The traitor within – turning your IoT devices against you

The Dyn attack – what happened?

On 21 October 2016, Dyn, a company that controls domain name system (DNS) infrastructure for many of the internet’s big names, like Netflix, Twitter, Reddit, Spotify, Airbnb and Etsy, was attacked by a botnet – a group of malware-infected computers.  The attack was a distributed denial of service (DDoS) attack; the botnet, controlled by a command server, flooded Dyn with traffic until it was overwhelmed.  The DNS is an essential protocol that allows access to websites, so this attack resulted in millions of people across the US suffering disruptions to their internet service.

What was different about this attack?

The Dyn attack was over twice the size of any previous DDoS attack because it used a Mirai botnet to attack the server.  Whereas standard botnets are made up of computers, the Mirai botnet malware infects Internet of Things (IoT) devices.  In this case the infected devices were predominantly webcams and DVR players, but IoT devices include all internet-connected home and wearable technology devices.  Toasters, thermostats, cars, printers, door locks and any device that can be described as ‘smart’ can be an IoT device.  Malware that attacks IoT devices is so problematic because it significantly increases the number of devices which can make up the botnet.

How did this happen?

IoT devices are attractive to hackers for several reasons.  They significantly increase the number of devices hackers can exploit, and they make entire systems vulnerable through interconnectedness.  IoT devices often do not have the same security measures as computers.  They are frequently designed to be cheap and replaceable with limited functionality and processing power.  This means they are vulnerable to attack because they lack the capacity to run robust security measures.  Often they are incorporated in products where manufacturers focus on creating new devices rather than updating the old, so old products remain connected to the internet with outdated security measures.

Minimising security risks

The Dyn attack highlights the security risks associated with IoT devices.  While the attack only resulted in outages to certain sites for a few hours (though obviously, the consequences to Dyn and the affected businesses are huge), it was initially investigated as being a trial-run to derail the U.S. election.  The attack has since been attributed to amateur hackers, which is a relief in terms of motivation, but frightening in terms of the potential harm that can be done.

Organisations need to be aware of these risks when using IoT devices or introducing them to their business practices.  Further, being proactive about security is the best form of protection.  Organisations can minimise risk by:

  • Identifying the security measures and vulnerabilities within IoT devices.
  • Testing devices for vulnerabilities as hacking techniques evolve to determine pre-emptively whether a device is susceptible to security threats.
  • Monitoring devices for unauthorised intrusion.
  • Updating security measures within devices where possible, only using devices that have the capacity to be updated and retiring those that don’t.
  • Understanding what information devices collect and how it is collected and stored.  It is particularly important to ensure personal or sensitive information is encrypted, and to understand who can access it and how.
  • Identifying parties that may be involved in the maintenance, provision or installation of devices, and determining contractual obligations between them and the organisation.
  • Planning for the worst-case scenario.

Conclusion

The DDoS attack on Dyn highlights how complex security analysis and planning has become for organisations.  It is impossible to prevent attacks, foresee all security risks and protect against all forms of security breach and unauthorised access.  However, by understanding their vulnerabilities as far as possible, and by introducing a critical response plan, organisations can continue operations, minimise liability and maintain their reputation in the event of a security breach.

If you have any queries or would like further information regarding this article, please contact:

Simon McDonald
Partner
M: 0402 843 198
E: smcdonald@pageseager.com.au

Grace Williams
Lawyer
T: (03) 6235 5174
E: gwilliams@pageseager.com.au

Copyright © 2016 Page Seager.