Hackers Used the IoT to Create an Unprecedented DDoS Attack—Now What?

By Mary Catherine O'Connor

We asked security expert Dan Lohrmann what a massive cyberattack on cybersecurity journalist Brian Krebs' website means for the wider Internet of Things industry.

For years, security experts have been raising alarms about the poor security with which IoT products were being sold, saying that the failure to build strong authentication measures and other security features into products, from the ground up, would someday lead to a major breach—with perhaps a major manufacturer caught in the crosshairs.

On Sept. 20, that is what happened—except that rather than targeting a household brand, the hackers took aim at an investigative reporter, Brian Krebs, who covers cybersecurity.

Dan Lohrmann

In an attempt to take down his website, KrebsonSecurity, hackers infected a massive network of computers with malware, creating a botnet that perpetrated the largest distribution denial-of-service (DDoS) attack ever recorded.

What is perhaps most alarming about this attack is that the botnet that the hackers created largely comprised IoT devices, namely IP-based video cameras.

Akamai Technologies, which provided Krebs with cloud security services pro bono, deflected the attack for a day but eventually threw in the towel. (Google Shield, a service the search giant recently launched to protect journalists who come under attack from DDoS hacks, has since brought the website under its wing.)

In response to the attack, Shaul Levi, chief scientist at AVG Innovation Labs, a research arm of security software company AVG Technologies, wrote that this attack had broad implications. "The security of families' local data and devices will live or die based on protecting the central entry point to their home network. But equally, there's a responsibility to protect those devices from being used against society as a whole."

We asked Dan Lohrmann, chief security officer at Security Mentor, which provides companies with security awareness training, for his take on the attack. What follows is a transcript of our email-based interview.

IOT Journal: Were you surprised to hear of the DDoS attack on Krebsonsecurity.com?

Dan Lohrmann: Yes, I was shocked by the size of the DDoS attack against Krebs' blog. I was also really surprised by the scope of the IoT botnets used against him.

This was a new type of high-powered DDoS not seen before. According to the Krebs, this was almost double the size of the largest previous DDoS attacks. Krebs wrote:

"The assault was 620 Gbps in size... previously (DDoS attacks) clocked in earlier this year at 363 Gbps... The huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices..."

I wonder: Why did they attack the Krebs' website? Was this to prove a point or demonstrate new botnet capabilities? It certainly could have been for the retaliation reason offered by Krebs: "the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service."

However, it could also have been to get global attention since Krebs is a top cyber blogger. Or, was it to prove a point to [the hacker's] potential clients that the power of such direct attacks are real and can have an impact?

IOT Journal: How key were the IP-based security cameras to the success or scale of this attack? It sounds like the malware, Mirai, was designed specifically to leverage Internet of Things devices that were online, with poorly protected passwords and were therefore vulnerable. Could something of this scale been perpetrated without such IoT devices?

Lohrmann: It's hard to know exactly how many of the attacking machines were IP-based cameras, but clearly they were a very large part of the mix. According to Akamai: "The majority of these devices were identified as security cameras and DVRs and were used in 'Small Office/Home Office' setups. We've confirmed that many of these devices use either easily guessable (admin, password, 1234) usernames and passwords or the default passwords originally configured on the devices. Additionally, the attack included a substantial amount of traffic connecting directly from the botnet to the target, rather than reflected and/or amplified traffic, as seen in recent large attacks using NTP and DNS vulnerabilities."

Some sources were saying that over 1.5 million connected cameras were involved. Connected cameras generally have high-speed Internet access and make prime targets.

The hackers found a vulnerability that allowed them to take control of the devices' underlying Linux operating system when they typed a random username with too many characters. Once they had control, they planted malware on the devices and turned them into bots.

The second question is much easier. Mirai did play a huge role. In this case, the vast scale of unprotected devices clearly played a significant part in this attack. Nevertheless, I would not go as far as to say that there are no other ways to increase the scale of DDoS attacks. The bad guys are constantly coming up with new approaches to hack.

IOT Journal: Since the attack, the code behind Mirai has been shared publicly. Do you expect similar or larger attacks are imminent?

Lohrmann: Absolutely. It is already happening. Forbes reported that tens of thousands of Internet of Things devices, including unsecure routers, digital video recorders (DVRs) and connected IP cameras, were involved in other significant DDoS attacks since the Krebs attack.

I certainly expect much more to come in this area.

IOT Journal: If you were a manufacturer of IoT devices, how would you respond to this attack? What should providers of IoT devices be doing that they're not?

Lohrmann: As noted in our last interview, manufacturers need to build security in from the start. At a basic level, IoT devices cannot ship with default credentials, and the access to web-based administrative interfaces needs to be secure.

In addition, the Cloud Security Alliance (CSA) has just released a guide to securing Internet of Things devices. The report has 13 recommendations. Some recommendations include the need for developers to implement a secure firmware and software update process from day one.

It suggests securing product interfaces with authentication, integrity protection and encryption, as well as obtaining an independent security assessment of the IoT products in production.

Also, the wider network interfaces must be secure. The report recommends securing the companion mobile applications and/or gateways that connect with the IoT products, as well as implementing a secure root of trust [hardware and software components secure by design].