The Underwhelming Security of the Internet of Things (IoT)

The Underwhelming Security of the Internet of Things (IoT)

On September 20, Krebsonsecurity.com, the blog of renowned cyber security journalist Brian Krebs was overwhelmed by a huge distributed denial-of-service (DDoS) attack. It was initially fought off by engineers from Akamai, the content delivery network managing his site. Unfortunately, this attack was the largest Akamai had ever seen and the resources required to fend it off continued to grow at an alarming rate. When the performance finally started to affect Akamai’s other customers, they had to uncouple Krebs’ site and withdraw their protection.

Krebs’ site was down for several days while he sought out a new relationship with Google and their Project Shield, which protects organizations from DDoS attacks. During the onslaught, his site underwent an estimated 620 Gigabits (~16.5 DVDs) per second of traffic. While this may not be the biggest attack ever, it is still massive. The curious thing about it is that a large portion of the traffic was formed to appear like Generic Routing Encapsulation (GRE) data packets. This is a protocol that allows two peers to share information directly, instead of over a public network.

Most of the largest DDoS attacks had previously used DNS reflection. These types of attacks work by sending spoofed packets to a victim computer. The packets have a spoofed return address set to a specific target computer, which results in lots of victim computers all responding to a target computer simultaneously. Given enough victims these types of attacks can bring down even the most well defended targets. Unlike these attacks however, GRE traffic can’t be spoofed. This means that the attack against Krebs’ site required a large amount of hacked systems. The culprit turned out to be a botnet of compromised Internet-connected devices. Why hack a computer that is more likely to be secure when you have an insecure connected device just begging to be broken into?

Several days later, Hack Forums revealed the source code for this IoT botnet. Named “Mirai,” the malware spreads through devices that are protected with hard-coded or default usernames and passwords. These devices are infected with malicious software and turned into “bots,” which can be commanded by a central server to launch DDoS attacks—which are much more difficult to defend against.

According to Verisign, DDoS attacks increased by 75% in the first half of 2016, and the largest single attack in 2016 was more than double the size of the previous year. The Mirai botnet has given us a glimpse at how destructive unsecured devices can be. With the number of connected devices on the rise (estimates range from 20.8 billion to 1 trillion by 2020…it’s going to be a lot), we realistically expect these attacks to only get worse from here.

There Are Many Insecure IoT Devices Out There

For many connected devices, security is often added as an afterthought, if it all. If you have a device connected to your network it is entirely possible that it could already be part of a botnet. One of the primary reasons for this is that many devices ship with the same default passwords…and they don’t require owners to ever change them. That’s like being able to open every door in your neighborhood with the same key!

It gets worse. Some of the poor hygiene highlights of these devices include:

  • Hard-coded passwords in the device firmware: think changing the password means you are secure? Nope, those hard-coded passwords still work too.
  • Painted-door login mechanisms: that login screen you see isn’t actually enforced. Nope, you can just go to any admin page you want and skip that annoying login page. The device won’t even both to confirm that you’re an authenticated user.
  • Unencrypted Communication: many devices pass along information in the clear. This makes it incredibly easy to tamper with or intercept data from the device. Scary.
  • Susceptible user interfaces: this includes weak credentials and cross-site scripting (XSS) attacks.

Some devices can’t even update their firmware because of storage constraints–even if a security flaw has been identified. Other devices lack the processing power to host security software. This is very concerning, considering that these devices typically collect at least one piece of personal information. Think about how many devices you have and how much personal data is floating all around you.

Flawed security implementations and authentication mechanisms are also common in IoT devices. Samsung’s RF28HMELBSR Smart Fridge has an insecure SSL implementation that doesn’t validate certificates. This allows for MitM (man-in-the-middle) attacks. Boom, there goes your social media credentials–is having the Internet on your fridge really worth a Facebook hack?

It isn’t just fridges being hacked. How about your car? Security researcher Troy Hunt discovered a weakness with the Leaf Smartphone app that didn’t authenticate users. This allowed hackers to control multiple parts of the car, including the cooling system. An attacker could use this vulnerability to drain the battery and strand the user, but because the Leaf has such short range, this attack is limited.

There is a worrying lack of security standards when it comes to IoT devices. If these devices are unable to communicate their errors with the rest of the network, why are the connected? The connected device scene is very similar to the problematic times of the 90’s–the days of cowboy code. Rather than improving upon common libraries, many manufacturers are reinventing the wheel. Standardization is still a long way away, but we need better security protocols now. Until that day comes, it’s important to be educated about the limitations of your devices and what you can do to protect yourself.

How can I protect my devices now?

The best way to keep yourself safe is to minimize the damage that can be done if one of your devices is compromised. Someone breaking into your smart TV is likely using it as a foothold to penetrate further into your network. Some advice to stay safe:

  • Change the password on your devices: like many exploits, the harder target you make yourself, the less likely you are to be broken into.
    Read the fine print of the devices: understand what information is being gathered by your devices. This is the information that is at stake if your device becomes compromised.
  • Determine if the device is necessary: every device you put onto your network opens another potential attack vector. Choose secure reputable IoT devices whenever possible.
  • Update your software: bug fixes and security patches are typically covered in software updates. Once a threat is known, it’s likely someone may use that attack against you. Staying up-to-date ensures that you are not prone to outdated hacks and script kiddies.
  • Network considerations: do your devices need to be connected to the public Internet? Should they be on the same network as the rest of your infrastructure? Do you have a firewall and IDS in place (or one of these)? By configuring your network properly, you are able to help offset many of the security considerations to specialized hardware and software that helps protect against threats before a connection to the device is ever established.
  • Deprovisioning: before you get rid of a device remove your personal and business data. If this is not done, there may be enough sensitive information left to exploit you in the future.

Which Devices Are Most Susceptible?

While a range of devices could potentially be used to form a botnet, these were the most common ones involved in the DDoS attack on Krebs’ website:

  • Routers
  • Printers
  • Digital video recorders
  • Security cameras

Some brands that popped up in Krebs’ analysis included:

  • Dahua
  • HiSilicon
  • Panasonic
  • Realtek
  • Samsung
  • Xerox

Is My Device Part of a Botnet?

Even if you don’t own anything listed above, you may still have a device that is part of a botnet. All it takes is one device to compromise you. Use the following steps to clean a device you suspect may be infected:

  • Reboot Your Device: this will typically wipe Mirai (and other malware that may be present). If possible, restore the device to factory settings.
  • Go to the Administration Panel of Your Device: you may need to consult vendor documentation for this.
  • Change the Password: use a strong password that would not be easy for someone to guess.
  • Install firmware updates: you may need to consult vendor documentation on how to do this.

The Future of Botnets and the IoT

Because their security is woefully inadequate, IoT devices are excellent targets from which to stage large-scale DDoS attacks. There has been little to no regulation of manufacturers, which means companies often produce insecure products simply because it is cheaper to do so. On the bright side, the industry is moving towards standardization and has recently proposed a security labeling system to better educate consumers.

Is Your Business Ready to Fight Off an IoT Botnet?

These attacks are relatively cheap to stage and incredibly expensive to defend. Even the 800-pound-gorilla Akamai had to drop Krebs’ blog to protect their bottom line. Now that this code is readily available to anyone with an Internet connection, these IoT attacks are set to become more common and evolve even further (see?).

As the threat landscape continues to change, it is important to keep up with developments and respond accordingly. If an attack like this can bring down an esteemed security journalist for a few days, imagine what it could do to an unprepared business. Are you prepared?