About Me

My Photo

Geek by profession, thinker/writer/artist by passion. Part-time blogger,social media enthusiast and a tramp by nature :) A Man Of Mud


Wednesday, October 26, 2016

Cyber Warfare And The Internet Of Things

Internet outage in the US and parts of Western Europe on Friday, after waves of cyberattacks on a major DNS host Dyn may not have made much news in India and other parts of the world but it is unlikely to be an one off incidence and something that if repeated is unlikely to affect the Internet users in the US only. The attack made some of the widely used web services and websites such as Twitter, Spotify, PayPal,Reddit,Github,CNN, WSJ and many other service inaccessible. Distributed Denial of Service (DDoS) attacks have been launched against websites since the time hackerdom came into existence but lately they have been becoming increasingly effective/disruptive with the use of botnets. However, what is really alarming is the fact this attack was carried out using botnet of not zombie computers but Internet connected devices including routers,webcams,DVS and commodities collectively called Internet of Things (IoT). 

Areas affect during DDoS attack against Dyn  (Courtesy : Wikipedia)
 DDoS attacks are quite simple in essence and require the attackers to send junk requests to the servers in such a large magnitude that the servers are overwhelmed with the incoming traffic. Botnets or network of computers infected with malware to serve as zombie computers sending requests to particular IP address on receiving command have been used by hacker groups before. The hacker collective Anonymous has successfully targeted websites such as PayPal but as a means of protest and by publicly claiming it. However, this latest attack seems to much different as it attacked a high value DNS host (DNS servers translate user friendly domain names such as Twitter.com and direct traffic to corresponding IP address and forward requests) , so when this particular service was disrupted a whole group popular services were made inaccessible to a large number of users.

Clearly, this was an attempt to arbitrarily shut down part of the Internet rather than a political protest as seen before. After US accusations against Russia of carrying out cyberattacks on political organisations during the ongoing Presidential election campaign , it is not surprising to find many Americans speculating Russian involvement in it. It is unclear to me what exactly Russia can gain by causing outages in large parts of the USA for a day, surely if nation-states like Russia, US and China preparing for cyber warfare do decide to carry out attacks, they would seek to extract much heavier costs than a single day's outage. Yet, cyber criminal groups hired to probe the vulnerability of US' core Internet infrastructure sounds very feasible,the complexity in the operation suggest some level of cooperation. Officially the US has, as of yet, not blamed any country for the attacks and has instead pointed fingers at cyber criminals using a botnet of IoT to carry out the attacks which makes the future of cyber security look bleak. 

Ironically, this attack comes very close on the heels of numerous warnings being raised by cyber security experts of an attack on these lines being more than probable. Just a month back a malware named Mirai had been dumped in public domain which could help hackers scan and hijack IoT devices and turn them into a botnet. The firepower of this botnet is so powerful that in earlier attacks the servers had been hit with traffic on the scale of 600gbps to 800gbps. Critical services providers may scale up their security measures but this new trend in DDoS attacks may make things unpredictable . Of course government agencies (all "responsible" governments) and critical Internet infrastructure hubs would scale up security measures but can they guarantee that no such outages occur in future, when the production of smart devices is growing at an exponential pace.

It is estimated that by 2020 there would be 50 billion connected products. It seems rather unlikely if security of connected products are sufficiently secure,since upgrades and security patches are not always accessible to consumers, more so if the devices are old even if very much active. Further, the commodity manufacturing industries as a rule prioritise rapid development of products so they can be released in the market before their competitors do. It follows that security testing of these "smart commodities" has to be lower on the priority list if they are to meet the deadline. Most consumers on their part remain oblivious to this security threat even when their devices are already hacked. 

Further with developing countries like China which are dumping low cost smart devices in large quantities there is little scope to know how secure the products are. During the cyberattacks on Friday many of the targeted devices included webcam and digital recorders manufactured by Chinese firm Xiongmai which has since recalled some of its products from US market. With such vulnerable smart devices being sold and source code of malware like Mirai available on web it shouldn't be very difficult for hacker groups to replicate the attack on other countries. But what should concern us more is if instead of DDoS attacks state-backed hackers go after the actual IoT devices and to inflict physical damage on users. From smart grids to smart cars to even connected pacemakers, security analysts have already demonstrated how vulnerable they are to dedicated groups of hackers. Here I must say by hackers I mean not only rogues but also cyber criminals working for nation-states or even part of a military establishment's cyber warfare cell. 

That cyber warfare between countries is real has already been established, perhaps the first such demonstration was made by US-Israel's cyber weapon Stuxnet targeted against Iranian nuclear facilities nearly destroying a fifth of the latter's centrifuges and inflicted considerable setback to Iranian nuclear program. Russia's cyberattacks against Estonia and then Georgia during South Ossetia War indicated the country's preparedness for cyber warfare. China has often been accused of carrying out cyber espionage and even North Korea and Iran have been active in cyber warfare frontier. With so many powerful nations showing willingness to indulge in this new form of warfare that does not involve confrontation between armed forces but civilian infrastructure and civilians, it would be prudent to develop a mechanism of mutual restraint on the lines of conventional treaties but given the nature of this medium and current mutual mistrusts such a proposal at best be a pipe dream.

However, with this new trend of IoT botnet being used to carry out DDoS attack perhaps it is time to rectify platform fragmentation and get on board all stakeholders,especially manufacturers to follow a single set of security standards that also requires rigorous testing and auditing to minimise security vulnerabilities. Ambitious initiatives such as smart grids,smart home,smart cities have the potential of improving the quality of life of average citizen considerably but like all technological advancement they also are fraught with risks. Ironically the Internet evolved from what was initially a US military project and went on to democratise information and knowledge and eventually empowerment of individual. The Internet of Things is set to take this progression to an entirely new level. It would be a shame and a huge travesty if companies blinded by commercial interests inadvertently turn it to war machine.