Is Distributed Denial of Service The New False Alarm?
If you read the kind of stuff that I do, you cannot help but be amazed at the explosive growth of the Internet of Things, IoT for short. With the costs of Wi-Fi interfaces dropping into the range of $1 per device in large volume, more and more “things” are getting connected to LAN networks and the Internet. These “things” can be smart thermostats, video streaming sticks, gaming consoles, and some of our industry’s electronic security-related devices such as IP cameras, door locks, and video encoders.
While some estimates are largely guesses, it seems likely that within a few years there will be trillions of IoT devices installed in homes, businesses, industrial, and institutional buildings. I have read reports that say that the average home with two teenagers under roof will have 20-plus Internet-connected devices by the year 2020. It appears that nothing will stop the surging wave of IoT devices coming in the future.
I think it’s important that we understand exactly what technologies or lack thereof are included in a typical IoT device. Every IoT component is a “computer” with wired LAN and/or Wi-Fi connectivity, and these devices are usually powered “on” 24/7/365 with no capability to turn them off short of killing their power source. Also, there usually is no convenient way to update the software or to provide any type of firewall functionality in the IoT devices themselves. These units are wholly dependent on the knowledge of the installer when programmed, and they rely on the LAN network’s protective firewall(s) to stop intrusion from the Internet.
Simple scanning software, such as the free Zenmap, can scan thousands of public IP addresses and search out specific brands of IoT devices. This search method is based on looking at the Media Access Control (MAC) addresses of devices on the Internet, which are burned in at the factory. Of the six two-character sections in a MAC address, the first three are a vendor code, so, for example, if I run Zenmap on my network it will identify the Honeywell, Vivotek, and Axis cameras on my LAN because it recognizes the vendor portion of their MAC addresses.
Once IoT devices have been detected, one primary problem is that intruders can often gain access to these devices by using the default user/password that was installed at the factory. This situation would be simple to avoid if DIY homeowners, as well as our industry personnel, changed all factory-default user settings every time. However, ignorance and haste on the part of the building owner or system installer can leave the devices open to intrusion and manipulation.
The primary problem that compromised IoT devices can create is the Distributed Denial of Service (DDOS) attack. Let’s say I’m selling Cubs jerseys on my website for $29, and you are selling the same shirt on your website for $19. As the World Series approaches, as a “bad actor” I want to shut down your website. I would reach into the dark corners of the Internet to find a “bot master” who will do my bidding for a price. I engage his services to bombard your website, effectively shutting you down while I continue to sell my shirts.
The “bot master” has remote control capabilities over hundreds or possibly thousands of compromised PCs and IoT devices (robots or “bots”) that can be directed to attack specific IP addresses on the Internet. A DDOS attack is no different than a massive traffic jam. Let’s pretend that every person with a car in Atlanta decides that they need to go to the Varsity restaurant (get the chili dogs) located near Georgia Tech right now. As you can imagine, the traffic jam would be colossal and the business at the Varsity would slow to a crawl as their personnel try to service the millions of customers trying to jam into their building.
A recent DDOS attack on the Akamai website (they sell DDOS protection technology as well as other high-end network services) was apparently launched from tens of thousands of IP cameras from a single manufacturer that were hacked and turned into controllable “bot” devices. At one point it was estimated that over 750 Gigabits per second of data packets from over a million separate devices were being launched at the Akamai Web address.
The camera manufacturer issued a strong but simple statement. Their findings were that, first, the cameras involved used firmware dating from before January 2015. The second issue was (surprise) that many of the compromised cameras still had the default user/password combinations in place. The third issue was that the rogue devices were “exposed to the Internet without the protection of an effective network firewall.”
The real problem is that a device can be hacked and turned into a controllable bot without any indication that can be discerned by the end user. The camera works the same, but it’s been taken over. The thermostat keeps turning on the heat, but it is also bombarding some website with garbage packets simultaneously.
Sophisticated enterprise-level networks are often equipped with robust firewall technology that can not only stop intruders from the Internet but also monitor any unwanted data packets that are being transmitted out from the LAN. But most homes, small businesses, and simple LANs have firewall functions that only face “out” to the Internet, blocking unwanted intrusion but not monitoring what is being sent out of the network to the Internet.
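The outbound monitoring described above can be approximated even on a small LAN by looking at flow records from the router. The following is an added example, not code from the article: it reads constructed flow-log lines (the "timestamp src dst proto packets bytes" layout, the 192.168.1.0/24 LAN prefix, and the packets-per-second threshold are all assumptions) and flags any internal device pushing an abnormal packet rate toward a single outside address, which is what a camera or thermostat turned into a bot looks like from the inside.

```python
"""Egress-side check for a LAN device that may have become a DDoS bot (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed internal range; anything else is "outside"

# Constructed sample flows: "ts src dst proto packets bytes".
# 192.168.1.50 (a camera) floods one outside host; .60 (thermostat) and .70 (PC) look normal.
FLOWS = """\
1 192.168.1.50 203.0.113.10 udp 40000 2400000
2 192.168.1.50 203.0.113.10 udp 41000 2460000
3 192.168.1.50 192.168.1.20 tcp 30 9000
1 192.168.1.60 198.51.100.5 tcp 12 3000
2 192.168.1.60 198.51.100.5 tcp 10 2800
1 192.168.1.70 198.51.100.9 tcp 300 250000
"""


def parse_flows(text):
    """Yield (ts, src, dst, proto, packets, bytes) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, pk, by = line.split()
            yield int(ts), src, dst, proto, int(pk), int(by)


def outbound_by_source(flows):
    """Sum packets per (internal source, outside destination); return totals and seconds observed."""
    totals = defaultdict(lambda: defaultdict(int))
    seen_ts = set()
    for ts, src, dst, _proto, pk, _by in flows:
        seen_ts.add(ts)  # observation window spans every record, internal or not
        if ip_address(src) in LAN and ip_address(dst) not in LAN:
            totals[src][dst] += pk
    return totals, max(1, len(seen_ts))


def suspect_bots(text, pps_threshold=5000):
    """Return {src: (dst, pps)} for sources whose rate to one outside host exceeds the threshold."""
    totals, seconds = outbound_by_source(parse_flows(text))
    flagged = {}
    for src, per_dst in totals.items():
        dst, pk = max(per_dst.items(), key=lambda kv: kv[1])  # busiest single destination
        pps = pk / seconds
        if pps > pps_threshold:
            flagged[src] = (dst, pps)
    return flagged


if __name__ == "__main__":
    for src, (dst, pps) in suspect_bots(FLOWS).items():
        print(f"{src} -> {dst}: {pps:.0f} packets/s outbound; inspect this device")
```

A real deployment would feed it NetFlow/sFlow or firewall connection logs and keep a per-device baseline, since a camera that normally only talks to its NVR should never need to send tens of thousands of packets per second to a stranger.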
Now is the time for electronic security and low-voltage installation companies to take network security seriously. That means always changing passwords from the defaults, making sure devices have the latest firmware, and verifying that users have adequate firewall protection.
I also suspect that many installation companies use the exact same administrative passwords on all of their IP devices installed in their clients’ locations. This is a bad practice as it would be a simple matter for a technician to leave one company and go to another while retaining the ability to disable or otherwise mess with IP devices installed by his or her previous employer. Different clients should equal different passwords.
We don’t want to be blamed for the coming wave of DDOS attacks launched from IoT devices like we were blamed for the false alarm problem, most of which were/are generated by misuse of systems by end users.