The Internet is just coming back to life after a massive DDoS attack against Internet Performance Management company DYN on Friday. The attack affected a number of high-profile sites including Twitter, Reddit and Amazon as well as thousands of smaller sites that use DYN’s services. Details are still a bit sketchy but most are pointing at a Mirai-based botnet as the source of the attack. I’ve linked a few related articles below for those looking for additional information but, with this post, I just wanted to highlight the importance of securing the so-called Internet of Things (IoT) and the potentially devastating impact that an insecure IoT can have. Tech articles can get long and dry and folks can quickly click away. I’m hoping that by keeping this relatively short (there’s a good bit of info) and on point, it’ll encourage the reader to continue to the end.
Wikipedia has an excellent article on what the IoT is but the TL;DR version is this. All of the connected things that you have, such as thermostats, DVRs, NVRs, nanny cameras, refrigerators and more, that connect to the Internet (so that you can view them, manage them, etc. over the Internet) make up the Internet of Things, or IoT. These devices are generally pushed quickly to market with very little (if any) regard to security and have become ‘easy pickings’ for attackers. Attackers quickly picked up on this attack surface with tools like Shodan and the Exploit Database and were able to quickly find available devices, find vulnerabilities for those devices and filter the list of available devices by vulnerabilities to launch attacks. Many of the vulnerabilities currently being exploited have already been patched, some of them for years (in some cases, manufacturers have gone out of business or simply stopped supporting the equipment, so the devices will never be patched). If you have IoT devices, know what attack surface they provide for attackers and know what your options are to mitigate the risk so that you aren’t an unwitting pawn in the next massive attack.
This latest attack is an excellent example of just how devastating an army (or botnet) of compromised IoT devices can be in malicious hands. Additionally, this isn’t the first time that the IoT has been used as a weapon (see the recent attack against Krebs and OVH) and it certainly will not be the last. With the attack on Krebs and OVH, the target was very specific (the sites were taken offline). With the attack against DYN, the DYN servers were taken offline and, with them, thousands of others that relied on DYN. This type of attack could easily have been leveraged against critical infrastructure, hospitals / healthcare, emergency services or others.
A vulnerability assessment is an excellent way to identify vulnerabilities and give you a view of your organization from an attacker’s perspective. If you do not have the expertise in-house to conduct a vulnerability assessment or would like to have an unbiased third party assess your organization for vulnerabilities, please feel free to contact us.
Misc / Errata
- DDoS – https://en.wikipedia.org/wiki/Denial-of-service_attack
- DYN – https://www.dynstatus.com
- Dyn Attack – https://krebsonsecurity.com/tag/mirai
- Dyn Attack – https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit
- Dyn Attack – http://www.bankinfosecurity.com/mirai-botnet-pummels-internet-dns-in-unprecedented-attack-a-9477
- Dyn Attack – https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn
- Shodan IoT Cameras – https://www.shodan.io/search?query=avigilon
- Exploit DB – https://www.exploit-db.com
- Previous IoT Attacks – https://www.piratica.us/index.php/2016/10/10/massive-ddos-high-profile-websites-highlight-flaws-iot
- Vulnerability Assessment -vs- Penetration Test – https://www.piratica.us/index.php/2016/08/26/vulnerability-assessment-or-penetration-test-which-do-i-need-and-why/