IoT, Botnets and DDOS: Avoid Becoming Part of the Problem

Recently, hackers successfully unleashed an absolutely massive Distributed Denial of Service (DDoS) attack that swiftly knocked some popular websites offline, including Twitter, Spotify, Amazon and even GitHub. DDoS attacks are of course nothing new, but the latest attack was unique, primarily because of its scale, but also because it was carried out with a botnet of Internet of Things (IoT) connected devices, as opposed to compromised computers.

For data to be worth securing, it must also be continuously available. Services that we all know and love, like Netflix, Twitter, and Google, are only useful if their functionality and content are actually viewable on our machines. Without availability, the confidentiality and integrity of the data we work so hard to protect become irrelevant. This concept is the basis for a Denial of Service (DoS) attack. The DoS attack skips the harder work of breaking the confidentiality and integrity of the data and instead prevents you (or your customers) from accessing the content by overwhelming the infrastructure that serves the content itself. Once the infrastructure breaks down and the content becomes unavailable, our interconnected Internet services rapidly decline, content goes missing, and consumers are unable to access the services they desire.

The next time a DDoS attack occurs, your device might become part of the botnet. While the DNS DDoS that took place recently has been mostly resolved, and the impacted services restored, we aren’t out of the woods yet. This DDoS appears to be only the beginning of a long line of next-generation botnets that will steadily improve their abilities and effectiveness until vendors reform and stop using default passwords and poor protocols, like Telnet, in their implementations. It is very likely that we will see next-generation botnets spring up as newly created hybrids start to appear in the wild. The latest evolution of this DDoS botnet has seen 3500 hosts infected in 5 days: And we’re already starting to see the impact of this new botnet in the wild, being used to deny Internet access to an entire nation state:

IoT: A Growing Problem That Can’t Be Ignored

When Dyn first detected the attack, they theorized that there were as many as 10 million discrete IP addresses involved in the latest DDoS attack. Because of how hard it is to manage and patch smart home devices, they can be hacked in just a few minutes and may be weaponized in the future. Those devices include game consoles, smart power outlets, video conference systems, VoIP phones, printers, security systems, and climate control meters.

While Internet of Things (IoT) devices make it possible for organizations to run faster and more efficiently, they are too often used with little regard to their security risk. The rush to deliver new types of IoT technologies sacrifices security most of the time. Many smart devices are manufactured with default passwords that are easy for hackers to obtain. Once a hacker discovers the weakness and gains access to the device, he or she can move around and do anything as the root user, such as planting a permanent backdoor. Hackers can then come back to the device whenever they want, often enslaving the device as part of a botnet and using it to overload a third-party website as part of a Distributed Denial of Service attack.

What Makes These Types Of Attacks Important

A Distributed Denial of Service (DDoS) attack occurs when a hacker seeks to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

The culprit of this latest DDoS was a bot network controlled by the software called “Mirai” and consisted primarily of insecure video cameras, DVRs and other internet connected devices that were still configured with default usernames and passwords. Because of the rapid growth of IoT devices, they are generally not built with security in mind. The vendors are basically focused on keeping costs down and including a robust feature set. As a result, a good patching system falls by the wayside. To make matters worse, one vendor’s chipset can be included in a wide array of devices, making it difficult to determine if the device you have is vulnerable or not. A list of impacted devices that are vulnerable to this latest attack can be found here:

Last week’s attack was directed at Dyn, a company that provides domain name services to many of the most popular sites on the web. Because Dyn is a necessary part of the infrastructure for so many sites, much of the Internet was either sluggish or largely inaccessible as the attack progressed.

The hacker(s) behind the attack broke into millions of digital video cameras and digital video recorders and then used them to flood Dyn with junk data.

Hackers can also use their access to conduct smaller consumer-level attacks. For example, if they gain access to a climate control system, they’re free to set the temperature to whatever they want. If the system is controlling the heating or cooling of a datacenter, they could run the heater at full blast and bring the computing resources offline due to thermal overload. If a hacker gains access to a video conferencing system, they could record what takes place or use the video feed to gain operational intelligence, such as the best time to mount an attack.

These types of attacks show just how vulnerable the Internet, which is now an integral part of the critical infrastructure of the US and many other countries, is to disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable. With an expected 200 billion connected devices around the world by 2020, we will see more attacks that take advantage of security vulnerabilities in IoT devices connected to the Internet.

What Preventative Measures Can You Take?

As always, may the buyer beware! You should research potential IoT purchases for security weaknesses before purchasing. Specifically, every device in your home should let you change its username and password (more on that below). Additionally, Google, Amazon, and YouTube reviews should be used to verify that the device you are looking at purchasing isn’t a known susceptible device.

One way to easily check if your devices are vulnerable is to use Shodan, a search engine for Internet-connected devices that appear vulnerable to their scanner. You’ll need to know your public Internet IP so you can begin a search in the Shodan Database.

While blocking access to your devices is not always possible, there are several measures the average consumer can take:

  1. Vary/regularly change your password: This seems like a given these days, but it bears repeating. Because almost all manufacturers ship devices with default passwords, it is important to change the password to one that is strong and unique. Make sure you do not use the same password for all of your IoT devices and try not to use your “primary” email address as your IoT username. It’s a common tactic for bad actors to try to phish your email account to try to get your password. Also, regularly change your password – every 90 days at a minimum.
  2. Use strong authentication: Many consumer devices still ship with weak default passwords (admin/admin) which many users don’t update. Manufacturers should require updating with strong passwords before a device can be used.
  3. Reset the device to factory settings: This can delete any malware that’s already embedded. Once that happens, searching the web for the make and model of your device should yield a user and password combination along with a web address you can then key into a browser. That should turn up the device’s administration panel. Remember, factory resetting a device may restore it to a state where it can be re-infected, so you may need to disconnect it from the network until you can get it fully patched.
  4. Disable non-essential services: Many devices are being shipped with telnet, FTP and other high-risk services exposed to the internet. This is the case with the latest DDoS botnet.
  5. Use secure protocols: Protocols such as HTTPS and SSH are designed to support encryption and strong authentication. Enable these whenever possible.
  6. Deploy security gateways: The ability to inspect, audit and control the communications into and out of your network is essential as the number, variety, and complexity of connected devices increases.
  7. Check data integrity: The internet is an unreliable communications medium, and while protocols attempt to introduce reliability, data transfers can be interrupted or corrupted, not to mention malicious attempts to hijack communications.
  8. Continually update: Critical vulnerabilities like Shellshock and Heartbleed continue to be found at the heart of internet connected devices. Planning for future upgrades to device software is essential. These updates will increasingly happen over the air and may need to be performed rapidly depending upon the criticality of the update.
  9. Ensure internet-managed and IoT management hubs and services are secure: If you choose to use a hub or service that allows management of multiple IoT devices, be aware these services can be a central access point to compromise all of your devices. Look for robust, built-in security capabilities that will easily integrate into existing systems. Same goes for internet managed IoT devices; remember, the weak point for these devices is how you can connect to them from the Internet.
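Items 4 and 6 above (disable Telnet and FTP where they are exposed, and inspect the traffic into and out of your network) are easier to act on if you can see which of your devices are actually being probed on those services. The script below is an added example, not code from the original post or from zvelo: it parses netfilter/iptables-style firewall log lines, keeps only inbound hits from the WAN interface on the high-risk ports the post names (Telnet and FTP; port 2323 is included as a commonly used alternate Telnet port, which is my assumption), and reports which internal devices are being hit, by how many distinct sources, and which sources are sweeping more than one device. The log lines, interface name `eth0`, and addresses are all constructed for the example.

```python
"""Audit a router firewall log for inbound probes of high-risk IoT services.

Added example (not part of the original post). Assumes iptables/netfilter-style
log lines with IN=/SRC=/DST=/PROTO=/DPT= fields and a WAN interface named eth0.
"""
import re
from collections import defaultdict

# Services the post recommends disabling when exposed to the Internet.
# 2323 as an alternate Telnet port is an assumption, not from the post.
HIGH_RISK_PORTS = {21: "FTP", 23: "Telnet", 2323: "Telnet (alternate port)"}

# Fields of a netfilter log line that matter for this audit.
LOG_RE = re.compile(
    r"IN=(?P<inif>\w*)\s.*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: several WAN-side probes of Telnet/FTP on LAN devices,
# one harmless HTTPS connection, and one outbound reply that must be ignored.
SAMPLE_LOG = """\
Oct 24 10:01:12 router kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=23 SYN
Oct 24 10:01:13 router kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=51235 DPT=23 SYN
Oct 24 10:01:15 router kernel: FWD IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=23 SYN
Oct 24 10:01:20 router kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.21 PROTO=TCP SPT=51236 DPT=23 SYN
Oct 24 10:01:31 router kernel: FWD IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=2323 SYN
Oct 24 10:02:01 router kernel: FWD IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.30 PROTO=TCP SPT=40002 DPT=21 SYN
Oct 24 10:02:05 router kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.44 DST=192.168.1.20 PROTO=TCP SPT=40003 DPT=443 SYN
Oct 24 10:02:09 router kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.44 PROTO=TCP SPT=443 DPT=40003 ACK
"""


def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"inif": m["inif"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def audit(log_text, wan_if="eth0", scanner_threshold=2):
    """Summarize inbound probes of HIGH_RISK_PORTS per internal device.

    Returns {"findings": [...], "scanners": [...]}: one finding per
    (device, port) pair sorted by hit count, and the external sources that
    touched at least `scanner_threshold` distinct devices (sweep behaviour).
    """
    hits = defaultdict(int)            # (dst, port) -> number of log lines
    sources = defaultdict(set)         # (dst, port) -> distinct external sources
    targets_by_src = defaultdict(set)  # external source -> internal devices hit
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Keep only traffic entering from the WAN side on a risky port.
        if ev is None or ev["inif"] != wan_if or ev["dpt"] not in HIGH_RISK_PORTS:
            continue
        key = (ev["dst"], ev["dpt"])
        hits[key] += 1
        sources[key].add(ev["src"])
        targets_by_src[ev["src"]].add(ev["dst"])
    findings = [
        {"device": dst, "port": port, "service": HIGH_RISK_PORTS[port],
         "hits": hits[(dst, port)], "sources": len(sources[(dst, port)])}
        for (dst, port) in hits
    ]
    findings.sort(key=lambda f: (-f["hits"], f["device"], f["port"]))
    scanners = sorted(src for src, devs in targets_by_src.items()
                      if len(devs) >= scanner_threshold)
    return {"findings": findings, "scanners": scanners}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['device']} port {f['port']} ({f['service']}): "
              f"{f['hits']} hits from {f['sources']} source(s) -> disable or firewall this service")
    print("sources sweeping multiple devices:", ", ".join(result["scanners"]) or "none")
```

Each finding names a device on which a risky service is reachable from the Internet, which is exactly the list to work through with steps 4 and 5 (disable the service or replace it with SSH/HTTPS) and, if the device cannot be fixed, with step 3. On a real router the log format and WAN interface name will differ, so adjust `LOG_RE` and `wan_if` to match before pointing the script at `/var/log/messages` or the equivalent.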

But not all devices can be made less vulnerable. Some manufacturers have simply left too many doors open to potential hackers, meaning they are vulnerable for use in the next huge DDoS attack. Once this happens, responsible vendors may issue a recall for the unpatchable device, and the consumer may seek a refund from the retailer.

You can check to see if any of your IPs have been targeted by the DDoS botnets by keeping tabs on this twitter feed:

We’ve highlighted just some of the things that individuals can do to secure their personal devices. Given today’s threat landscape, end users simply cannot afford to disregard these kinds of attacks. The risk is too severe. Corporations and organizations are also faced with a rather daunting task when it comes to securing all the numerous devices that may come into contact with their diverse networks.

If your company is interested in beginning a conversation around securing IoT devices in the enterprise, please reach out. zvelo would love to discuss our unique approach to securing your IoT devices.

About the Author

Eric Watkins is our Senior Malicious Detection Researcher and he brings 20+ years of combined information security and IT experience to zvelo. When not haunting DEF CON, Eric leverages his deep knowledge in Information Security by utilizing an extensive background in research, engineering and IT security architecture. Additionally, his unique perspective from penetration testing and IT security audit experience in validating website threat vectors further enhances zvelo’s malicious detection services.