Security researchers have been warning about the threat from IoT devices for years! The massive deployment scale and utter lack of security make networked embedded devices (aka The Internet of Things) prime targets. As early as 2015, Stephen Ridley, now CTO at Senrio, briefed the US government and intelligence community on IoT security - or rather the lack thereof (see the excerpt in the box).
“We are just before the curve on embedded security. There are sparse product and service offerings in this area now simply because of the uncanny valley. We also haven’t yet experienced the big watershed event that will cause the reactionary security industry to shift focus - but that appears imminent.” (Stephen Ridley, briefing the US government and intelligence agencies, early 2015)
Friday's Internet outages and the DDoS attack on security journalist Brian Krebs are only a glimpse of the damage IoT vulnerabilities could cause.
The media has largely focused on the escalation in volume of the recent DDoS attacks. On September 20 the KrebsOnSecurity website logged an attack of 620 Gbps originating from an estimated 165,000 unique devices. Shortly after, French hosting firm OVH was attacked from 145,000 devices, reaching a peak bandwidth of 1 Tbps. The latest round of attacks does not seem to rely on brute-force bandwidth but rather on slow-drip, sustained methods. Dyn has confirmed that the Mirai botnet was involved in the attack, but reports of the bandwidth and the number of devices involved are not confirmed. This new level of sophistication is notable. The attack methods are varied and behave like toolkits: multiple types of attacks can be delivered from a single infected device. New kits like Mirai are also built for many, many platforms, which points to a large programming effort behind the botnet. This means a wide variety of compromised devices can be used in the same attack (not just cameras from vendor A but also routers from vendor B and DVRs from vendors C, D, and E).
DDoS is just the beginning, like it was with PCs in the mid-90s. What follows is an escalation into ransomware, spyware and other criminal pursuits.
"I Don't Have IoT On My Network"
You might think you and your network are safe because you don't have IoT devices in your home, hospital, factory or utility. Think again.
At Senrio (and previously Xipiter), our team helped device manufacturers secure their products and trained security researchers on the unique threats coming from embedded devices. We have been warning about this for years. Unfortunately the problem isn't limited to DDoS and Internet outages. The same technologies that power "IoT" also automate elevators, traffic lights, medical devices, power stations, industrial manufacturing facilities, farms/agriculture, and communications. These embedded devices, or mini-computers, have not benefited from the years of improvement and iteration that servers and desktops have. We “got lucky” in this latest attack; it is actually a relatively harmless symptom of a greater problem.
When we talk to CIOs and CISOs at hospitals, factories and utilities, they rarely connect the headlines from consumer IoT to what might be going on in their own networks. “We don’t use IoT,” is a common response. As you look closer, you find IP-connected industrial controllers (PLCs), gateways and routers, lab equipment and insulin pumps everywhere. Nobody is responsible for them, as they are outside the purview of corporate IT and in the blind spot of traditional security tools.
What Can You Do?
That really depends on who you are.
If you are a consumer: Follow basic cyber hygiene practices.
- Change the default password on your device (the latest attacks were launched using factory-set credentials)
- Make sure your devices are up to date. Manufacturers post patches for known vulnerabilities.
- Invest in IoT monitoring solutions that tell you when your devices get hijacked by malicious actors.
If you are an IT or security manager: Know what devices you have and what they are doing.
- Know what is on your network: Many network managers are unaware of the sheer number of embedded devices lurking on their networks: VoIP phones, security cameras, smart TVs, remote power management units, HVAC systems, gateways, routers, industrial controllers, etc.
- Keep your devices up to date: Some environments make it challenging to update firmware due to re-certification requirements (health care) or uptime concerns (factory floor). Known vulnerabilities remain unpatched even when the manufacturer publishes a fix. The update rate depends on the sector but averages about 10% for the first 12 months after a security update is made available.
- Continuously monitor your network with a tool designed for IoT devices: Unlike traditional endpoints, embedded devices are compromised through abuse, misuse, or misconfiguration. Monitoring devices and the way they behave becomes critical as bad actors fly under the radar of traditional firewalls and intrusion detection systems.
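The three points above (inventory, patch state, and behaviour monitoring) come together in a simple baseline-and-deviation check. The block below is an added example and not Senrio's product or code: it learns which destinations, services and volumes each device used during a quiet observation window, then flags a later window for devices that were never seen before, services a device never used, unusual outbound volume, and scan-like fan-out to many new hosts. All flow records, addresses and thresholds are constructed for the example; a real deployment would feed flows from NetFlow/IPFIX, a span port or firewall logs.

```python
# Added example (not Senrio's code): learn a per-device network baseline,
# then report behaviour that deviates from it. Flows are constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    src: str        # device address
    dst: str        # destination address
    dport: int      # destination port
    proto: str      # "tcp" or "udp"
    bytes_out: int  # bytes sent by the device in this flow


@dataclass
class Profile:
    dsts: set = field(default_factory=set)     # destinations seen in baseline
    services: set = field(default_factory=set)  # (proto, dport) pairs seen
    peak_bytes: int = 0                         # largest single flow seen


# Constructed learning window: a camera talking to its vendor relay and NTP,
# a PLC talking to an HMI over Modbus, a printer receiving spool jobs.
BASELINE = [
    Flow("10.0.1.20", "203.0.113.10", 443, "tcp", 40_000),
    Flow("10.0.1.20", "10.0.0.5", 123, "udp", 90),
    Flow("10.0.2.7", "10.0.2.100", 502, "tcp", 1_200),
    Flow("10.0.1.30", "10.0.0.9", 9100, "tcp", 250_000),
]

# Constructed later window: the camera sweeps telnet across 40 hosts,
# the PLC talks to an unknown host, and an unknown device appears.
OBSERVED = [
    Flow("10.0.1.20", "203.0.113.10", 443, "tcp", 38_000),
    *[Flow("10.0.1.20", f"198.51.100.{i}", 23, "tcp", 60) for i in range(1, 41)],
    Flow("10.0.2.7", "192.0.2.44", 502, "tcp", 900),
    Flow("10.0.1.99", "10.0.0.5", 123, "udp", 90),
]


def learn_baseline(flows):
    """Build one Profile per device address from a trusted observation window."""
    profiles = defaultdict(Profile)
    for f in flows:
        p = profiles[f.src]
        p.dsts.add(f.dst)
        p.services.add((f.proto, f.dport))
        p.peak_bytes = max(p.peak_bytes, f.bytes_out)
    return dict(profiles)


def inventory(baseline):
    """The 'what is on my network' view: device -> services it normally uses."""
    return {src: sorted(p.services) for src, p in baseline.items()}


def detect(baseline, flows, fanout_limit=20, volume_factor=10):
    """Return sorted, de-duplicated (kind, device, detail) alerts for one window."""
    alerts = set()
    new_dsts = defaultdict(set)  # device -> destinations not in its baseline
    for f in flows:
        prof = baseline.get(f.src)
        if prof is None:
            alerts.add(("unknown_device", f.src, "not in baseline inventory"))
            continue
        if (f.proto, f.dport) not in prof.services:
            alerts.add(("new_service", f.src, f"{f.proto}/{f.dport} never used in baseline"))
        if f.dst not in prof.dsts:
            new_dsts[f.src].add(f.dst)
        if f.bytes_out > prof.peak_bytes * volume_factor:
            alerts.add(("volume_spike", f.src, f"{f.bytes_out} bytes to {f.dst}"))
    # Many new destinations at once looks like scanning; a few are reported individually.
    for src, dsts in new_dsts.items():
        if len(dsts) >= fanout_limit:
            alerts.add(("scan_like_fanout", src, f"{len(dsts)} new destinations"))
        else:
            for d in dsts:
                alerts.add(("new_destination", src, d))
    return sorted(alerts)


if __name__ == "__main__":
    base = learn_baseline(BASELINE)
    for src, services in inventory(base).items():
        print(f"{src}: {services}")
    for kind, src, detail in detect(base, OBSERVED):
        print(f"[{kind}] {src}: {detail}")
```

The thresholds are deliberately crude; the point is that a fixed-function device has a small, stable set of peers and services, so even a simple profile separates normal operation from the telnet sweep and the unexpected peer in the sample window.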
If you are a manufacturer: Step up your security game!
- Don’t make security an afterthought! Security today has the same status that quality control had a decade ago. Performing a security audit when the product is ready to ship is too late in the process, as the necessary changes are expensive and delay going to market.
- Improve hardware security. Hardware manufacturers rarely consider that weaknesses in the hardware give an attacker an easy path to the software. For instance, leaving debugging interfaces exposed hands attackers the keys to the kingdom. Regular firmware audits and protecting the boot process are additional ways to secure the device against attackers running their own code. Ideally, provide visibility into firmware integrity after the device leaves the factory.
- Code reuse means vulnerability reuse. In an effort to drive down costs, manufacturers reuse code across multiple platforms or use firmware provided by third-party vendors. Thus, if a vulnerability is found in one device, it could be exploited in other devices sharing the same code base. Security experts recommend performing more audits (ideally at every change of the code base) and conducting risk assessments. These activities will help prioritize security efforts.
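The last two points, firmware integrity after the device ships and tracking which products share a component, can be served by one artefact: a factory-signed manifest of per-component hashes. The block below is an added example, not Senrio's code or any vendor's shipping format. Firmware images are constructed byte strings, and an HMAC with a constructed key stands in for the asymmetric signature a real design would use (the verification key on a fielded device must not be able to produce signatures, which HMAC cannot guarantee). It shows a device attesting its running components against the manifest, and an operator asking which products contain a component whose hash has been reported vulnerable.

```python
# Added example (not Senrio's or a vendor's code): signed component manifests
# for firmware integrity checks and shared-component lookup. All images and
# the signing key are constructed; HMAC stands in for an asymmetric signature.
import hashlib
import hmac
import json
from collections import defaultdict

FACTORY_KEY = b"constructed-example-factory-key"  # real design: private key in an HSM


def component_hashes(image):
    """Map each component path in a firmware image to its SHA-256 hex digest."""
    return {path: hashlib.sha256(blob).hexdigest() for path, blob in image.items()}


def sign_manifest(product, image, key=FACTORY_KEY):
    """Produce the manifest the factory ships alongside the firmware."""
    body = {"product": product, "components": component_hashes(image)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, key=FACTORY_KEY):
    """Reject manifests whose body was altered or that were not issued with the key."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def attest_device(manifest, running_image):
    """Compare what the device is running with what the factory shipped.

    Returns a sorted list of (finding, path); an empty list means intact."""
    if not verify_manifest(manifest):
        return [("manifest_rejected", "")]
    expected = manifest["body"]["components"]
    actual = component_hashes(running_image)
    findings = []
    for path in sorted(set(expected) | set(actual)):
        if path not in actual:
            findings.append(("missing", path))
        elif path not in expected:
            findings.append(("unexpected", path))
        elif expected[path] != actual[path]:
            findings.append(("modified", path))
    return findings


def build_component_index(manifests):
    """component hash -> {(product, path)} across every verified manifest."""
    index = defaultdict(set)
    for m in manifests:
        if verify_manifest(m):
            for path, digest in m["body"]["components"].items():
                index[digest].add((m["body"]["product"], path))
    return index


def affected_products(index, vulnerable_hash):
    """Products that ship a component with the reported hash."""
    return sorted({product for product, _ in index.get(vulnerable_hash, ())})


# Constructed product line: two products share one UPnP build, a third uses another.
SHARED_UPNP = b"upnp-stack-build-1 (constructed)"
IMAGES = {
    "camera-A1": {"lib/libupnp.so": SHARED_UPNP, "bin/httpd": b"httpd-A (constructed)"},
    "dvr-B2": {"lib/libupnp.so": SHARED_UPNP, "bin/httpd": b"httpd-B (constructed)"},
    "router-C3": {"lib/libupnp.so": b"upnp-stack-build-2 (constructed)",
                  "bin/httpd": b"httpd-C (constructed)"},
}
MANIFESTS = [sign_manifest(product, image) for product, image in IMAGES.items()]

if __name__ == "__main__":
    # A fielded camera whose web daemon no longer matches the factory build.
    altered = dict(IMAGES["camera-A1"], **{"bin/httpd": b"httpd-A changed in the field"})
    print("camera attestation:", attest_device(MANIFESTS[0], altered))
    index = build_component_index(MANIFESTS)
    reported = hashlib.sha256(SHARED_UPNP).hexdigest()
    print("products carrying the reported component:", affected_products(index, reported))
```

Two design notes: the manifest hashes components rather than the whole image so that an audit can name the changed file instead of only saying "different", and the component index is built from verified manifests only, so a forged manifest cannot hide a product from the vulnerability lookup.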
What Does the Future Hold?
We need to look beyond the immediate fallout from last week’s IoT-powered DDoS attack that took down websites temporarily and inconvenienced some of us. The underlying vulnerabilities found in CCTV cameras and DVRs propagate to other devices such as medical and industrial equipment. We have been sounding the alarm bells for years: networked embedded devices have access to corporate, medical, and defense networks. Traditional firewalls, intrusion prevention systems and user-based analytics tools are blind to this new type of attack vector.
Manufacturers and network operators alike need to take the threat from IoT devices seriously and move to address this blind spot. Rather than looking for an “inside out” approach that hardens the devices against attack, we need to watch and learn how devices behave on the network. Knowing what is on your network and when malicious activity occurs is the first step in remediating, isolating and stopping the spread of the attack.