Could the Mirai botnet that took down a substantial portion of the most popular sites on the Internet a few weeks ago wreak havoc on Election Day? What does the Internet of Things-based malware bode for the near future of Internet security?
Since the Mirai attack, a number of security professionals have expressed concern about a similar attack on Election Day, not to disable or alter voting machines or vote tabulation computers but instead to create fear, uncertainty, and chaos across sites that U.S. voters would want to access tomorrow, such as news, maps, and social media. One of them is Brian Knopf, who for years has worked to build and secure Internet of Things devices for Belkin and is now working on an IOT user identity product at Neustar.
“We’re seeing a shift where the whole idea of taking the Internet down is a very real possibility. I actually expect a very big attack on November 8,” Knopf told The Parallax. “You don’t have to hack the election; you just have to imply that you’ve hacked the election.”
Regardless of whether there is a massive Internet disruption timed with the U.S. election, security experts agree on one thing: As more Internet-connected devices come online, they will continue to be exploited by hackers until stronger security protocols have been implemented. And because many of these devices can’t be easily updated, or even updated at all, the long-term consequences of Internet of Things’ vulnerabilities will be a less secure, less stable Internet.
The Internet of Things, a catchall phrase that describes connecting everyday devices such as refrigerators, door locks, and watches to the Internet, is rapidly growing. Market research firm Gartner concluded in April that “6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 11.4 billion by 2018.” Gartner’s numbers appear to bear out for at least one company: chipmaker Intel, which grew its IOT business by 14.3 percent year-over-year to $1.912 billion in the third quarter of 2016.
Gartner also predicts that security spending on IOT will increase, but at a fraction of IOT revenue, from $348 million in 2016 to $547 million in 2018. That takes us to the current situation with the Mirai botnet, with more than 500,000 hacked Internet of Things devices spread across 164 countries, linked together through open-source malicious software, which can be used to overwhelm targets with Internet traffic in order to prevent anybody else from accessing the target.
Mirai has been used successfully several times to cause irritating but ultimately temporary havoc, most notably to disrupt Dyn, an Internet services company through which access to Netflix, PayPal, Spotify, Twitter, Reddit, and thousands of other websites flows, with a distributed denial-of-service attack; to force a journalist off the Internet; and to block Internet access to an entire country.
Despite the breadth of Mirai, it appears that its full power has yet to be tapped. The September 20 attack against computer security journalist Brian Krebs was 630 gigabytes per second. A few days later, the French Web host OVH was hit by an attack of 1.1 terabytes per second. Dyn says the attack against it could have been as strong as 1.2Tbps, double the attack against Krebs, but it used only about a fifth of the devices infected with the malware that drives the botnet. Larger, more disruptive, and possibly destructive attacks are nearly a given, says Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council.
“There is no single silver bullet to fix this. The default state of the Internet of Things is vulnerable,” he says. Because Mirai is open source, “any adversary can harness those devices, destroy them, or compromise them. You can send spam, you can send DDoS attacks. You can rent out the botnet, sell the botnet, or do hacktivism. An unpatchable device represents more risks to the Internet of Things than other threats.”
Although the Mirai botnet is hardly the largest ever (that dubious honor can be given to decade-old viruses and worms like Conficker, Cutwail, and Storm), the near-impossibility of removing Mirai from these devices makes shutting it down far more difficult. Corman calls it the “canary in the coal mine,” a “manifestation of security debt we’ve been allowed to accumulate.”
He’s not alone in trying to sound the alarm about IOT security. Allan Friedman, the director of Cybersecurity Initiatives at the National Telecommunications and Information Administration in the U.S. Department of Commerce, said on a recent press call about the Mirai botnet that some manufacturers are starting to take IOT security more seriously.
“One [manufacturer] started a recall of their products,” he said, alluding to a Chinese IOT device maker whose products were infected with Mirai and part of the Dyn attack. “Part of the role of government here is to create the rooms necessary to have these conversations. There has to be collaboration between technologists and manufacturers,” Friedman says.
Because so many of the devices infected with Mirai are not updateable through traditional means, and the Mirai botnet itself prevents most other botnets from infecting a device controlled by Mirai, removing it is incredibly difficult, Knopf says. One proposed solution is a “white worm,” a virus designed to infect IOT devices already infected with Mirai and close the vulnerability that allows Mirai to function. However, this has not been tried as of yet.
“There need to be standards put out there, and we need to enforce them internationally. Most manufacturers are in Taiwan and China. If they don’t change, we’re going to keep getting poor-quality products,” he says.
Getting manufacturers to change is no trivial task, either. For many, security researcher Robert Graham says, profit margins are just too small to secure every device.
“If you require the ‘thing’ to be secure out the door, innovation on the Internet will go away,” he says. “You won’t have small companies making innovative devices. You’ll have whatever General Electric wants to ship to you. The cost of bad security has been tiny—we had a brief disruption in the morning [of the Dyn attack], and that was it.”
While that may be true for some manufacturers, others consider the cost of security an essential part of the product development process. Nathan Smith, co-founder and chief technology officer of Wink, which makes a hub that manages home IOT devices from lightbulbs to toasters, says his company spent $100,000 having General Electric test the security of the Wink hub. Wink then spends $100,000 to $200,000 per month to connect the 1.7 million Wink hubs in the market to its servers, at a cost of 10 cents to 20 cents per device. That’s just the computing power; it doesn’t include the cost of Wink’s employees.
“The cost to run our servers is not something that we add to the product,” he says, because while there are cheaper competing products out there, “we offer a different class of product. It’s the difference between buying a car that runs, and one that needs a lot of work.”
The Mirai botnet has infected devices like cheap video surveillance cameras that are unprotected by firewalls, have unchangeable passwords hard-coded into the device, and have software ports exposed to the open Internet. That worries Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA, because many Internet-connected medical devices used in hospitals and exam rooms have been built the same way.
While the FDA has issued guidance for manufacturers making Internet-connected medical devices that advises not making the same security missteps exploited by the Mirai botnet, including hard-coding passwords into devices, and outlines how to manage insecure devices already in use, there’s no low-cost way to replace insecure medical devices.
“Enough ransomware attacks involving hospitals in the U.S.—and outside the U.S. as well—have interfered with the ability of the hospital to carry out its normal activities,” Dr. Schwartz says. “Such a botnet could be deployed through medical devices and is problematic. This is not theoretical, and can be very real.”