prevent them from being hacked. IoT is a hot field and more and more companies are rushing product out to be the first to market, and while doing so they often ignore basic security precautions and the customer ends up being hacked.
Such issues include remote access interfaces that are often left in “for debugging purposes” but secured with a well-known public password. The administrative interface (usually a webpage) may be secured by a default password that remains unchanged (attacks involving home routers usually choose this method of exploit). The device may also run out-of-date software containing well-known flaws that make it easy to exploit and hack.
In addition, many of these devices are set up and left alone – most users will simply plug it in and get it working, but fail to protect themselves by changing passwords or security settings.
Shodan (see Resources) is a “search engine for IoT” devices. It scans for improperly configured IoT devices using default passwords, or those with well-known administrative interfaces that are publicly available on the Internet, and exposes them to simple searches users can perform. You can use it to search for cameras that are publicly viewable, whether or not the owners intended it to be that way. Insecam (see Resources) is a similar site that catalogs insecurely configured IP cameras that are exposed for public viewing.
If you own any sort of IoT devices, you can use the IoT Scanner (see Resources) to see if any are vulnerable or inadvertently publicly accessible and secure your devices from being a participant in these attacks.
Finally, the sheer number of these devices makes them attractive targets. While a traditional hack on a PC would net thousands of computers, a successful hack on common IoT devices can net millions, if not more. With estimates of over five billion installed IoT devices by the end of 2016, any attack that works on even 1% of devices represents a significant number of devices. The more devices available, the faster an attack can proceed.
Figure 4 – Xiongmai Technology announced a recall of its turnkey IoT IP camera modules implicated in the attack
Intrinsyc is a supplier of IoT devices. Are Intrinsyc’s devices secure?
Intrinsyc is a supplier of IoT devices and our customers build products based on our devices. Our devices support Linux and Android operating systems and both operating systems are very secure and contain the latest in security technology. Our devices are not sold to retail customers where the customer needs to change passwords or adjust security settings. Our products are sold to manufacturers who in turn sell industrial, consumer or enterprise products based on our products. It is our customers’ responsibility to ship secure products to their customers – it would be impossible for us to dictate to our customers that they ship secure devices – and therein lies the problem. Even though Intrinsyc supplies state-of-the-art secure products to our customers, our customers are in control of the software and can ship products to their customers that are not secure. Furthermore, there are no standards or certification bodies, or laws, to ensure that products are shipped with secure software. Unlike UL and CSA certifications for health and safety, there are no rules to ensure secure products are sold. As a supplier of IoT devices, we do work with our customers to make sure they understand the importance of security and that they are using industry best practices to ensure their products are secure.
James Ng is an Embedded Software Engineer for Intrinsyc Technologies. He has worked extensively in embedded connected devices running Linux, Windows Embedded, and Android. James has a Bachelor’s of Applied Science in Computer Engineering from the University of British Columbia.
Resources
Brian Krebs, KrebsOnSecurity discusses many IoT vulnerabilities and was knocked offline by Mirai with an unprecedented 620Gbits/sec attack – https://krebsonsecurity.com/
Dyn, Inc., statement on the attack – http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html
IoT Scanner – detects if you have any vulnerable or easily attacked IoT devices on your network – http://iotscanner.bullguard.com/
Shodan – the IoT search engine – https://www.shodan.io/
Insecam – catalog of insecure IP cameras for public viewing – http://www.insecam.org/