IT security just changed. Until now, it was tough, but people had a handle on it. The range of attacks was understood, and technologies such as firewalls and threat detection were evolving to keep pace with them. PCs and servers were known technology, and even the arrival of the cloud and the consolidation of those servers in public, shared data centers wasn’t going to make a huge difference.
Then along came the IoT. All sorts of new devices are being hooked up to the Internet, to gain the benefits of control and connection. CCTV cameras, video recorders, games consoles, and all sorts of industrial devices have been given access to web services, and are being managed and controlled remotely.
Some voices warned about this. “You can’t lock a door and leave a window open, and you can’t lock the window but leave the garage open,” said Brian Witten, director of IoT at security firm Symantec, back in 2015. “Sometimes attackers come in over the bridge from traditional IT systems into ‘operational’ technology (OT) or IoT systems. Sometimes they dial up cellular modems on these IoT devices, and other times they attack them directly over the Internet.”
Within the data center industry, there’s a worrying tendency for industrial control systems (ICS) and mechanical systems to contain unconsidered Internet connections, perhaps via Wi-Fi or embedded cellular systems for monitoring.
In 2015, there were 295 incidents of cyber attacks through ICS systems, according to the ICS CERT organization, but Ed Ansett of i3 Solutions warns that these are under-reported, leaving the public and the industry unaware of what it should be doing (see box).
But the biggest threat from the IoT could come from outside the data center, completely outside the industry’s control. Hundreds of millions of devices are being added to the Internet, including cameras, fitness devices and the proverbial toasters, with scant consideration for security.
These devices are out there with factory-set passwords, or no passwords at all, containing processors capable of running malware. It only takes a virus written to hit these devices, and they can be turned into an army of “bots,” ready to launch a distributed denial of service (DDoS) attack on the Internet’s key infrastructure.
And this is what happened in October. Malware called Mirai infected millions of IP cameras and video devices manufactured by China’s Hangzhou Xiongmai Technology, which were then signalled to attack Dyn, a provider of the Internet’s domain name service (DNS).
Dyn failed under the onslaught of millions of spurious requests, and as a result, services including Amazon, Netflix and Spotify could not access DNS and failed.
The irony is huge. Consumer devices hit the world’s prime industrial network, the Internet, and the effect was felt through consumer services.
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” tweeted Jeff Jarmoc, a Salesforce security engineer.
Or, as Steven Vaughan-Nichols said at ZDNet: “It doesn’t take a nation to wreck the Internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT).”
Vulnerable by default
The dangers on these systems aren’t new. Their connections to the Internet have standard, factory-default passwords or, even worse, hard-coded Internet credentials. We know not to do this on our PCs and Wi-Fi routers, but for some reason other intelligent devices are being shipped with dumb security.
Security expert Brian Krebs spotted Mirai was involved. His site had been hit by an astonishing 620Gbps attack using Mirai-infected bots only a month before. He also pointed out that the Mirai source code has been put online. So essentially, anyone can mount such an attack.
Dealing with this is tricky, but there’s a serious complication. The devices that are used, and their owners, are essentially bystanders: they are not directly hit by the malware, and the owners are probably completely unaware of it.
Thanks to the publicity around the Dyn attack, Hangzhou Xiongmai has issued a product recall, along with instructions to secure your IP cameras.
But how many users will hear about these moves, and be sufficiently motivated to do anything? Hangzhou Xiongmai supplies technology that is used in products with other vendors’ badges - so how many people will even know they harbor a potential danger?
Some sort of body needs to enforce better security on IoT devices, through consumer regulations or other laws.
It is hard to see how this will happen but, until it does, the only thing for infrastructure players to do is to brace themselves for it, and build more DDoS defences.
This story originally appeared in the November issue of DatacenterDynamics magazine.