The Internet tools that slowed some of the world’s largest sites for hours on a recent Friday morning weren’t just server farms or hacked key fobs.
Baby monitors helped take down Twitter.
Security cameras helped halt Amazon.
This nightmare scenario became a reality on October 21 when hackers used the Internet of Things (IoT) in a distributed denial-of-service (DDoS) attack that brought down major sites from PayPal to Spotify. While the attack was described as an Internet security issue, that’s not the whole story. It is a supply chain issue. The attack also represents a Doomsday scenario that security and supply chain experts have been predicting for years. Their focus is not high-level international villains, but low-level embedded technology.
Early in the business day on that October Friday, major web sites started shuddering. The problems were quickly attributed to an attack on Dyn, a major Internet connection hub. Dyn monitors and routes Internet traffic. Its systems were overloaded with millions of access requests from IP addresses, so many that Dyn couldn’t handle the traffic, in what’s known as a DDoS attack. Hackers had gained access, through baby cameras and surveillance monitors, to IP addresses that they then directed toward Dyn, basically turning the Internet of Things against the Internet.
As Dyn’s leadership notes, businesses that had instituted network redundancy fared better against the attacks, as they could shift their access points to other services. That kind of spreading the wealth is actually encouraged by Dyn, as Dyn’s Chief Strategy Officer Kyle York notes in statements made after the attack. His firm supplies a service, and good supply chain practice for critical parts of a chain is to program redundancy so if one service falters, business can still continue.
“I don’t think you can ever be safe enough or redundant enough,” he says, in Supply Chain 24/7.
But that’s not the only supply chain issue at play.
Hardware, Software, Oops
This kind of attack relies on gaining access to the hardware and the software behind it. Vulnerabilities can arise when parts or software handled by an outside supplier aren’t tested for quality assurance, functionality and security. There are hundreds of parts that are now built into cars, for example, that make them smart, but also make them vulnerable to attack and exploitation.
Scott Montgomery, vice president and chief technical strategist in Intel’s security division, notes that companies inherit every problem in their supply chain, according to The New Stack, which covered a panel in San Francisco where he spoke.
And the problem isn’t just a faulty piece of hardware.
“If you think just because your software is on a chip, that they can’t get it off of there, you are mistaken,” says Billy Rios, a security expert who has worked with the Department of Defense, speaking at the same panel. “If you think that someone will never be able to understand your custom vertical, you are mistaken. If you think no one will ever find that hidden account you have in there to do debugging or to access certain features that you don’t want your customers to get access to, you are certainly mistaken.”
Some security experts have been warning that lax oversight for parts in things that connect to the Internet poses a serious security risk, some of them saying it’s only a matter of time until a major hack similar to the one seen in October.
Information security people “have been screaming bloody murder about this for years,” reports the San Francisco Chronicle.
Take this 2011 example, reported in 2014 by the Heritage think tank:
“In October 2011, two people were convicted of selling as many as 59,000 counterfeit circuits from China to the U.S. military, defense contractors, and others for use in U.S. warships, airplanes, missiles, and missile defense systems. Not only were these cheap fakes, but these chips potentially contained serious vulnerabilities that could have disabled, impaired, or stolen information from these important systems.”
For businesses in the IoT market, rushing Internet-accessible products to market sometimes trumps careful vetting of all components in the supply chain. As one expert notes in the Washington Post, this DNS attack should be a “wake up call” to suppliers who aren’t vigilant about the security of their components.
No matter their focus, everyone in the security community agrees that while the volume of things used in this recent attack is unusual, the attack is not going to be the last.