On 21 October 2016, a massive distributed denial of service attack targeting Dyn, an American provider of underlying internet name services, caused internet outages across the Eastern United States. Prior attacks using the same techniques targeted journalists and French hosting provider OVH. In these attacks, millions of internet of things (“IoT”) devices were subverted, unbeknownst to their owners, and used in attacks across the internet. These attacks are just the beginning, and we expect more attacks in the coming months as more and more bad actors begin to exploit these weaknesses.
A New Strain of Evil: Mirai
These attacks are driven by an attack vector known as the Mirai botnet, which exploits default, hard-coded passwords in many common IoT devices, such as network attached video devices and network cameras. Of note, contrary to many media reports on this issue, these attacks are not at all sophisticated; they simply make use of widely-known default passwords for these devices. Once an IoT device is infected, Mirai sets to work infecting neighboring devices. When the attacker is ready, a network of these devices is directed to attack a larger target, leveraging the combined resources from thousands of internet connections to launch a “denial of service” attack, flooding a target with so much traffic that it is unable to respond to legitimate requests.
To explore the scope of Mirai, the Cyber Forensics group at Duff & Phelps created a “honeypot” by placing a decoy computer on the internet designed to appear to be a vulnerable IoT device. In less than 10 minutes, our computer received over 350 connections from 174 unique IP addresses. These connections came from Brazil, Turkey, China, Eastern Europe and many other countries around the world. Some estimates indicate that a typical IoT device will be infected by Mirai within five minutes of being placed on the internet. Removing Mirai is as simple as rebooting a device; however, the device will almost certainly be re-infected within minutes if turned back on.
These attacks have sparked debate on the need for manufacturers of IoT devices to prioritise security in the design of their products. Almost by definition, IoT devices are designed to be accessible over the internet, and not simply from a user’s home network. This makes security easy to overlook but essential, as attacks can come from anywhere in the world. Many of the devices include an administrative console (command shell) accessible over Telnet, a communication protocol that dates back to the 1960s. Telnet has been superseded by more secure protocols such as secure shell (“SSH”), but it remains in the background in many contexts because it demands low network resources and is very easy to deploy. Attackers are continuously scanning the internet for devices listening on particular ports, because certain applications using these ports have known vulnerabilities. In the case of Mirai, attackers targeted devices listening on transmission control protocol (“TCP”) port 23, and cycled through various default passwords, hoping to compromise a vulnerable device. Port 23 is a well-known port used by Telnet.
As mentioned above, Mirai is exploiting default passwords which are hard-coded into the device. To make matters worse, the default password on many of these devices cannot be changed easily by the consumer because the software needed to reset the password is not included. Although the consumer devices do not require Telnet to operate normally, some manufacturers have left Telnet administration capabilities enabled, presumably for debugging purposes and maintenance operations.
Containing the Outbreak
In the wake of the attack on Dyn, Chinese manufacturer Hangzhou XiongMai, which produces components for many of the affected devices, issued a limited recall. XiongMai’s market size is difficult to quantify, because not only does it manufacture a line of network security cameras, it also sells control boards to literally hundreds of other security camera manufacturers.
The scope of the Dyn attack has triggered renewed interest in government regulations on device security for IoT devices on the market. Some in the information security community are calling on regulators to mandate minimum security standards for devices. The effects of such policies are difficult to predict, especially as the attacks take place across jurisdictional boundaries.
A variety of measures have already been proposed within the information security community to combat Mirai and other attacks served from botnets. One proposed measure calls upon internet service providers to block traffic to consumer connections on TCP port 23. Right now, most consumer ISP’s block inbound traffic to, and outbound traffic from, customers over port 25, which is used to send email. This policy dates back to the 1990s, and has been highly effective in preventing spam email. It would be relatively trivial for an ISP to extend this policy and block port 23 as well. ISP’s could make policies re-enabling it only at the request of the ISP customer. This change would only minimally impact consumers, while effectively mitigating much of the risk posed by Mirai; however, this solution works only for Mirai and the logical question is how many ports ISP’s should block as new vulnerabilities come to light.
Some commentators are calling for a shift in regulatory posture, and are suggesting specific legal changes to make manufacturers liable for damage caused by their devices. Right now these devices operate under an end-user license agreement that assigns all liability to the user or owner. If laws were enacted to assign liability to the manufacturer in case of negligence with regards to cybersecurity, manufacturers would be forced to build more secure products.
Others are suggesting that some sort of standards body be established to test and certify networked devices. Software and hardware would be sent to this lab and tested by experts, and would only be available for sale if its security was validated by an outside lab. Others have contended that such legislation is ineffective against attacks from around the world; devices in a county without such regulation could attack one with such protections.
On 5 December 2016, the United States Federal Communications Commission (“FCC”) released a letter to Virginia Senator Mark Warren, which included a “risk reduction” work plan addressing the security of IoT devices. The risk reduction proposal was placed on hold by the FCC pending the transition of the new presidential administration in late January. This is noteworthy, as it is the first time the FCC has entered the fray in potentially regulating IoT devices, which it proposes to do subject to its existing legal authorities, and such action may prove controversial. Elements of the agency’s proposed rulemaking include “cybersecurity certification (possibly self-certification)” and a labeling requirement to educate and to allow consumers to evaluate cybersecurity risks of products or services.
Some in the United States are even calling on the government, through the National Security Agency, to simply “brick”, or remotely destroy, all devices that are infected. The approach here is akin to the public health arguments used when sick individuals are quarantined, or when a dilapidated house creates a hazard to surrounding structures and is demolished. These infected devices pose a public health risk to the internet, and many believe that it is appropriate for authorities to take drastic action to maintain this key infrastructure.
It is worth noting that we are already seeing counter-Mirai malware, which logs into these devices and secures them against further attacks, before deleting itself. This protects the devices from further exploitation without causing undue disruption. At this time, it is unknown who is behind these attacks, but this well-meaning, legally questionable repair effort illustrates that many avenues exist to retroactively secure the network from compromised devices.
A New Threat Requires a New Approach
Manufacturers throughout China and beyond will be impacted by both judicial, legislative and regulatory intervention as well as increased consumer awareness as to the dangers of internet connected devices. As new regulations are enacted, manufacturers will need to adapt their designs and processes to accommodate the new laws, as well as deal with the cost of obtaining certification. Similarly, increased consumer awareness will drive the marketplace towards more transparency and stricter guarantees of product quality. The cost and efficacy of such changes remain unknown, but will undoubtedly reveal themselves in the coming year.
Lastly, it is worth considering that a single company, Dyn, was relied upon by hundreds of very large players, including PayPal, Twitter, Reddit, Spotify and The New York Times. When Dyn was under attack, these companies, and their users, were as well. Businesses and institutions are increasingly outsourcing core operations to third parties. While this carries with it significant cost and efficiency improvements, it also makes those businesses wholly dependent on outside infrastructure. Adding a secondary DNS service provider is an easy way to mitigate attacks such as the one on Dyn. Designing distributed systems that are resilient to other attack outages remains a difficult problem for computer scientists, and a highly important area of current information security research.
Solicitors and in-house counsel representing clients in the device manufacturing industries should pay close attention to the potential for regulations in light of this new threat. Clients should also be cognizant of the potential shift of liability risks from the hacking of IoT devices to the manufacturers in a number of circumstances. When hiring outside vendors, law firms and legal departments should also be aware that the network and hardware vulnerabilities of their third-party providers could affect their operations and their clients.