If you wanted to make a movie about the Mirai botnet attacks of October 2016, you might call it “When Things Attack” or, maybe, “Revenge of the Webcams.” It’s amusing, in hindsight, to imagine the spectacle of hundreds of thousands of compromised webcams marching together in a massive, online army.
Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.
But for the organizations on the receiving end of the massive distributed denial of service (DDoS) attacks launched by those cameras, digital video recorders (DVRs) and other connected devices, the experience was anything but amusing. Dyn, the New Hampshire based managed DNS provider, was one target of the botnet and saw its service interrupted for hours, making it difficult for Internet users to reach a wide range of critical web services like Paypal and Amazon.com. When the dust cleared, DYN saw around 14,500 web domains— 8% of those that used its DNS service— stop using its service, according to data compiled by the firm BitSight. That is likely to be a serious hit to any company’s bottom line.
Mirai wasn’t the first such botnet-of-things, and it won’t be the last. In fact, recent weeks have seen successors to Mirai, including Persirai, a collection of more than 120,000 hacked and malware infected cameras that appear to be controlled from servers in Iran. These are just prominent examples of what has now become commonplace: malicious networks of connected devices.
Why is this happening now? If we take a step back and consider the problem, it is easy to see that the ‘botnet of things’ phenomenon is a big problem with many causes. Focused on the bottom line, too many device makers have emphasized ease of use and ease of deployment over security. They have shipped products with default usernames and passwords that they do not force customers to change and with weak or non-existent protections for data sent to and from devices. Customers lack technology and security know-how and have not been educated about how to deploy devices in a secure manner.
Floating above all those concerns is a larger issue: the Internet of Things (IoT) has an identity problem, namely: a lack of authentication and encryption solutions that can scale to meet the unique demands of IoT deployments. Strong identity in the form of validly issued Public Key Infrastructure (PKI) certificates are the bedrock of online identity and security. They are used today for everything from securing user access to devices and stored data, to device communications, secure boot and software updates (patching). The Internet of Things demands far more of them to secure far, far more devices and data: from tire pressure sensors on connected cars to ambient temperature sensors in a “smart” building and biometric data collected from an implanted medical device.
In the absence of strong authentication and encryption, and methods to provide data and system integrity, any one of these “connected” features can become a vulnerability and point for compromise, subverting the work and purpose of the device or providing a toehold or pivot point for unauthorized access to a sensitive network. Without strong encryption to protect communications to and from smart endpoints, connected devices are vulnerable both to “brute force” password guessing and snooping on sensitive communications via “man in the middle” attacks.
There is plenty of evidence that this is a clear and present danger. A recent study published by HP, for example, estimated that almost three-quarters of connected devices fail to encrypt communications to and from the Internet or local networks. A lack of cryptographically signed firmware leaves devices vulnerable to software-based takeovers.
Insecure devices aren’t a question of one or two wayward manufacturers, either. Shared supply chains spread and amplify the risks posed by unsecured software across many different products and brands. For example, a remotely exploitable vulnerability in firmware for digital video recorders was found to affect some 70-different closed circuit TV (CCTV) vendors in 2016. We recently learned that a London City airport plans to replace a physical air traffic control tower with a network of connected video cameras, which could present new security risks. The Perisai and Mirai botnets share vulnerable firmware that runs on more than 1,000 models of IP cameras and recorders marketed by scores of different vendors.
How did we get here? Well, for one thing: IoT deployments present unique challenges to existing PKI systems and deployments. IoT devices, often small and resource-constrained, lack the compute power to support strong encryption functions locally or the storage and bandwidth needed to securely generate and store encryption keys. The massive scale of the IoT also complicates traditional PKI deployments. With estimates of anywhere from 25 billion to 200 billion connected devices expected by the end of the decade, requests for certificate issuance, revocation and replacement will overwhelm time-consuming manual certificate management processes that are still the norm at many firms.
Scale is just one issue. Even if the growth of the Internet of Things was slower and more manageable, the workflows that characterize critical functions like certificate issuance and revocation would still be poorly suited to the kind of agile, “dev-ops” environments in which new, connected products are being developed and deployed, experts say.
“Developers expect everything to be API and machine-oriented instead of human oriented,” Davi Ottenheimer, a lecturer in the Department of Computer Science at Fachhochschule St Pölten and co-author of the book Securing the Virtual Environment: How to Defend the Enterprise Against Attack told The Security Ledger. “They need it to be easily automated and self-maintaining and they also expect performance. They’re not going to wait around for any human response or scale,” he said. Alan Shimel, the Founder and Editor in Chief of the web site DevOps.com notes that security processes are still clunky. “It can be a pain in the butt for people who are trying to move at Internet speed,” he said.
The stakes couldn’t be higher. While compromised webcams in the Mirai botnet caused significant disruption to online businesses, the impact of the botnet’s massive DDoS attack was limited to just that: service outages. However, a growing population of life and safety critical systems sport IP addresses, from drug infusion pumps to smart city platforms to telematic systems that operate passenger vehicles and heavy equipment. The risk of true “cyber physical” attacks is both real and present, as evidenced by this May’s WannaCry outbreak that impacted 150 countries and limited healthcare availability in the UK.
“This is a totally new world in which everything, everywhere has to have some way to establish trust,” said Ottenheimer. “We need a system to verify integrity and identity that is also distributed everywhere.”
Fortunately, change is afoot. The tighter integration with operational groups (aka “DevOps”) has increased adoption of orchestration and automation tools that are transforming the process by which strong, cryptographic identities are assigned and managed. Rather than standing up their own CAs, many organizations that have aligned their development and operations teams find they can delegate trust to third-party orchestration software that automates once manual functions like certificate issuance and management.
Automation of certificate issuance and management within these orchestration layers makes the integration of PKI-based encryption to applications seamless, encourages proper and secure certificate issuance, but doesn’t require developers to be ‘PKI experts’. Such platforms also provide critical audit and check points along the way for security teams.
In the near term, look for the demand for encryption from an exploding population of connected devices to drive more widespread adoption of automated PKI certificate deployment and management.
There are risks, of course. Where certificate issuance has become more automated and developer-centric, as with services like The Linux Foundation’s LetsEncrypt, there have been challenges ensuring the legitimacy of certificate requests. Like any technology, encryption can be used for both good and bad, so certificate authorities will continue to have a critical role to play in vetting requests for PKI certificates. Collectively, the industry will need to find ways to balance the advantages of automated certificate issuance with the need to prevent cyber criminals and other bad actors from exploiting the trust and reputation of CAs for nefarious purposes.
The benefits of more agile PKI are hard to ignore. But adopting this type of capability isn’t exactly low hanging fruit for would-be adopters. Organizations need to commit to- and invest in technologies like enterprise orchestration and automation before they can think about automating their PKI. They need to steer clear of the temptation to “roll their own” certificate infrastructure, putting their faith instead with open standards and protocols like EST, SCEP and REST and partnering with a certificate authority that is capable of supporting those standards, as well. Finally, they need to invest in software and services that enable them to automate certificate issuance, management and revocation. Minus the underlying orchestration layers and mechanisms to automate certificate requests and management at scale, many firms are stuck doing PKI the old-fashioned way. As the population of IoT swells from billions to tens of billions and hundreds of billions of devices, such changes and adaptations are both necessary and unavoidable.
As scary as all of these changes may seem, the future that they will bring about is truly astonishing. I’ll see you on the other side!
Dan Timpson is the Chief Technology Officer at global connected security provider DigiCert. (*) Editor’s Note: DigiCert is a sponsor of The Security Ledger.