DDoS: The IoT clone army has turned on us



Presented by Kentik.


All good Star Wars fans will know that the Galactic Republic's clone army was the ultimate distributed Trojan horse. Posing as the necessary military answer to the threat from the Trade Federation and the Separatists (both either under the control of, or secretly allied with, the Sith), the clones were deployed by the hundreds of millions. Then, on a signal from the Sith Lord, they turned against the Jedi and slaughtered them, leaving nothing standing in the way of the takeover of the Republic and the establishment of the Galactic Empire.

Practically designed to be exploited

We are experiencing our own clone army turning against us, from the devices that are supposed to usher in a new era of convenience at home to the routers that act as border guards for home networks.

Neglectful IoT manufacturers have shipped huge armies, hundreds of millions of devices across the digital galaxy, where they stand sentinel as internet-connected surveillance cameras for our homes and businesses, monitor our children, keep track of our grocery and detergent levels, manage lighting and power, and perform endless other tasks. But these apparently helpful devices come with dark secrets.

For the sake of convenience, manufacturers have shipped them configured with default usernames and passwords, and with remote-management services (Telnet, in the case of the devices Mirai targets) reachable from the open internet. In some cases the default credentials cannot even be changed: they are hard-coded into the firmware.

Laughably simple to compromise and placed in the hands of totally unsuspecting citizens, they are tailor-made to be conscripted into botnets by malware like Mirai, BASHLITE (also known as Gafgyt) and others. These malware families carry a short "dictionary" of factory-default usernames and passwords, scan the internet for devices with the login service exposed, and try each pair in turn until one works. If you were to read these dictionaries, you would have to either laugh or weep with instant recognition.
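What that dictionary attack looks like from the device side, and how a defender would spot it in an auth log, is easier to see in code. The following is an added example written for this page, not code from the article or from Kentik: the log format, the addresses and the short credential list are all constructed for the demonstration (the pairs are of the sort a botnet dictionary leads with, but the list is deliberately abbreviated), and `find_dictionary_attacks` is a hypothetical detection helper rather than any product's feature.

```python
"""Added example (not from the article): spotting Mirai-style credential-dictionary
logins in a device's Telnet/SSH auth log. Log format, addresses and credentials
below are constructed for the demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abbreviated sample of factory-default pairs a botnet dictionary
# leads with. A real audit would load a complete list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("root", "root"), ("root", "admin"),
    ("root", "12345"), ("root", "vizxv"), ("root", "xc3511"),
    ("admin", "1234"), ("user", "user"), ("support", "support"),
}

# Constructed log lines: "<iso-timestamp> src=<ip> user=<u> pass=<p> result=<ok|fail>"
SAMPLE_LOG = [
    "2016-10-21T11:59:58Z src=198.51.100.7 user=operator pass=Winter2016! result=fail",
    "2016-10-21T12:00:01Z src=203.0.113.5 user=root pass=root result=fail",
    "2016-10-21T12:00:02Z src=203.0.113.5 user=admin pass=admin result=fail",
    "2016-10-21T12:00:03Z src=203.0.113.5 user=root pass=12345 result=fail",
    "2016-10-21T12:00:04Z src=203.0.113.5 user=root pass=vizxv result=fail",
    "2016-10-21T12:00:05Z src=203.0.113.5 user=support pass=support result=fail",
    "2016-10-21T12:00:06Z src=203.0.113.5 user=root pass=xc3511 result=ok",
    "2016-10-21T12:00:40Z src=198.51.100.7 user=operator pass=Winter2016? result=ok",
]


def is_default_credential(user: str, password: str) -> bool:
    """True when the pair is one a botnet dictionary would try first."""
    return (user, password) in DEFAULT_CREDENTIALS


def parse_line(line: str):
    """Split one constructed-format log line into (timestamp, fields dict)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str.replace("Z", "+00:00")), kv


def find_dictionary_attacks(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that try >= `threshold` distinct credential pairs within `window`.

    Returns {src_ip: {"distinct_pairs": n, "default_hits": n, "successes": [(u, p), ...]}}.
    A human who mistypes retries the same username with near-identical passwords;
    a dictionary scanner cycles through many unrelated pairs in seconds.
    """
    per_source = defaultdict(list)
    for line in lines:
        ts, kv = parse_line(line)
        per_source[kv["src"]].append((ts, kv["user"], kv["pass"], kv["result"]))

    flagged = {}
    for src, events in per_source.items():
        events.sort()
        for i, (t0, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            pairs = {(u, p) for _, u, p, _ in in_window}
            if len(pairs) >= threshold:
                flagged[src] = {
                    "distinct_pairs": len(pairs),
                    "default_hits": sum(is_default_credential(u, p) for u, p in pairs),
                    "successes": [(u, p) for _, u, p, r in in_window if r == "ok"],
                }
                break  # one verdict per source is enough
    return flagged


if __name__ == "__main__":
    for src, verdict in find_dictionary_attacks(SAMPLE_LOG).items():
        print(src, verdict)
```

Run against the constructed log, the scanner at 203.0.113.5 is flagged (six distinct pairs in six seconds, all of them defaults, one of them successful), while the operator at 198.51.100.7 who fat-fingered a password once is not. The `successes` list is the item to act on: a successful login from a flagged source means the device is already in the clone army.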

Internet infrastructure’s part in the melodrama

The operation of IoT botnet-herding malware is aided by another form of internet neglect. Many internet infrastructure providers don't perform the basic check that traffic entering their networks carries source addresses their customers are actually entitled to use, so packets with forged source addresses are carried across their networks unchallenged. That is what lets an attacker hide the true origin of flood traffic and bounce reflected, amplified traffic off third parties toward a victim. This Jar Jar-level lack of scrutiny makes it easy for criminals to operate botnet herding and other cyber exploits under cover with near impunity. I wrote about this in more detail in a separate VB article, the Great Network Forgery.
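The check those providers are skipping is source-address validation, the practice BCP 38 (RFC 2827) describes and that the closing section of this piece asks enterprises to demand in their RFPs. Below is an added example written for this page, not code from the article or from Kentik, that expresses the policy as a runnable check: the interface names and customer prefix assignments are constructed (RFC 5737 documentation ranges stand in for real customer blocks), `bcp38_permit` is a hypothetical helper, and the "neglectful" policy sits beside it so the difference is explicit.

```python
"""Added example (not from the article): BCP 38 ingress filtering at a provider's
customer edge, expressed as a small, runnable policy check. Interface names and
prefixes are constructed; documentation ranges stand in for real customer assignments."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the prefixes each customer-facing interface is entitled to source from.
# In a real deployment this comes from the provisioning/IPAM system.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["192.0.2.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "198.51.100.128/26"],
}

# Sources that never legitimately arrive from a customer port, regardless of assignment.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

Packet = Tuple[str, str, str]  # (ingress interface, source IP, destination IP)


def permit_unfiltered(iface: str, src: str) -> bool:
    """The neglectful default the article describes: forward everything, trust the source field."""
    return True


def bcp38_permit(iface: str, src: str) -> bool:
    """Strict source-address validation: forward only if `src` lies in a prefix
    assigned to `iface`. Bogons, unknown interfaces and unparsable sources are dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if any(addr in net for net in BOGON_SOURCES):
        return False
    allowed = (ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(iface, []))
    return any(addr in net for net in allowed)


def filter_packets(packets, policy=bcp38_permit):
    """Apply `policy` to each packet; return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if policy(iface, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic: one legitimate flow per customer, one spoofed reflection probe
# carrying the victim's address as its source, one RFC 1918 leak, and one customer
# using an address that belongs to a neighbouring assignment.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.9"),      # legitimate
    ("ge-0/0/1", "203.0.113.9", "198.51.100.53"),   # spoofed: victim's address as source
    ("ge-0/0/2", "198.51.100.150", "203.0.113.9"),  # legitimate (inside 198.51.100.128/26)
    ("ge-0/0/2", "10.0.0.5", "203.0.113.9"),        # bogon leak
    ("ge-0/0/2", "198.51.100.200", "203.0.113.9"),  # outside this customer's prefixes
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

Under `permit_unfiltered` all five packets are forwarded, including the one that would let a reflector answer toward 203.0.113.9; under `bcp38_permit` only the two legitimate flows survive. On real edge routers the same policy is a per-interface ACL built from the customer's assigned prefixes, or strict unicast RPF (for example `ip verify unicast source reachable-via rx` on Cisco IOS), which derives the allowed set from the routing table. The practitioner caveat: strict RPF drops legitimate traffic from multi-homed customers whose return path is asymmetric, which is why providers tend to use the explicit prefix-list form at single-homed customer ports and loose mode, or nothing, elsewhere.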

We’re all in the cross-hairs now

The turning of the clone army has been dramatic in its severity. Suddenly, hundreds of thousands to millions of devices are turning their guns on various parts of the internet. In the space of a few weeks in September and October 2016, attacks ranging from several hundred gigabits per second up to roughly a terabit per second made Akamai drop its pro bono protection of security journalist Brian Krebs's site (Google's Project Shield picked up the slack), slammed French hosting provider OVH, and then, most recently, hammered the managed DNS service run by Dyn, cutting many users off from Amazon, Netflix, PayPal and other household names.

In the case of Dyn, the size of the attack exposed a vulnerability that even many of the largest web companies share. It is hard to run a critical service like DNS (the system that maps human-readable names like "amazon.com" to the numerical addresses machines route on) across more than one provider, so most organizations simply don't, and when that one provider is saturated their names go offline with it. It's quite likely that many of these large web properties are now working out how to engineer that multi-provider failover.
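The first step in that engineering is knowing whether you have the problem. The following added example, written for this page and not taken from the article or from Kentik, takes a zone's delegation (nameserver hostnames and the addresses they answer on; both constructed here, where a real check would pull them from a live lookup) and reports whether every authoritative server collapses onto one operator or one /24. The operator heuristic, the last two DNS labels, is a deliberate simplification in place of a public-suffix lookup, and `diversity_report` is a hypothetical helper.

```python
"""Added example (not from the article): a quick check of whether a zone's
authoritative DNS depends on a single operator or a single address block.
The delegations below are constructed; a real check would look them up live."""
from collections import defaultdict
import ipaddress

# Constructed delegations: nameserver hostname -> addresses it answers on.
SINGLE_PROVIDER = {
    "ns1.example-dns.net": ["203.0.113.10"],
    "ns2.example-dns.net": ["203.0.113.11"],
    "ns3.example-dns.net": ["203.0.113.12"],
    "ns4.example-dns.net": ["203.0.113.13"],
}
TWO_PROVIDERS = {
    "ns1.example-dns.net": ["203.0.113.10"],
    "ns2.example-dns.net": ["203.0.113.11"],
    "dns1.second-provider.example": ["198.51.100.20"],
    "dns2.second-provider.example": ["198.51.100.21"],
}


def operator_of(ns_host: str) -> str:
    """Heuristic: treat the last two labels as the operator (no public-suffix list here)."""
    return ".".join(ns_host.rstrip(".").split(".")[-2:])


def diversity_report(ns_set):
    """Group authoritative servers by operator and by address block; give a verdict.

    Four nameservers are no better than one if a single saturated provider hosts
    them all, which is the dependency the Dyn attack exposed. Distinct /24s (or /32s
    for IPv6) are counted as a rough proxy for separate infrastructure.
    """
    by_operator = defaultdict(list)
    blocks = set()
    for host, addrs in ns_set.items():
        by_operator[operator_of(host)].append(host)
        for a in addrs:
            addr = ipaddress.ip_address(a)
            plen = 24 if addr.version == 4 else 32
            blocks.add(ipaddress.ip_network(f"{a}/{plen}", strict=False))
    return {
        "operators": dict(by_operator),
        "block_count": len(blocks),
        "single_point_of_failure": len(by_operator) < 2 or len(blocks) < 2,
    }


if __name__ == "__main__":
    for name, ns_set in (("single", SINGLE_PROVIDER), ("dual", TWO_PROVIDERS)):
        print(name, diversity_report(ns_set))
```

Passing the check is the easy half. The harder half is that both providers must serve identical zone data, which rules out any provider-proprietary record types (health-checked or geographic answers, aliasing at the apex) that cannot be expressed in a plain zone transfer, and it needs a process that pushes every change to both before the TTLs expire; a secondary that silently lags behind the primary is a different outage waiting to happen.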

The Dark Side has some momentum

Where does this clone war narrative take us?  Well, first of all it is certain that these kinds of attacks will happen again.  Criminals and even nation states are probing the internet’s weak points and they are legion.

Critical infrastructure services like DNS are clearly a major vulnerability, but payment processors and many other components that make the economics of the internet work are also quite vulnerable to direct attack. Go a little further afield and, while energy and utilities have received needed attention to hardening their systems, many other "real world" systems are ripe for disruption, including agriculture, transportation and more.

Rewriting the script

What can be done to turn the tide, before we all get caught in a poorly acted and horribly scripted galactic melodrama of collapse and darkness (politicians writing totally worthless regulation in haste)? Industry needs to take action. Establishing a highly visible label of assurance for the cyber security of IoT devices, in the manner of Underwriters Laboratories or Consumer Reports, would help push manufacturers to clean up their code for competitive reasons.

Perhaps a similar label for hygiene practices like BCP 38 (ingress filtering that drops packets with forged source addresses at the network edge) among internet infrastructure providers would make it easy for enterprises to require it in their RFPs for connectivity services. Whatever form it takes, the internet and IoT industries need to take ownership of the problem before the digital economy gets owned by botnets, and before government acts in their stead, potentially with well-intentioned but ill-advised legislation that hurts innovation or further damages the security of the internet.


Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.
