The Internet of Things (IoT) has been referred to
by so many different names in the past year. The Internet of Terror, the Internet of Trash and a few other
catchy monikers to account for the large amount of vulnerabilities present in
new devices that are increasingly present in many homes.
Things like smart thermostats, internet camera
devices, internet enabled refrigerators and smart washing machines fall into
the IoT category. These devices, while presenting a multitude of functionality
for controlling various mundane aspects of everyday life, such as locking your
front door and turning off appliances in your home, also offer criminals a new
attack platform: your appliances.
Now, attackers are leveraging these new, IP based
devices to launch some of the most torrential network distributed denial of
service (DDoS) attacks that have been recorded in history. What are the
inherent risks associated with these devices? What is the best way to protect
home devices from being attacked by outside users? Is there a happy medium between
usability of IoT devices and security?
We will be looking closely at these aspects,
provide some insight into the rise of the Hive Mind: Infected/Affected IoT
devices, and discuss the best ways to make sure your devices are not affected
by malicious actors.
IoT devices
The Internet of Things can best be described
as “the internetworking of physical devices, vehicles (also referred
to as ‘connected devices’ and ‘smart devices’), buildings and other items,
embedded with electronics, software, sensors, actuators,
and network connectivity that enable these objects to collect and
exchange data”.
In short, it takes the devices in your home,
combines them with a few controllable electronic components, adds a network
interface, then calls them ‘smart’ because you can now control them with a
phone, computer or tablet. The goal is to automate the home or business in a
similar fashion to a computer or any other automated process.
If you do not use a constant process, you have it
shut down, like a light. You can schedule jobs, like washing clothes and
perform conditional tasks like turning off the heater if temperature exceeds a
certain temperature. The theory is sound, as having these items work for you –
instead of you working for them – offers you more free time, as well as
allowing you to do things that you could not have imagined with household
appliances (like get alerts on your phone if someone approaches your front door
or lock your doors to your home from half a world away).
Looking deeper at the business and industrial
sectors, items like critical city infrastructure and centrifuges are controlled
by computer based systems instead of manual controls, and every day are
becoming more available for control using network based interfaces. Granted,
critical infrastructure perimeter defenses (like government, enterprise
business) should be hardened, however, a few times items have been able
to jump from digital code to affecting physical objects (remember Stuxnet?).
However, the next portion is best summarized in the Spiderman comic series:
“With great power, comes great responsibility.”
IoT Security Problems
When mentioning IoT to security experts, the whole
ordeal becomes the “Tower of Security Babble”. There is no unification in
theory, coding or protection methods for these devices. People have different
ideas on how to best protect the devices. Some go with the theory of applying a
firewall like device in your home or business to regulate control of the
devices to authorized users and filter traffic.
Some companies are looking at certificate-based
options, allowing only parties with the appropriate security certificate to
control the devices, removing unauthorized users from the equation. In the end,
there are so many options that sometimes the easiest ones are missed, like
using a default password that everyone knows. Also, under no circumstance, in
2016, should a telnet server be running on a public facing device.
Why? Well, few weeks ago, the Mirai virus source code was released on the regular internet
as well as various darknet avenues. The malware was used most recently in an attack on the Brian Krebs website. The attack generated record
amounts of traffic that the company Akamai had to remove the Krebs website from
its servers as it was too damaging to keep it in place. Google eventually
stepped in utilizing their Project Shield,
a service aimed to assist journalists or other public facing people that incur
a DDoS attack.
The malware software itself is very basic and
seemingly not yet completed as the coding reveals. The issue remains that it
still works well. The malware is cross platform, written in C and GO, a recent programming language created
by Google in about 2007. The malware package is cross platform as well, and
runs on both 32 and 64 bit architectures, allowing for a greater infection
platform. It has three main components; a command and control module that
phones home and allows for communications, a network scanner that allows for
pivoting and the further infection of other IoT devices and an attack module,
allowing for the use and abuse of legitimate network traffic once a target is
defined by the command module.
The scary part of this is that the malware will
(and has) infected other IoT devices by scanning a network and abusing a
protocol (Telnet) that was originally created in 1969 and offers little in the
way of security. The other scary part is that the affected devices contain one
of 65 well known and used passwords used by telnet to authenticate to the
device, which, when utilized, leads to the compromise of the device, turning it
into another zombie in the IoT bot army.
In writing this article, another oddity (attack)
hit. On Friday – October 21st – as this article was being penned, Dyn DNS was hit by one of the largest cyberattacks recorded,
removing access for millions of users to notable sites like Amazon, Netflix,
ETSY and a whole lot more. These are the first strikes in what is due to be
a very fast and expansive spread of IoT based botnets (more insight on this
from Stephen Cobb). With all of these vulnerabilities and attacks
taking place, how can you protect yourself or your business from being taken
advantage of online when using IoT devices?
IoT protection
When using these devices, look at them like another
computer asset in your organization. If you are using them in the house, look
at them as a door that needs to be locked. Using just a few of these steps can
help reduce attacks or future infection of your IoT based devices:
1.
Change the
default password. This can be a chore,
however, it is a very manageable step to remove a vulnerability from your
network.
2.
Use a HTTPS
interface when possible. If you log in
using a computer to manage your devices, default to an HTTPS gateway, removing
clear text or man-in-the-middle attacks form affecting your password or device
security.
3.
If you do not
need it, turn it off. If the
device offers extra connection protocols (SSH, Telnet, other) that are not in
use and they have the ability to be turned off, disable them immediately.
Removing the port from a listening state will remove an ability for it to be
exploited.
Using just these three simple and basic items will
reduce greatly the ability for an attacker to utilize your IoT device (and more
importantly, the network traffic they generate) as a weapon of cyberwar.