Hello World: The DDOS Wake Up Call
The Developers at OP5 are important contributors to the education of our customers and those who are interested in using the most powerful IT monitoring solution in the industry. In this timely blog article, OP5’s Development Team Lead, Mikael Falkvidd, writes about the current and ongoing concern of all technology professionals, the DDOS attack, and how the aftermath brings pain to more than just the technical community.
As always, the OP5 team hopes that this article will prompt productive thought and conversations.
What is a DDOS Attack? Does it Hurt?
On Friday, October 21, 2016, a number of popular internet services like Twitter, Spotify, Reddit and The New York Times became unreachable for many internet users. The reason was a distributed denial of service (DDOS) attack on Dyn, one of the world’s largest DNS providers.
DDOS attacks are not new, but there was one detail that caught the world’s attention: the attacks were performed by devices that were part of the Mirai botnet. Mirai specializes in finding and commandeering internet-connected devices by simply logging in using the default username and password. In a statement, IoT vendor Xiongmai, whose products were taken over to participate in the DDOS attack, said “Mirai is a huge disaster for the Internet of Things”.
I disagree. This event was an important wake-up call for the IoT industry.
Vendors must build support for remote updates of devices, and make sure the devices are shipped with automatic updates turned on. Many IoT devices provide amazing functionality for a very low price. But the fast development pace and the low price mean flaws will slip through. Since IoT devices are connected, they can be built to connect to an update server and automatically update themselves whenever an improved version of their firmware is made available.
What About Secure Automatic Updates?
My computer tells me when it has an important security update. So does my phone. Most IoT devices don’t have the luxury of getting my attention that way. My kitchen light could start blinking red to get my attention, but that would be very annoying. And even if it did, where would I click to accept the update?
From what I see, secure automatic updates need to be included in all connected products, and they need to be turned on by default. With this in place, we can incrementally improve security. The default passwords can be removed and updated software can generate unique passwords in a secure manner. Without automatic updates the devices will be left open to attackers forever, forcing the vendor to issue a very expensive recall.
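The password step described above, as an added example that is not from the original article or from OP5: after an update, the firmware replaces a credential that still equals the shipped default with a random one of 16 symbols (roughly 92 bits). The function names, the factory default "admin" and the use of /dev/urandom in place of the device's hardware random number generator are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* No look-alike characters (0/O/o, 1/l/I), so it can be printed on a label. */
static const char ALPHABET[] =
    "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789";
#define ALPHABET_LEN (sizeof(ALPHABET) - 1)
#define PASSWORD_LEN 16

/* Fill out[0..len] with a random password (out needs len + 1 bytes).
   /dev/urandom is an assumed stand-in for the device's hardware RNG.
   Returns 0, or -1 on failure; there is no fallback to a fixed value. */
int generate_device_password(char *out, size_t len)
{
    /* Bytes >= limit are discarded so every symbol is equally likely. */
    const unsigned limit = 256 - (unsigned)(256 % ALPHABET_LEN);
    FILE *rng = fopen("/dev/urandom", "rb");
    size_t i = 0;
    if (rng == NULL) return -1;
    while (i < len) {
        int byte = fgetc(rng);
        if (byte == EOF) { fclose(rng); return -1; }
        if ((unsigned)byte < limit)
            out[i++] = ALPHABET[(unsigned)byte % ALPHABET_LEN];
    }
    out[len] = '\0';
    fclose(rng);
    return 0;
}

/* Run once after an update: replace the credential only if it is still the
   shipped default. Returns 1 if rotated, 0 if untouched, -1 on error. */
int rotate_if_default(char *stored, size_t cap, const char *factory_default)
{
    char fresh[PASSWORD_LEN + 1];
    if (strcmp(stored, factory_default) != 0) return 0;
    if (cap < sizeof fresh || generate_device_password(fresh, PASSWORD_LEN) != 0)
        return -1;
    memcpy(stored, fresh, sizeof fresh);
    return 1;
}

int main(void)
{
    char stored[32] = "admin"; /* constructed factory default */
    int rc = rotate_if_default(stored, sizeof stored, "admin");
    printf("rotated=%d password=%s\n", rc, stored);
    return 0;
}
```

A credential the owner has already changed is left alone, and a failed random source leaves the old value in place and reports an error instead of writing a predictable password.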
The technology for automatically updating IoT devices is already available. In an upcoming article in a Swedish computer print magazine, I describe how to enable automatic updates for Arduino-based IoT devices such as the popular ESP8266 chip. Similar solutions are available for other platforms. Companies have not had a strong enough incentive to prioritize putting this technology in their devices, but that time is past now.
We got the wake-up call we needed.