The Army of Things in an IoT World

The Internet of Things is here..

By now, you’re probably well aware of the fate recently befallen on the Brian Krebs site KrebsOnSecurity.com. A Distributed Denial of Service (DDoS) attack in excess of 620/Gbps caused such a strain on one of the world’s largest DDoS protection services, that Krebs asked that his site fundamentally be black-holed until the storm passed.

What you may not have heard of is yet another attack a few days later on OVH hosting, which demonstrated a similar type of attack that reached almost 1/Tbps – almost a 50% increase over that which took the Krebs site offline. OVH also reported that over 145,000 devices were involved in the attack.

What do these two attacks have in common? Yep – you guessed it – your refrigerator. No, wait, your television. Oh, I’m sorry, I meant your thermostat. My mistake, it was your pacemaker – oh, and don’t worry, you weren’t having palpitations the other night, it was your heart launching a DDoS.

Ok, so perhaps a bit tongue-in-cheek, but the reality is, there are millions of devices on the Internet these days, the so-called Internet Of Things (IoT). While I don’t argue that it’s wonderfully beneficial to have my fridge continually remind me about picking up eggs, I have to admit, even as a self-proclaimed geek, I have never patched my fridge’s operating system.

(I’ll pause here momentarily to await the punishment of the InfoSec Gods)

IoT all around us

In all seriousness, as I sit here at zero-dark-thirty, with nothing but the rainbow colored LED’s of the multitude of electronics lighting the room, I have literally counted dozens of internet-connected devices that are in no doubt in need of a firmware upgrade.

Yes. Dozens – and that’s just in the ‘typical household appliances’ category such as WiFi routers, TV’s, DVD/BR players, DVR’s, surround sound systems,security systems, and gaming consoles.

So, if a guy who eats, sleeps, and breathes InfoSec can’t keep up with keeping his home devices patched, how the hell do we expect the average consumer, who can barely keep their actual computer’s OS up to date, manage to?
I can see the dialogue now:

Husband: Honey, I need to push a firmware update to the fridge
Wife: Wait – didn’t we have to buy a new one the last time you did that?
Husband: Yeah – but I’m sure I got the right version this time. I just assumed we were running a 64-bit OS before. I won’t make that mistake again..
Wife: You know what happens when you… Assume.
Husband: …..

While the DDoS attack that impacted OVH was mainly cameras and DVRs just hung out on the net, it truly makes you wonder about the design considerations of *any* internet-connected tchotchke that could possibly be weaponized for further attacks. Who – and as importantly, how – are we going to patch the millions of devices already on the Internet and keep up with the thousands that come online every day?

We are already so far behind the curve it may just be impossible to ever catch up. Perhaps the Army of Things is not just already deployed, but fully weaponized and ready for battle.

The Army Of Things

Consider this in the parlance of the real-world military. In the Army, a Lieutenant General oversees about 75,000 troops whereas a General has about 150,000-200,000 troops under their command. OVH is claiming that they could identify in excess of 145,000 devices – aka troops – attacking them at one point. Based on troop numbers alone, that puts the attackers on par with some of our best Generals

The reality is that most botnets are substantially larger. For example, the Necurs botnet alone is estimated to have about 1.7 million devices under its control, compared to the entirety of the US Military’s 1.3 million troops (DoD Budget proposal, Feb/2016).

How’s that for perspective?

So, besides the obvious DDoS threat we’re all facing, how does this relate to the average enterprise CISO? It’s actually quite simple – it’s all about the design.

If you think about it, none of these devices were designed to be patched by the average consumer. The design was hyper-focused around functionally and speed-to-market, with no thought put into the operational impact it would have. We’ve recently seen malware specifically targeting Java-based televisions, but yet, how is the consumer to know that the fancy ultra high def 4K resolution 65-inch screen sitting in their living room has been infected with a rootkit that allows an attacker to turn on the camera remotely? When the manufacturer was designing this, did anyone stop and say “Hey – we should automate patching so the consumer doesn’t need to worry?” I’m betting the answer is no.

But yet, time after time, breaches are a direct result of design issues and far less about the uber hacking skills of an attacker. Make no mistake about it; while we certainly face our fair share of creative and skilled attacks, it’s the SQL injection attack, or the mismanagement of sessions, or the lack of multi-tier defenses that makes a great breach. All of which are design considerations.

While I’m not sure of how we will ever fix the Army of Things problem, besides perhaps, developing some proactive, polymorphic shellcode, we certainly should learn from the disastrous situation we now have on our hands. How do you handle the design decisions in your enterprise? Are you involved from the budget cycle onward? How about from project kickoff? Does your team participate in any application development sessions? Do they meet with the intended user? Have you considered the long-term operational impact of the decisions you’re making? How difficult is it to patch?

Obviously, many more questions can be asked, but hopefully these few items will help you get in front of your application and infrastructure teams and avoid any disastrous design decisions.

Originally posted on SecurityCurrent.com.