Originally, this story was focused on the DDoS attack on the KrebsOnSecurity site. While the bulk of this story is still focused on that specific attack, it has already been overshadowed by the massive attack that took down major service sites like Netflix and Twitter through an attack on DNS provider Dyn. The most recent attack may have drawn more attention to the threat, but an analysis of the Krebs attack provides a clearer view of the details, if only because effort was taken to identify the specific nodes that were launching the assault. One thing that both attacks have in common is that they were the result of exploitation of unaddressed, easy-to-fix weaknesses in both process and product.

Prior to the Dyn assault, the security news site KrebsOnSecurity got hit with the most massive DDoS on record (620 Gbps). What is noteworthy isn’t the size of the attack but the fact that it was made possible by infected IoT devices. Krebs performed its own investigation and created a list of the sources of the attack (see below) to make its case. The review found that the majority of the more than 145,000 compromised devices were security cameras. Said another way, devices used to increase security at one company were actually being used as weapons to erode or destroy the security at another company. Ouch.

It’s tempting to dismiss these details as being the result of low quality, “foreign” products and therefore not a serious concern but that would be a mistake. Again, we turn to the data from the attack for some clarity. What we find is that the list of compromised cameras includes some very reputable and/or large scale players. Axis, Dahua, HiSilicon, Mobotix, Samsung and Toshiba are among those vendors connected to the attack.

So, should we vilify them for their involvement? Unfortunately, many products ship with a default set of credentials and/or don’t enforce a strong password, with the idea of making things easier for the user and the company when it comes to getting the device set up. This convenience is exactly what is being exploited for the botnet attacks in general and the Krebs attack specifically. Attackers execute scripts that make use of the publicly accessible default credentials from the various manufacturers as well as brute force (a.k.a. guessing a weak password) to automatically compromise the cameras in question. The compromised devices won’t exhibit any obvious changes, whether during infection or while participating in a botnet assault, so there is almost no way of discovering that your cameras are zombies waiting to attack on command.

The point isn’t to shame the companies whose products were used in the assault but to highlight both how important the security of any IoT device is and how a decision to make the security setup and configuration experience easier for a customer can have very dire long range impact on the customer, the victim and the business of the camera vendor.

No company wants to have their long-term survival threatened by a well-intentioned “optimization” of the customer experience, and they don’t have to. Some companies are already addressing this challenge by producing unique, “strong” default passwords from the factory (per device), while others are simply requiring the user to create a strong password as part of the first-time setup. For the most recent attack, the recommendation has always been to have redundancy in DNS service, but that advice does not appear to have been followed. Said another way, simply following best practices for security could have prevented the onslaughts or significantly reduced their impact. Putting some hurdles in front of a user as part of the initial security setup may make your marketing manager cringe, but it will help you avoid total catastrophe by keeping your devices (and your company’s reputation) off the “weaponized” list.
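As an added example (not from the article or any camera vendor's firmware), the following hypothetical first-boot credential flow combines the two remedies just described: each device gets a random factory password that only unlocks the setup step, and setup cannot complete until the user supplies a password that passes a strength policy, including a check against the kind of published vendor defaults the botnet scripts iterate over. The `KNOWN_DEFAULTS` list and the `CameraAuth` class are constructed for illustration.

```python
import hashlib
import os
import secrets

# Constructed sample of the vendor-wide factory defaults that the botnet scripts
# iterate over; a real firmware would ship its own historic list of defaults.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "888888", "root", "default"}

def generate_factory_password() -> str:
    """Random per-device default (16 chars), meant for the device label, not a manual."""
    return secrets.token_urlsafe(12)

def check_password_policy(candidate: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("matches a published factory default")
    classes = sum(any(f(c) for c in candidate) for f in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3:
        problems.append("needs at least three character classes")
    return problems

class CameraAuth:
    """Hypothetical credential state of one camera (not any vendor's firmware)."""
    def __init__(self):
        self.setup_complete = False
        self.factory_password = generate_factory_password()
        self._salt = os.urandom(16)
        self._hash = self._derive(self.factory_password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> str:
        """'denied', 'setup-required' (factory default before setup) or 'ok'."""
        if not secrets.compare_digest(self._derive(password), self._hash):
            return "denied"
        return "ok" if self.setup_complete else "setup-required"

    def complete_setup(self, factory_password: str, new_password: str) -> list:
        """Replace the factory default; returns the violations, [] on success."""
        if self.login(factory_password) != "setup-required":
            return ["factory password rejected or setup already completed"]
        problems = check_password_policy(new_password)
        if not problems:
            self._hash = self._derive(new_password)
            self.setup_complete = True
        return problems
```

Until `complete_setup` succeeds, the device never answers "ok" to any login, so a unit that is plugged in and forgotten cannot be claimed with a list of vendor defaults.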