Zombie Outbreaks, Inoculations and the IoT

By Jim Hunter

When fundamentally insecure devices are connected to the Internet of Things, this does a disservice not only to consumers, but to everything else on the internet.

Let me start by confessing that I'm not a big believer in immunizations. I'm not talking about the debate between vaccers and antivaccers, or any controversy around the effects of chemicals introduced into the body. Mainly, I just hate needles.

But I do realize the benefit of taking basic precautions to prevent infection and, more importantly, to prevent an outbreak. My issues with needles would be immediately resolved if a human zombie outbreak were to occur. If there was a zombie army that turned people into mobs of infectious and dangerous adversaries attacking with a single intent, I would be first in line for preventive treatment.

A very real kind of zombie attack is exactly what happened this past Friday, when an army of technological "zombies" were directed to relentlessly attack the DynDNS lookup service managed by New Hampshire-based internet infrastructure company Dyn.

For context, here's the abridged version of what happened: The DynDNS internet service keeps track of where many major websites "live." Essentially, it's the phone book of the internet. The zombies in this case were internet-based "things" that had been re-purposed by malware so as to mindlessly and repetitively attack the service en masse. The things were easy targets, as they'd had absolutely zero preventative care—their owners had never changed their default passwords.

When the Centers for Disease Control investigates an outbreak, the key is to find where it all started. In addressing the internet's zombie attack, the source traces back to a generous hacker by the name of "Anna-senpai," who released code for a program called Mirai. Mirai wanders about scanning for and infiltrating victim devices using the top 60 or so default usernames and passwords of internet-connected things. It turns out that an abundance of digital video recorders, routers and IP cameras have been purchased by their owners, then plugged in and operated using the default factory passwords—"admin," "1234" and the venerable "password." Once identified, Mirai was downloaded into them and they were infected. Mirai's sole purpose was to zombify these devices, and to force them to jointly perform a single purpose—relentlessly attack an internet target. On Friday, that target was the DynDNS service—the result was breaking the internet's phone book and wreaking all kinds of connectivity havoc on Github, Twitter, Amazon and a host of other sites and their users.

While the things' owners, having done nothing to protect these devices, were certainly part of the problem of adding to the zombie ranks, they are not really the ones who should be held accountable. The fact that a thing is even allowed to operate online with a default username and password is the bigger issue. This is not only a disservice to purchasers of these IoT products, potentially putting them at risk for all kinds of nasty infiltration and invasion of privacy scenarios, but it is also a disservice to everything else on the internet, as was proven Friday.

At a minimum, companies should immediately be implementing better ways to secure their connected products. For example, the default generic username and password could be enabled to work only the first time a product is turned on. Some sensible companies are steering their username-password combinations away from the generic entirely, so that they are unique for every single product sold. Whatever actions companies take, one thing is clear: they should not allow an internet product to be available and operate on the internet without the proper protection against infection. The username and password are the first line of such defense.

Though it may bear little resemblance to the world of The Walking Dead, zombies are now real. As last year was drawing to a close, I wrote about how this would happen. Now I am sad to tell you that this is just the beginning—and I'm not alone in making that prognosis.

We ought to prepare and start protecting ourselves sooner rather than later. To battle the coming epidemic of zombie outbreaks, we need a massive immunization campaign. If something is allowed on the internet, it must be made safe for both its unsuspecting owner and for the internet itself.

The world is a different place now. Anna-senpai released the Mirai source to the public at large, which means that—just in time for Halloween—anyone in the world can now modify the code to make and mobilize their own zombie armies.

Jim Hunter is the co-chairman of the Committee on Privacy and Security for the Internet of Things Consortium, an non-profit IoT industry group, and is the chief scientist and technology evangelist at Greenwave Systems, a global IoT software and services provider. He is a highly regarded technologist with multiple patents, and is a well-respected thought leader, author and speaker. Follow him on Twitter at @theiotguru or @GreenwaveSys.