Two things struck me in these attacks, the first one is that the attack was not directed towards a specific well known web site that someone might want to take down, but towards Dyn, a company that maintains a large part of the DNS addresses of well-known web sites. So while the web sites themselves were still fine and up and running, no one could find them as the pointer to them was unavailable.
Army of zombie devices
The second point that struck me is that the attack was done by an army of zombie IoT devices that hackers were able to get control of. That could have been a security camera, a Digital Video recorder or other connected consumer electronics . Sometimes the problem lies with their owners who didn’t change the default admin passwords. ere simply not designed to need protection at all.
Attacks on a global scale
So in fact these devices are cheap, small, commodity hardware components that are widely available. Even if only a small percentage of them is not well protected it can be enough for the hackers to recruit them as soldiers. These armies can grow to over 100.000’s devices, capable of striking on a global scale.
France
It is actually not the first time that such a cyberattack is happening. Just a few weeks ago a similar attack was done in France, where the hackers attacked major French hosting company OVH. In a very similar pattern, more than 100.000 hacked security cameras were used to conduct the cyberattack. This time the attack was directed against the website of one of the OVH customers.
Presidential elections
What are the consequences of such an attack? Since the only aim of those attacks is to make a service unavailable, and not to steal data or alter data directly.
The impact can be that data gets altered indirectly. For example, what if they manage to interrupt large portions of the internet on the day of the presidential elections? They could cause traffic jams by making traffic information unavailable, paralyze parts of public transportation, disturb major news web sites, etc … That would mean less people would go out to vote. Especially if the hackers are pointing their attacks to some well-chosen states it might influence the outcome of the elections.
Or what if those attacks also disturb the infrastructure used in hospitals, patient monitoring devices could be unavailable as they might rely on the availability of an internet connection, perhaps of some cloud service.
Part of the design
Can this kind of attacks be avoided? I don’t believe there is an easy answer here. Of course it is important to tackle the security of these connected devices as close to the source as possible. Security should be an integral part of the design, and not come as an afterthought. Otherwise all that you can do is plug the holes you find. Probably it will be too late and you can never guarantee you didn’t miss a well-hidden backdoor.
Protection
But how can you as an organization protect yourself against such attacks? Again I don’t believe there is an easy answer here, since the attacks are not directed towards the organizations themselves but towards companies that manage the infrastructure of the internet itself. There are some highly specialized tools available to analyze security log files and protect against specific attacks and protect you against attacks. Typically, as protection against the attacks of last week, tools on the infrastructure level are used.
Alternative methods
Most of these tools are made to recognize specific kinds of attacks by resting on a set of rules that was made with known attack techniques. But analytics and machine learning can also play a role here as they might help to spot unknown techniques by looking for abnormal behavior. Especially when combined with the capabilities to analyze streaming data can help you to see the malicious behavior while it is happening, and not only from an historic database long after the facts. Streaming analytics can also be implemented “at the edge”, meaning that it could be embedded close to or even inside the device that might be vulnerable for hacking, so the device could “auto-diagnose” itself through machine learning techniques to learn when it is in a normal state, and when it could have been hacked.
These attacks show us again that there still are single points of failures in the internet and how fragile it sometimes seems. On the other hand, it also shows that despite many efforts already done, security is still a very important dimension to take in account in any IoT architecture.
This blog also appeared in Dutch on Computable.be.