Don’t Blame “IoT” for Security Attack; Blame Lazy IoT Measures

Editor’s note: Mark Wright is Director of Product Management on the ARTIK team at Samsung Strategy and Innovation Center. 

By now you’ve heard or read plenty about the October 21st cyberattack that temporarily brought down a number of large websites. The Internet attack has been traced to the Mirai malware that did its damage through a massive distributed denial of service (DDoS) attack directed at Dyn, a domain name service (DNS) provider.

The DDoS attack swamped Dyn’s DNS system so that the websites using Dyn—which included Twitter, Amazon, Reddit, Spotify, Airbnb, Netflix, Tumblr, and others—became unavailable to users. That’s because without the DNS operating, the website URLs could not be translated to their corresponding IP addresses—essentially cutting off access to the websites.

The Mirai malware utilized a botnet of hacked connected home devices including IP video cameras, DVRs, and Wi-Fi routers. Because Mirai hijacked connected devices to launch its DDoS attack on Dyn, many people are saying that “the IoT” is to blame for the cyberattack.

Can We Blame IoT for the Attack?

So, can we pin the cause of the DDoS attack on the Internet of Things? Sort of, but not entirely. Let’s take a closer look.

For one thing, the connected devices in this case were primarily peer-to-peer; they did not use a secure IoT cloud. Technically, “real” IoT devices operate through cloud connections, rather than being just Internet remote-control or remote-viewing devices.

Additionally, the connected devices that the Mirai botnet hacked into mostly used default usernames and passwords that the devices had shipped with.

The Mirai malware has 68 username/password pairs programmed into it. It works by scanning the Internet for devices with well-known ports open (such as SSH and Telnet) and then trying those 68 pairs. When it finds a match, it gets access to the device, injects its malware, and takes over. In the October 21st event, tens of millions of Mirai-infected devices were ordered to launch a coordinated attack on the Dyn DNS system.

The important point here is that the vulnerability was not with IoT in general, but specifically with connected devices that had default or simple—and therefore extremely easy-to-guess—usernames and/or passwords. As a result, only a few easily recognized username/password pairs could be used to affect tens of millions of nodes.

What We Can Learn

There are a few important lessons that both manufacturers and consumers can take away from this recent cyberattack:

  • Manufacturers: Recognize how connected products are different from stand-alone products. Manufacturers need to change their mindset when designing and deploying connected products. They have to realize that they’re creating devices that will operate on the Internet, a public network. Their responsibility for the security and operation of those devices is no longer between just the manufacturer and its customers, but now also encompasses the rest of the world. Manufacturers need to think more like engineers or networking experts than like old-school manufacturers.
  • Consumers: Change default passwords. End users can’t be complacent or lazy about the security of the connected products in their homes. That means changing passwords and/or usernames for every product that’s set up, as soon as it’s set up. It also means changing passwords regularly, and resetting devices such as Wi-Fi routers with each new password.
  • Manufacturers: Enforce better security practices. With the Mirai attack, a mere 68 username/password pairs were able to infect tens of millions of nodes. By forcing users to change their passwords, manufacturers could significantly limit the effects of similar botnet attacks by eliminating the easiest-to-guess credentials. Of course consumers should change their passwords, but manufacturers need to take steps to compel consumers to do the right thing.
  • Manufacturers: Use secure mechanisms in your connected products. This includes adding hardware secure elements, a secure operating system (OS), secure boot image, and the use of up-to-date certificates.
  • Manufacturers: Remember that with IoT, the user interface becomes an app. Many of the connected devices commandeered for the Dyn DDoS attack used a web interface as their user interface. End users could change the passwords—but the password change was reflected only in the web interface. The devices also had a Telnet or SSH connection not accessible to users—designed for communications directly between the devices and the manufacturer, such as to update software—with a permanent username/password combination. Manufacturers need to make sure that end users can alter the passwords for all the connections. They shouldn’t assume that their customers “don’t need to know or access” certain portions of the devices.
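
The forced-change and all-connections points in the manufacturer bullets above, sketched as a setup-time check a device could run before it is allowed online. This is an added example, not code from the article or from the ARTIK platform; the `Service` model, the denylist, the 12-character minimum and the sample camera are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed denylist for illustration; a real product would ship a far larger one.
WEAK_PASSWORDS = {"", "admin", "password", "12345", "default", "root"}

@dataclass
class Service:
    name: str               # login-capable interface, e.g. "web", "telnet", "ssh"
    username: str
    password: str           # plaintext stand-in for a check against a stored hash
    factory_password: str   # value the unit shipped with
    user_changeable: bool   # can the owner change this credential?
    enabled: bool = True

def audit(services):
    """Return (service, problem) findings for every enabled login service."""
    findings = []
    for s in services:
        if not s.enabled:
            continue
        if s.password == s.factory_password:
            findings.append((s.name, "factory-default password still active"))
        if s.password.lower() in WEAK_PASSWORDS or s.password.lower() == s.username.lower():
            findings.append((s.name, "password is trivially guessable"))
        if not s.user_changeable:
            findings.append((s.name, "owner cannot change this credential"))
    return findings

def may_go_online(services):
    """Setup gate: refuse network activation until the audit is clean."""
    return not audit(services)

def change_password(services, new_password):
    """Apply the owner's new password to every changeable service, not only the web UI."""
    if new_password.lower() in WEAK_PASSWORDS or len(new_password) < 12:
        raise ValueError("password rejected by policy")
    for s in services:
        if s.user_changeable:
            s.password = new_password

# Constructed sample: a camera with a web UI and a vendor-only Telnet account.
camera = [
    Service("web", "admin", "admin", "admin", user_changeable=True),
    Service("telnet", "root", "vendor123", "vendor123", user_changeable=False),
]
```

On the sample camera, changing the password clears the web findings but leaves both Telnet findings, so the gate stays closed until that account is made changeable or the service is disabled.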

The Most Important Lesson: Use an IoT Platform

Designing and manufacturing IoT devices is complex and difficult. But as the latest Mirai cyberattack demonstrates, manufacturers of connected products can’t afford to practice “lazy IoT”.

The easiest and best way for manufacturers to ensure that their IoT products are as secure as possible—and that the security mechanisms are constantly updated as new security threats and technologies emerge—is to rely on an IoT platform such as the Samsung ARTIK Smart IoT platform.

An IoT platform provides manufacturers with:

  • Integration of security at the node (such as Secure Elements and a secure OS)
  • Secure cloud connections
  • Secure boot images and secured over-the-air (OTA) updates
  • Certificates that enable an IoT device to identify itself as well as what it’s connecting to
  • Device access control
  • Authentication of access and communications
  • Data protection and user privacy
  • Adherence to the latest security standards
  • Assurance that the manufacturer’s IoT devices stay up-to-date with security best practices

This allows manufacturers to concentrate on their device domain expertise, including validating device functions: for example, confirming that the communication a printer is attempting is valid. Should the printer be accessing Twitter?

The Samsung ARTIK Smart IoT platform encompasses end-to-end security features so manufacturers don’t have to spend time and resources becoming IoT security experts and staying up-to-date with all the nuances of IoT security.

Manufacturers still need to do things like requiring end users to change passwords. But using an IoT platform with end-to-end security capabilities will make it much easier for manufacturers to incorporate security best practices into their connected products. That will go a long way toward banishing lazy IoT, so that future cyberattackers have to work really hard to replicate the outages of October 21st.