February 21, 2017
On September 20, Krebsonsecurity.com, the blog of renowned cyber security journalist Brian Krebs, was overwhelmed by a huge distributed denial-of-service (DDoS) attack. It was initially fought off by engineers from Akamai, the content delivery network managing his site. Unfortunately, this attack was the largest Akamai had ever seen, and the resources required to fend it off continued to grow at an alarming rate. When the strain finally started to affect Akamai’s other customers, they had to uncouple Krebs’ site and withdraw their protection.
Krebs’ site was down for several days while he sought out a new relationship with Google and their Project Shield, which protects organizations from DDoS attacks. During the onslaught, his site absorbed an estimated 620 Gigabits (~16.5 DVDs) per second of traffic. While this may not be the biggest attack ever, it is still massive. The curious thing about it is that a large portion of the traffic was crafted to look like Generic Routing Encapsulation (GRE) data packets. GRE is a tunneling protocol that lets two peers exchange traffic directly, rather than over a public network.
Most of the largest DDoS attacks had previously used DNS reflection. These types of attacks work by sending spoofed packets to a victim computer. The packets carry a forged return address set to a specific target computer, which results in lots of victim computers all responding to that target simultaneously. Given enough victims, these attacks can bring down even the most well defended targets. Unlike these attacks, however, GRE traffic can’t be spoofed. This means that the attack against Krebs’ site required a large number of hacked systems. The culprit turned out to be a botnet of compromised Internet-connected devices. Why hack a computer that is more likely to be secure when you have an insecure connected device just begging to be broken into?
Several days later, Hack Forums revealed the source code for this IoT botnet. Named “Mirai,” the malware spreads through devices that are protected with hard-coded or default usernames and passwords. These devices are infected with malicious software and turned into “bots,” which can be commanded by a central server to launch DDoS attacks—which are much more difficult to defend against.
According to Verisign, DDoS attacks increased by 75% in the first half of 2016, and the largest single attack in 2016 was more than double the size of the previous year. The Mirai botnet has given us a glimpse at how destructive unsecured devices can be. With the number of connected devices on the rise (estimates range from 20.8 billion to 1 trillion by 2020…it’s going to be a lot), we realistically expect these attacks to only get worse from here.
For many connected devices, security is often added as an afterthought, if at all. If you have a device connected to your network, it is entirely possible that it could already be part of a botnet. One of the primary reasons for this is that many devices ship with the same default passwords…and they don’t require owners to ever change them. That’s like being able to open every door in your neighborhood with the same key!
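An infected device usually gives itself away before it joins an attack: a Mirai-style bot spends its time probing other hosts for default-credential logins over telnet. The following is an added example, not code from the original article, that flags a LAN device opening telnet connections to an unusual number of different addresses. It assumes your router or firewall logs new outbound connections in a simple key=value line format (the sample lines below are constructed); adapt the regex to whatever your device actually writes.

```python
"""Flag LAN hosts that behave like a Mirai-style telnet scanner."""
import re
from collections import defaultdict

# Ports Mirai-style worms probe for default-credential telnet logins.
TELNET_PORTS = {23, 2323}

# Assumed log line shape (hypothetical); adjust to your firewall's real format.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"PROTO=(?P<proto>\w+)\s+DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) or None for lines that don't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].upper(), int(m["dport"])


def find_scanners(lines, ports=TELNET_PORTS, min_targets=5):
    """Map source IP -> number of distinct hosts it tried on `ports`,
    keeping only sources that touched at least `min_targets` addresses.
    A normal appliance contacts a handful of vendor hosts; a bot contacts many."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "TCP" and dport in ports:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


# Constructed sample: a camera at 192.168.1.50 probing telnet on 39 hosts,
# a laptop at 192.168.1.10 doing ordinary HTTPS, and one DNS lookup by the camera.
SAMPLE_LOG = [
    f"kernel: FWD SRC=192.168.1.50 DST=203.0.113.{i} PROTO=TCP DPT=23"
    for i in range(1, 40)
] + [
    "kernel: FWD SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP DPT=443",
    "kernel: FWD SRC=192.168.1.10 DST=198.51.100.8 PROTO=TCP DPT=443",
    "kernel: FWD SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP DPT=53",
]

if __name__ == "__main__":
    for ip, n in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct telnet targets; isolate and reflash this device")
```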
It gets worse. Some of the poor hygiene highlights of these devices include:
Some devices can’t even update their firmware because of storage constraints–even if a security flaw has been identified. Other devices lack the processing power to host security software. This is very concerning, considering that these devices typically collect at least one piece of personal information. Think about how many devices you have and how much personal data is floating all around you.
Flawed security implementations and authentication mechanisms are also common in IoT devices. Samsung’s RF28HMELBSR Smart Fridge has an insecure SSL implementation that doesn’t validate certificates. This allows for MitM (man-in-the-middle) attacks. Boom, there go your social media credentials–is having the Internet on your fridge really worth a Facebook hack?
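The fridge flaw described above is a client that negotiates TLS but never checks the server's certificate, so any box on the path can present its own certificate and read the traffic. This added example, not code from the article or from Samsung, shows the weak client configuration beside the corrected one in Python's standard `ssl` module, plus a small audit helper that reports which protections a context is missing.

```python
"""Weak vs. hardened TLS client settings, and an audit of a given context."""
import ssl


def insecure_client_context():
    """The pattern behind the fridge bug: TLS is used, but the peer's
    certificate and hostname are never validated, so a MitM is trivial."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate at all
    return ctx


def hardened_client_context(cafile=None):
    """Verify the chain against a trust store and match the hostname.
    `cafile` can pin a private CA for devices that talk to a vendor cloud;
    with None the platform's default CA bundle is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings explaining why a client context is unsafe;
    an empty list means certificate and hostname checks are both enforced."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no certificate verification")
    if not ctx.check_hostname:
        findings.append("no hostname check")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "OK")
```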
It isn’t just fridges being hacked. How about your car? Security researcher Troy Hunt discovered a weakness with the Leaf Smartphone app that didn’t authenticate users. This allowed hackers to control multiple parts of the car, including the cooling system. An attacker could use this vulnerability to drain the battery and strand the user, but because the Leaf has such short range, this attack is limited.
There is a worrying lack of security standards when it comes to IoT devices. If these devices are unable to communicate their errors with the rest of the network, why are they connected? The connected device scene is very similar to the problematic times of the 90’s–the days of cowboy code. Rather than improving upon common libraries, many manufacturers are reinventing the wheel. Standardization is still a long way away, but we need better security protocols now. Until that day comes, it’s important to be educated about the limitations of your devices and what you can do to protect yourself.
The best way to keep yourself safe is to minimize the damage that can be done if one of your devices is compromised. Someone breaking into your smart TV is likely using it as a foothold to penetrate further into your network. Some advice to stay safe:
While a range of devices could potentially be used to form a botnet, these were the most common ones involved in the DDoS attack on Krebs’ website:
Some brands that popped up in Krebs’ analysis included:
Even if you don’t own anything listed above, you may still have a device that is part of a botnet. All it takes is one device to compromise you. Use the following steps to clean a device you suspect may be infected:
Because their security is woefully inadequate, IoT devices are excellent targets from which to stage large-scale DDoS attacks. There has been little to no regulation of manufacturers, which means companies often produce insecure products simply because it is cheaper to do so. On the bright side, the industry is moving towards standardization and has recently proposed a security labeling system to better educate consumers.
These attacks are relatively cheap to stage and incredibly expensive to defend. Even the 800-pound-gorilla Akamai had to drop Krebs’ blog to protect their bottom line. Now that this code is readily available to anyone with an Internet connection, these IoT attacks are set to become more common and evolve even further (see?).
As the threat landscape continues to change, it is important to keep up with developments and respond accordingly. If an attack like this can bring down an esteemed security journalist for a few days, imagine what it could do to an unprepared business. Are you prepared?