Why more attacks leveraging the Internet of Things are inevitable

Connected 'smart' devices lack basic security safeguards

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The mas­sive Dis­trib­uted Denial of Ser­vice (DDoS) attack that cut con­sumers off from their favorite web haunts recent­ly was the loud­est warn­ing yet that cyber crim­i­nals can be expect­ed to take full advan­tage of gap­ing secu­ri­ty flaws atten­dant to the Inter­net of Things.

For much of the day, on Fri­day, Oct. 21, it was not pos­si­ble for most inter­net users to con­sis­tent­ly access Twit­ter, Spo­ti­fy, Net­flix, Ama­zon, Tum­blr, Red­dit and PayPal.

Using mal­ware, dubbed Mirai, an attack­er had assem­bled a sprawl­ing net­work of thou­sands of hacked CCTV video cam­eras and dig­i­tal video recorders, then direct­ed this IoT bot­net to swamp the mar­quee web prop­er­ties with waves of nui­sance pings, thus block­ing out legit­i­mate visitors.

Relat­ed: Shodan search engine can find IoT devices

Mirai is designed to take over light­weight Busy­Box soft­ware wide­ly used to con­trol IoT devices. The source code for Mirai can be found online and is free for any­one to use. Third­Cer­tain­ty asked Justin Har­vey, secu­ri­ty con­sul­tant at Gig­a­mon, and John Wu, CEO of secu­ri­ty start­up Gryphon, to flesh out the wider con­text and dis­cuss the go-for­ward impli­ca­tions. The text has been edit­ed for clar­i­ty and length:

Third­Cer­tain­ty: Why do you think these attack­ers went after Busy­Box systems?

John Wu, Gryphon Online Safety co-founder and CEO
John Wu, Gryphon Online Safe­ty co-founder and CEO

Wu: Because Busy­box is light­weight; it’s used on most IoT devices that have lim­it­ed mem­o­ry and pro­cess­ing. Busy­box is a util­i­ty with lots of use­ful commands.

Har­vey: Busy­Box is very stan­dard­ized. It is high­ly used in the field, and it also runs Lin­ux, so the inter­nals are very straight­for­ward and easy to dupli­cate in test­ing systems.

3C: How did the attack­er locate so many vul­ner­a­ble devices?

Wu: Stan­dard IP scan­ning would iden­ti­fy the devices, and then the attack­er could use the admin inter­face to install the mal­ware. These devices had weak default pass­words that allowed hack­ers to install Mirai.

Har­vey: Cross map­ping man­u­fac­tur­ers with types of devices. Then using the web­site Shodan to get a list of open devices. Once they had the list of devices, they could cre­ate a mas­sive­ly par­al­lel script to step through each and deter­mine whether they used the ver­sion of the OS they wanted.

3C: How many devices did they need to con­trol to car­ry out three waves of attacks over the course of 12 hours?

Har­vey: 300,000 to 500,000.

 Wu: Prob­a­bly a few hun­dred thou­sand devices. Because it’s dis­trib­uted, there is no way to sim­ply block all the IP addresses.

3C: Are there a lot of vul­ner­a­ble devices still out there, ripe for attack?

Justin Harvey, Gigamon security consultant
Justin Har­vey, Gig­a­mon secu­ri­ty consultant

Har­vey: Yes! Shodan spe­cial­izes in not­ing which devices are out there and which are open to the world. The devices used in this attack were but a small frac­tion of open or inse­cure IoT devices.

Wu: We don’t know exact­ly how many devices are still out there as sleep­er bots. Mirai also is active­ly recruit­ing new bots. From what I under­stand, these IoT devices had open chan­nels and the users had prac­ticed poor pass­word pro­tec­tion for root access to install addi­tion­al components.

3C: What do you expect attack­ers to focus on next?

Wu: I would expect the attacks to get larg­er and more sophis­ti­cat­ed. Mirai also is work­ing in the back­ground to recruit more devices. The next attack may not be as pub­lic since they’ve already shown what the bot­net net­work is capa­ble of.

Har­vey: I believe there is a sig­nif­i­cant risk of a large scale DDoS attack on Elec­tion Day. It could be against coun­ty reg­is­trars, could be against the media, or even web­sites like Twit­ter and Facebook.

3C: What should indi­vid­ual con­sumers be most con­cerned about at this point?

Har­vey: Con­sumers need bet­ter edu­ca­tion on chang­ing the default access and secu­ri­ty con­trols of their IoT devices. Man­u­fac­tur­ers need to take secu­ri­ty seri­ous­ly. Peri­od. Con­gress needs to step in, con­duct some hear­ings on IoT issues, and per­haps reg­u­late these devices.

 Wu: Con­sumers need to be con­cerned if their device is one of the devices already com­pro­mised or at risk of being com­pro­mised. They should con­tact the man­u­fac­tur­er to ask if a secu­ri­ty patch is avail­able. A sim­ple solu­tion would be to take the device offline, if it’s some­thing you can live without.

3C: What is the most impor­tant thing com­pa­ny deci­sion-mak­ers need to understand?

Wu: If you are depen­dent on the inter­net for your rev­enue and busi­ness, you should be plan­ning alter­na­tive com­mu­ni­ca­tion chan­nels. If DNS is crit­i­cal to your busi­ness, you should look at back­ups to just one ser­vice provider. Let peo­ple know that, if email is down, you can still get busi­ness done over the phone.

Har­vey: Busi­ness­es need to under­stand the impli­ca­tions to run­ning IoT devices with­in their com­pa­nies, and ques­tion the busi­ness need for using IoT devices ver­sus the convenience.

More sto­ries relat­ed to secu­ri­ty and the Inter­net of Things:
Data secu­ri­ty even more crit­i­cal as Inter­net of Things mul­ti­plies, morphs
Secu­ri­ty must be part of device design as Inter­net of Things evolves

Secur­ing the Inter­net of Things: ‘Side chan­nel attacks’ expose sen­si­tive data col­lect­ed by IoT devices



Posted in Data Breach, Data Security, Featured Story