December 2016
Volume 31 Number 13
[Editor's Note]
The Internet of Pwned Things
By Michael Desmond | December 2016
.jpg "Michael Desmond")
In the September issue of MSDN Magazine last year, I wrote about a pair of hackers who demonstrated how they could seize control of a Jeep Cherokee SUV over the Internet, cracking the car’s infotainment system to manipulate brakes, transmission and other controls (“The Internet of Car Wrecks,” msdn.com/magazine/mt422336). As I wrote at the time:
“I see all this as an early test of the Internet of Things (IoT) concept. Carmakers are not uniquely negligent in securing IoT systems—by most accounts, almost everyone is bad at it—but the risk they face is severe.”
I didn’t know the half of it.
On a quiet Friday in October, millions of webcams, digital video recorders (DVRs) and other connected consumer devices rose up to mount a sustained distributed denial of service (DDoS) attack against Domain Name Server (DNS) provider Dyn. The digital assault hauled down the Dyn DNS service and denied access for millions of people to prominent Web sites and services, including Twitter, Tumblr, Amazon and Netflix.
Of course, DDoS attacks are nothing new. Since the turn of the century hackers have been leveraging infected client PCs and servers to act as packet-hurling zombie armies that overwhelm targeted Web sites and services. This time the attack came not from infected computers but from a vast pool of compromised Internet-connected devices. The resulting assault was unprecedented in both size and character, overwhelming the Dyn infrastructure and causing its DNS service to fall offline.
Security experts have been warning for years about the proliferation of unsecured or lightly secured devices as part of the IoT movement, and now the chickens are coming home to roost. The attack, executed using Mirai malware, involved tens of millions of IP addresses to become the most massive DDoS campaign in history, outpacing the 620 Gbps attack aimed at the KrebsOnSecurity site in September.
How were hackers able to seize control of such a vast army of IoT devices, you ask? By using the sophisticated technique of attacking the devices with their default passwords.
I hope you’re detecting the sarcasm here, because I’m laying it on pretty thick.
The IoT promises to usher in a golden age of intelligence, automation and control, where millions of smart devices communicating and working in concert promise to transform everything. But the failure to secure these devices, or to establish an industry standard to set a benchmark for securing them, is producing some grim outcomes. Call it the Internet of Pwned Things.
The sad fact is, we had a chance early in this revolution to do the right thing. To take security seriously and establish a hardened fabric of connected devices that could, at the very least, resist the inevitable forces that would seek to exploit them. But we didn’t do that. Even carmakers, whose products could place their customers in mortal peril, failed to take rudimentary steps to secure their devices.
But on a quiet Friday in October, everything changed. And maybe now we will see meaningful action to secure and protect the devices that we expect to shape the digital landscape for decades to come.
Michael Desmond is the Editor-in-Chief of MSDN Magazine.