Poor security: baby phones successfully attacking core internet infrastructure

On Friday, October 21, 2016, Major internet sites such as Amazon, Netflix, Spotify, and Airbnb were no longer available in the United States. One of the most serious downtimes of internet services ever was caused by a denial-of-service attack on the US provider Dyn. Dyn is providing traffic management services for internet providers. Dyn helps them to optimize and steer internet traffic. Therefore, Dyn services are regularly involved in the operations of major internet sites. The DDoS attack on Dyn was performed by a botnet consisting of devices infected with the “Mirai” malware. Unless the most know botnet malwares, Mirai’s bots are not computers, but so-called “internet of things” (IoT) devices. For instance, Mirai infects CCTV cameras, baby phones, satellite antenna receivers, network hard drives, routers, and wifi range extenders. All these devices are internet-connected devices controlled by a linux operating system, and: with very poor security. The attack vector for Mirai to enter a device is an administrator password, which is still set to factory default, such as “admin” password for “admin” user on a widespread Chinese-manufactured CCTV camera. Mirai is scanning the internet for such devices and trying to infect them. The first DDoS attack from Mirai botnet was seen in August, the best-known attack yet was taking place in September, when Mirai DDoS attack hitted the “krebs-on-security” website. This attack, analysed and described in an Akamai security report (https://blogs.akamai.com/2016/10/when-things-attack.html), reached a total traffic of 620 Gbps, more than any DDoS shield can stand. The Friday attacks on Dyn are said to be much more powerful, with DDoS traffic of more than 1 Tbps. Speculations about the origin of the Mirai malware and the identity of the attackers are circulating. As often, there is no clear evidence. Mirai source code was published in September by a hacker named “Anna-sempai”. Since then, Mirai attacks are spreading. Bruce Schneier, one of the best-know security experts, regards the Mirai attacks as a probing, forcing the victims to “show their defense capabilities”, mainly to prepare for future, more serious attacks.

What is remarkable about the Mirai attacks is that it shows two strategic weaknesses in today’s internet security architecture:

(1) Poor IoT security: Whilst baseline computer security has been raised over the years, with anti-virus products, firewalls, and periodic patches of standard software, IoT devices are missing any baseline protection. There characteristics are a poor security architecture, the use of standard passwords, and the absentee of a patching strategy. As 6 billion IoT devices are connected to the internet right now – a number growing to 20 billion devices by 2020 – this poses a huge threat to the internet. Because manufacturers fail so far, regulators are starting to address this issue: EU digital commissioner Oettinger has announced to present a draft on IoT cybersecurity regulation in November, aiming to introduce a mandatory security labeling for IoT devices. (https://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/)

(2) No transparency about the basic internet infrastructures: The consequences of the Dyn attack shows the crucial role, this provider plays for the functioning of the internet. However, Dyn is only one of many. There is still no transparency, no common understanding about the basic internet infrastructures – and how the world depends on it. The protection of the critical infrastructures, including the internet itself, against cyber attacks is still fragile. The debate over the “public core of the internet” (and its protection) has to be pushed, leading to international cooperation in the protection of core infrastructure components and services (see the very fruitful contribution by the Netherlands Scientific Council for Government Policy, http://www.wrr.nl/en/publications/publication/article/de-publieke-kern-van-het-internet-1/).