Maybe a little good will come from the day the Internet died last week. And maybe, also, a little bad.
To very briefly recap, attackers using the now free and open source malware Mirai attacked Dyn’s servers. Dyn provides DNS services to the likes of Twitter, Amazon and hundreds of other companies. The attack against Dyn didn’t directly affect those companies, but it stopped users from being able to reach those companies’ servers, effectively producing a complete outage.
Akamai and Flashpoint have said that infected IoT devices were a large part of the attack – because people don’t patch their refrigerators and don’t change the refrigerator’s default password.
In this case, the Chinese company XiongMai Technologies (XM) makes circuit boards for DVRs and IP cameras sold by lots of other companies. The default password, in some cases hard-coded into the device and impossible for the user to change, is static and well known. Hence the attack.
XM released a statement which, in part, read “XM have to admit that our products also suffered from hacker’s break-in and illegal use”.
XM said it would be issuing a recall on millions of devices, but XM doesn’t know who owns the devices that their circuit boards were put into. In fact, in many cases, the company that sold the finished product has no clue who owns those products.
The result of this is that most of these products will never be replaced or fixed.
XM did say that it made two important changes late last year. One is to turn off Telnet, the service this particular malware used to attack the devices, and the other is to force users to change the default password when they first power up the device.
99+% of the users who buy these devices have no clue what Telnet is, no clue how to figure out whether it is on or off for a particular device and no clue how to fix it, if that is even possible. Nor do they know how to patch their DVR or cameras.
Which means that this problem isn’t going away any time soon.
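The two changes XM describes, Telnet off by default and a forced password change on first boot, are easy to model. The following is an added example I wrote to illustrate that first-boot gate; it is not XM’s firmware, and the user name, the default password, the length policy and the class name are all assumptions of this example.

```python
"""First-boot credential gate for an embedded device (added example, not XM's code).

The device ships with a known default password, but that password can do only
one thing: unlock the setup screen. Nothing else works until the owner replaces
it, and once replaced, the default is dead. The remote shell (Telnet) is off
unless the owner turns it on after setup.
"""
import hashlib
import hmac
import secrets

DEFAULT_USER = "admin"                 # assumed placeholder, not a real vendor credential
DEFAULT_PASSWORD = "factory-default"   # assumed placeholder, not a real vendor credential
MIN_LENGTH = 12                        # assumed policy threshold
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256, so the plaintext is never stored on the device."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_is_acceptable(candidate):
    """Return (ok, reason). Rejects the factory default and short passwords."""
    if hmac.compare_digest(candidate.encode(), DEFAULT_PASSWORD.encode()):
        return False, "the default password must be replaced"
    if len(candidate) < MIN_LENGTH:
        return False, f"password must be at least {MIN_LENGTH} characters"
    return True, "ok"


class DeviceSetup:
    def __init__(self):
        self.setup_complete = False
        self.remote_shell_enabled = False   # Telnet stays off unless the owner enables it later
        self.salt, self.digest = hash_password(DEFAULT_PASSWORD)

    def _matches(self, password):
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def attempt_login(self, user, password):
        """'setup_required' while the default is still set, else 'granted' / 'denied'."""
        if user != DEFAULT_USER or not self._matches(password):
            return "denied"
        if not self.setup_complete:
            return "setup_required"     # the default credential only opens the setup flow
        return "granted"

    def change_password(self, current, new):
        """Complete first-boot setup by replacing the default credential."""
        if not self._matches(current):
            return False, "current password is wrong"
        ok, reason = password_is_acceptable(new)
        if not ok:
            return False, reason
        self.salt, self.digest = hash_password(new)
        self.setup_complete = True
        return True, "password changed, setup complete"


if __name__ == "__main__":
    dev = DeviceSetup()
    print(dev.attempt_login("admin", DEFAULT_PASSWORD))               # setup_required
    print(dev.change_password(DEFAULT_PASSWORD, "short"))            # rejected
    print(dev.change_password(DEFAULT_PASSWORD, "owner-chosen-passphrase"))
    print(dev.attempt_login("admin", DEFAULT_PASSWORD))               # denied
```

The point of the design is that the default credential is never a working login; it is a one-shot key to the setup flow, and the device refuses to accept it back as the "new" password.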
Also remember that this attack used these devices and this technique. Since there are billions of IoT devices, next month it will be a different device and a different technique. This is kind of like a game of whack-a-mole.
In the meantime, the Chinese Ministry of Justice threatened journalists who reported on the story for issuing “false statements”.
Google translate, which apparently doesn’t deal with grammar well, reported their statement, in part, as “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”
The good news, besides getting attention for the problem and getting at least one company to do a recall and issue patches, is that this apparently scared the poop out of the Department of Homeland Security. While last week’s attack was on Twitter (and others), the next attack could be against the power grid, the DoD or maybe even something important.
The Department of Homeland Security has issued some contracts in the past year to companies working to thwart DDoS attacks and this event is likely to spur more contracts.
What we need to do is find a way to identify these tens of millions of infected systems and get them cleaned up or turned off. THAT is not a simple task.
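One place this identification can start is the home or ISP gateway: an infected device behaves differently from a camera that only talks to its cloud service, because it hammers Telnet on many unrelated hosts. The following is an added example of that detection logic, written by me for this post rather than taken from any vendor or from Krebs; the iptables-style log format, the sample addresses (RFC 5737 documentation ranges) and the threshold are assumptions, and the log lines are constructed, not captured traffic.

```python
"""Flag LAN hosts that open Telnet connections to many distinct destinations.

Added example (not from the original post). Input is an iptables-style
connection log; a device that attempts Telnet (TCP/23, the standard port) to
several unrelated hosts is flagged for the owner or ISP to look at.
"""
import re
from collections import defaultdict

# Constructed sample log lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 21 12:00:01 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=23 SYN
Oct 21 12:00:01 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=40002 DPT=23 SYN
Oct 21 12:00:02 gw kernel: FW-OUT SRC=192.168.1.40 DST=198.51.100.77 PROTO=TCP SPT=51000 DPT=443 SYN
Oct 21 12:00:02 gw kernel: FW-OUT SRC=192.168.1.23 DST=198.51.100.12 PROTO=TCP SPT=40003 DPT=23 SYN
Oct 21 12:00:03 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=23 SYN
Oct 21 12:00:03 gw kernel: FW-OUT SRC=192.168.1.40 DST=203.0.113.200 PROTO=TCP SPT=51001 DPT=23 SYN
Oct 21 12:00:04 gw kernel: FW-OUT SRC=192.168.1.23 DST=198.51.100.30 PROTO=TCP SPT=40005 DPT=23 SYN
Oct 21 12:00:04 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=40006 DPT=23 SYN
Oct 21 12:00:05 gw kernel: FW-OUT SRC=192.168.1.23 DST=198.51.100.201 PROTO=TCP SPT=40007 DPT=23 SYN
Oct 21 12:00:05 gw kernel: FW-OUT SRC=192.168.1.23 DST=203.0.113.14 PROTO=TCP SPT=40008 DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")
TELNET_PORTS = {23}      # standard Telnet port; extend for your own environment
THRESHOLD = 5            # assumed: distinct Telnet targets before a host is flagged


def parse_lines(text):
    """Yield (src, dst, dport) for each TCP log line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def telnet_target_counts(text):
    """Map each LAN source to the number of *distinct* hosts it tried Telnet on.

    Distinct destinations, not raw attempts: a retry to one host is normal,
    a spread across many hosts is the scanning pattern we care about.
    """
    targets = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def find_telnet_scanners(text, threshold=THRESHOLD):
    """Return {src: distinct_target_count} for sources at or above the threshold."""
    counts = telnet_target_counts(text)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(find_telnet_scanners(SAMPLE_LOG).items()):
        print(f"{src}: Telnet attempts to {n} distinct hosts, check this device")
```

In the constructed sample, 192.168.1.23 reaches six distinct hosts on port 23 and is flagged, while 192.168.1.40 makes a single Telnet connection alongside its HTTPS traffic and is not. Counting distinct destinations rather than raw attempts keeps a device that simply retries one failing connection from tripping the rule.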
Then we need to get vendors to stop implementing the least security they can get away with. If product liability laws were extended to cover these types of events, or if the Consumer Product Safety Commission could issue mandatory recalls in cases like this, the cost of poor security would move back to the vendors, motivating them to do better. Unfortunately, I don’t think either of these will happen any time soon.
Information for this post came from Krebs on Security.