On Friday morning (21 October 2016), there was a massive DDoS (distributed denial of service) attack on a DNS (Domain Name System) provider, which caused many websites to become unreachable. The cyberattack has been labeled an IoT-based attack. I thought I would elaborate on it and share some thoughts on what manufacturers and we, as consumers, need to do to prevent similar attacks from occurring in the future.
Paying Attention to Passwords
One of my favorite TV shows is “Person of Interest.” I love watching the character Harold run a complex algorithm to crack some incredibly hard password. Reality, however, tends to be a little more boring. And our everyday passwords, unfortunately, wouldn’t keep Harold busy for more than a few seconds.
Friday morning, tens of millions of malware-infected devices flooded the DNS provider Dyn, making it very hard for legitimate requests to propagate through the system. The infected devices were mostly video cameras and routers in people’s homes, connected to the IoT, and set up using default usernames and passwords or the global keys that the systems ship with. The attack was able to exploit these devices by guessing these obvious or weak credentials.
The vulnerabilities caused by weak passwords have been well known in the industry for years. Manufacturers of IoT devices need to be aware that a system is only as secure as its weakest link. When it comes to high tech, it is the intersection of humans and the technology where these vulnerabilities are most likely to appear.
We humans tend to be lazy. The vast majority of us don’t change the default username and password on our wireless router, or the password of our Wi-Fi network. We use the browser to remember the passwords for the various sites we visit.
Manufacturers and Consumers Must Take Responsibility
Manufacturers must recognize this human trait and design systems with our basic laziness in mind. It’s challenging to balance security with ease of use, especially during initial set-up—because we as consumers also want immediate gratification and things to “just work.” But manufacturers can't just punt the problem to the consumer. They need to make it easy for consumers to practice good basic security hygiene and ensure that security measures are part of their IoT platform technology.
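What "designing with laziness in mind" can look like in firmware, as an added illustration that is not from the original post or from any particular vendor: the unit ships with a per-device random password rather than one global default, the setup flow refuses passwords that are factory defaults, common, too short or built from the username, and the administrative interface stays off the WAN until the shipped credential has actually been replaced. The default-credential list, the common-password list and the `DeviceSetup` class are constructed for this example.

```python
"""Setup-time credential policy for an IoT device (hypothetical example)."""
import hmac
import secrets
import string

# Constructed sample of factory-default username/password pairs; a real
# product would list every default it has ever shipped with.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
}

# Constructed short list; a real device would embed a much larger one.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}

MIN_LENGTH = 12

CHARACTER_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def is_factory_default(username, password):
    """True if the pair is one of the defaults the product has shipped with."""
    return any(
        hmac.compare_digest(username, u) and hmac.compare_digest(password, p)
        for u, p in FACTORY_DEFAULTS
    )


def password_problems(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if is_factory_default(username, password):
        problems.append("factory default credentials must be changed")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    used = set(password)
    if sum(1 for cls in CHARACTER_CLASSES if cls & used) < 3:
        problems.append("password uses fewer than three character classes")
    return problems


def generate_per_device_password(length=16):
    """Per-unit random initial password, printed on the device label at the
    factory, instead of a single global key shared by every unit shipped."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class DeviceSetup:
    """Minimal model of first-boot credential handling (hypothetical)."""

    def __init__(self, label_password):
        self._username = "admin"
        self._password = label_password   # unique to this unit
        self.credentials_changed = False

    def login(self, username, password):
        return hmac.compare_digest(username, self._username) and \
            hmac.compare_digest(password, self._password)

    def change_password(self, username, new_password):
        """Apply the policy; return the violations, or [] once changed."""
        problems = password_problems(username, new_password)
        if problems:
            return problems
        self._username = username
        self._password = new_password
        self.credentials_changed = True
        return []

    def remote_admin_allowed(self):
        # The admin interface is never exposed beyond the LAN while the
        # label password is still in use.
        return self.credentials_changed


if __name__ == "__main__":
    device = DeviceSetup(generate_per_device_password())
    print("remote admin before change:", device.remote_admin_allowed())
    print("rejected:", device.change_password("admin", "admin"))
    print("accepted:", device.change_password("owner", "Correct-Horse-7Battery"))
    print("remote admin after change:", device.remote_admin_allowed())
```

The gating in `remote_admin_allowed` is the piece that matters most for the attack described in this post: a device that is still on its shipped credential simply is not reachable from the Internet, so the consumer's inaction no longer hands the device to a botnet.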
As consumers, we need to be more aware of security and do our share to reduce the number of devices available for potential exploits. The Friday attack was an example where the consumer assets were not the target of the attack. Instead, the consumer devices were used as soldiers to attack a third party.
What Can We Do?
Because I expect this trend to continue, it’s important that we educate ourselves in the basic elements of what it means to be good Internet security citizens and take the time to implement basic security principles. Let’s all agree to:
- Secure all our computing devices, from our laptops to our wireless routers to our various IoT devices.
- Not use the same password on all our accounts.
- Use two-factor authentication when available.
Following these practices is good for us as individuals, and it is good for society. Let’s make sure that future attacks are not based on simple vectors such as default usernames and passwords. Make potential attackers work really hard. Let’s force them to operate at a level closer to my friend Harold.