The internet of things, or IoT, can be incredibly convenient. We use connected devices in our office spaces, to control the temperature, add items to our shopping lists, query smart assistants and more. That convenience comes at a cost, and, without proper security, our IoT devices can be turned against us.
Brian Krebs, a well-respected security reporter, was recently hit by one of the largest-ever distributed denial of service (DDoS) attacks. Had it not been so large, one might normally have shrugged the situation off, chalking it up to a bunch of hackers sitting in an IRC room somewhere, coordinating an attack against someone they didn’t like. Krebs, after all, had helped put two men behind bars after exposing their DDoS-for-hire service, vDOS. Plus, DDoS attacks happen all the time.
Krebs soon learned this was different, though.
Akamai, the service he pays to help his site stay online during attacks, said that the attack measured around 620 Gbps in size, which Krebs explained is “many orders of magnitude more traffic than is typically needed to knock most sites offline.”
What could possibly create such a huge attack? A botnet, for sure, but one that operates much differently than others.
It wasn’t a bunch of hackers who attacked Krebs. It was hundreds of thousands of connected devices, such as routers, IP cameras, DVRs, printers and computers sitting online unprotected, that were used to send such an incredible amount of data toward Krebs.
Source code for the IoT botnet, officially dubbed “Mirai,” was recently published on Hackforums by user Anna-senpai, which means these attacks are about to become a lot more common.
To better understand how IoT botnets work, what this means for us as consumers, and if these attacks can be stopped, I spoke with Rob Simon, senior security consultant at TrustedSec, and Filip Chytrý, product manager and head of threat intelligence at Avast, the firm that just acquired AVG.
How an IoT botnet like Mirai works
Mirai was built to scan the internet for devices that were connected using default login credentials. A Linux computer with root still set as the username and root as the password, for example, or maybe an IP camera still using “admin” and “password” as the login credentials, are the sorts of devices that were most vulnerable.
Mirai is able to scan for these devices and then, using a bunch of default usernames and passwords that it knows might work on a set of devices, begins to attempt to log in. If a login can be achieved, the device is easily added into the Mirai botnet. There are billions of these devices connected to the web.
“This is the big thing they used to create that botnet,” Simon said. “There are 50 or so known types of devices, and they’re listening on telnet port 23, and they have the credentials. You just copy over the code to run on that device, it connects back to a control center, and from there it just waits for your commands. Once all connected, about 380,000 devices are connected at once. You send a command to all of them to go load a page like Brian Krebs’ and they’re generating a lot of traffic.”
Here’s a sample of the source code, which Avast sent us:
You don’t need malware to find exposed devices, though. One need only browse Shodan.io with the right query to find all sorts of vulnerable devices. They’re everywhere.
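The login pattern described above (repeated telnet attempts on port 23 until a default credential works) is something a defender can look for in device or gateway logs. The following is an added example, not code from the article, Avast or Mirai; the key=value log format, the 60-second window and the threshold of three failures are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the key=value format is an assumption for this example.
SAMPLE_LOG = """\
2016-10-03T12:00:01 src=203.0.113.7 dport=23 user=root result=fail
2016-10-03T12:00:02 src=203.0.113.7 dport=23 user=admin result=fail
2016-10-03T12:00:03 src=203.0.113.7 dport=23 user=root result=fail
2016-10-03T12:00:04 src=203.0.113.7 dport=23 user=admin result=ok
2016-10-03T12:05:00 src=198.51.100.20 dport=23 user=operator result=fail
2016-10-03T13:30:00 src=198.51.100.20 dport=23 user=operator result=ok
2016-10-03T12:06:00 src=192.0.2.9 dport=22 user=root result=fail
not a log line
"""

WINDOW = timedelta(seconds=60)  # assumed look-back window per source
MAX_FAILS = 3                   # assumed failures in the window before alerting

def parse(line):
    """Return (timestamp, fields), or None for a malformed line."""
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
    except (IndexError, ValueError):
        return None
    if not {"src", "dport", "result"} <= fields.keys():
        return None
    return ts, fields

def detect(log_text):
    """Map source IP -> 'bruteforce' or 'compromise' for telnet (port 23) logins."""
    fails = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = {}
    events = sorted(filter(None, map(parse, log_text.splitlines())), key=lambda e: e[0])
    for ts, f in events:
        if f["dport"] != "23":
            continue
        recent = fails[f["src"]]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if f["result"] == "fail":
            recent.append(ts)
            if len(recent) >= MAX_FAILS:
                alerts.setdefault(f["src"], "bruteforce")
        elif f["result"] == "ok" and len(recent) >= MAX_FAILS:
            alerts[f["src"]] = "compromise"  # success right after a failure burst
    return alerts
```

A source marked `compromise` logged in successfully straight after a burst of failures, so that device should be treated as taken over rather than merely probed.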
At home and at work
In our homes, we might be protected by things like firewalls or our wireless router, but products are still vulnerable on their own. Sometimes, though, these gadgets just sit wide open to the web, even in the enterprise, allowing hackers to easily take over.
Simon explained that IoT in enterprise is particularly dangerous since a company’s IT department might not know how to fold a connected camera, something that might not have its own UI, into its existing security framework.
“Organizations aren’t doing a good job of making sure all of their devices are going through the same scrutiny. It’s harder to manage those,” Simon said. “You’re limited on the commands you can run, so [IT departments] often don’t bring them into the corporate policy.”
Simon also explained that passwords can be changed, sure, but oftentimes they’re hardcoded, too. Hackers can easily dig up instruction manuals or find online threads where other tinkerers have reverse-engineered connected devices, discovering hardcoded passwords and backdoors.
Once they’ve been hijacked, the devices can be switched from sending normal amounts of data to and from your computer, to sending massive amounts of data at a single target. Ultimately, the traffic from hundreds or thousands of these devices can exceed the throughput available to a website or a service, denying additional requests access.
That brings me to my next question.
How dangerous are these DDoS attacks, anyway?
DDoS attacks can be used to knock websites and services offline, but often that might just be little more than lost revenue to a site and an inconvenience to its customers. Are we, as a society, at risk? Can DDoS attacks take down a power grid or the stock exchange, for example?
Rob Simon helped me understand.
“If there is something critical for the stock exchange or power grid that is connected to the internet, it could be a target for Distributed Denial of Service (DDoS). There was an attack against a Ukrainian power grid last year in which malware took the systems offline and a denial of service attack was used against their phone system to prevent outage reports from reaching the operators,” Simon explained. “So the DDoS was not directly responsible, but it was used to prolong the effects of the outage by downing the phone system hampering communications.”
One can imagine the sort of damage this could cause in healthcare or during a physical attack, perhaps a terrorist attack, when communications are essential.
Can it be stopped?
Since botnets like Mirai rely on the laziness of end users, folks who aren’t updating firmware, aren’t changing default passwords or trying to protect their devices, it’s nearly impossible to stop the IoT from being used for attack.
Worse, while consumers and the enterprise have done a good job securing PCs, there isn’t exactly antivirus for the IoT. Curious if these sorts of attacks can be stopped, I asked Avast’s head of threat intelligence Filip Chytrý if there’s any stopping this from continuing to happen time and time again.
“These types of attacks will occur more frequently as time goes on,” Chytrý explained. “All you need to pull it off is a bad security setup and old or unsecured firmware – something you’ll frequently find in most IoT devices. Firmware almost never gets updated – take a router, for example: when was the last time you updated it? Most people would answer, ‘never.’”
“Unfortunately, this code is already out there, so it can’t be stopped,” Chytrý continued. “At this point, users can only take proactive steps to protect their IoT devices and monitor incoming traffic carefully – not something every user is going to be able to do. There are also steps which manufacturers can take in the future to help prevent the compromising of new devices. Unfortunately, nobody was really paying attention to this until now. This is something we expect to grow significantly going forward.”
What can we do to help?
On a PC, malware can be used to include that computer inside of a botnet. We’re better at fighting that kind of malware now. Microsoft has upped its security game in Windows 10, and new software from Avast/AVG/Symantec and other companies also helps protect consumers in this regard.
You can’t just scan your webcam for malware, however.
That’s why Simon and Chytrý suggest you update the firmware for all of your connected devices. Yes, that means updating the software for each lightbulb, each DVR, each camera that’s connected to the internet.
You should also change the default password, so botnets like Mirai, as they attempt to log in to your devices, can’t get in as easily. They’ll just move right on to the next connected device, hoping the next one is insecure. If you’re more advanced or are running a business, use a firewall.
“Put the device behind a firewall if it does not need to be directly accessible over the internet,” Simon suggests. A corporation that doesn’t need remote access, for example, shouldn’t have a webcam that’s accessible outside the office. “Disable Universal Plug and Play (UPnP) on your router so the IoT device is not able to open up ports and expose itself to the internet,” he added, “and limit inbound traffic to only trusted IPs if it must be internet accessible.”
Vendors also need to change the way they’re building and selling devices.
Simon suggests they need to “start generating passwords on installs rather than using known defaults,” making it easier for users to change the default passwords, disabling tools like telnet and SSH and removing hardcoded credentials and backdoors. Vendors, Simon said, should also “follow the guidelines at OWASP Internet of Things (IoT) Project.”
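One way a vendor could act on the advice to generate passwords on install and let owners change them, as an added example that is not from the article or any vendor's firmware. The function names, the stored record layout, the PBKDF2 iteration count and the eight-character minimum are assumptions; the rejected defaults are the ones named earlier in the article.

```python
import hashlib
import hmac
import secrets

# Default passwords named in the article; a real vendor list would be longer.
DEFAULT_PASSWORDS = {"root", "admin", "password"}
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no look-alikes


def _hash(password, salt):
    # PBKDF2 with an assumed iteration count; only the salt and hash are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(user, password):
    salt = secrets.token_bytes(16)
    return {"user": user, "salt": salt, "hash": _hash(password, salt)}


def provision_first_boot(user="admin", length=16):
    """Generate a password unique to this unit; return (stored record, password).

    The password is shown to the owner once, for example on the unit's label
    (hypothetical flow); it never ships as a shared default.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return _record(user, password), password


def change_password(record, new_password):
    """Let the owner choose a new password, refusing short or known-default ones."""
    if len(new_password) < 8 or new_password.lower() in DEFAULT_PASSWORDS:
        raise ValueError("password is too short or a known default")
    return _record(record["user"], new_password)


def verify(record, user, password):
    """Check a login attempt against the stored record in constant time."""
    ok_user = hmac.compare_digest(user.encode(), record["user"].encode())
    ok_pass = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    return ok_user and ok_pass
```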
We can only mitigate future attacks, though.
The threat exists
If I’ve understood Simon and Chytrý correctly, this is only the very beginning of IoT botnets that are capable of delivering attacks much more vicious than before.
We are, in many ways, at the mercy of the very devices sitting in our homes. Can’t stream HBO to your Apple TV? It might not just be a group of hackers attacking the service with a low-level attack, but rather a single hacker with the right botnet, executing commands that control the webcam sitting right behind you.
As companies like Google, Apple, Amazon, Samsung and LG continue to introduce hundreds of new connected devices, from refrigerators to voice-controlled digital assistants like Amazon Echo, the number of connected devices that might be used in an attack is only increasing. In fact, recent data from Gartner suggests that there will be more than 6.4 billion connected “things” by the end of this year. 21 billion devices are expected to be connected by 2020.
We certainly can’t stop the rate of innovation or adoption of these devices, but we can, and in fact need to, make sure we’re protecting ourselves by first protecting our devices.