27.10.16

The Hive Mind: When IoT devices go rogue



The Internet of Things (IoT) has been given many different names in the past year: the Internet of Terror, the Internet of Trash and a few other catchy monikers, all meant to account for the large number of vulnerabilities found in the new devices that are increasingly present in many homes.
Things like smart thermostats, internet camera devices, internet enabled refrigerators and smart washing machines fall into the IoT category. These devices, while presenting a multitude of functionality for controlling various mundane aspects of everyday life, such as locking your front door and turning off appliances in your home, also offer criminals a new attack platform: your appliances.
Now, attackers are leveraging these new, IP based devices to launch some of the most torrential network distributed denial of service (DDoS) attacks that have been recorded in history. What are the inherent risks associated with these devices? What is the best way to protect home devices from being attacked by outside users? Is there a happy medium between usability of IoT devices and security?
We will look closely at these aspects, provide some insight into the rise of the Hive Mind (infected and affected IoT devices), and discuss the best ways to make sure your devices are not affected by malicious actors.
IoT devices
The Internet of Things can best be described as “the internetworking of physical devices, vehicles (also referred to as ‘connected devices’ and ‘smart devices’), buildings and other items, embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data”.
In short, it takes the devices in your home, combines them with a few controllable electronic components, adds a network interface, then calls them ‘smart’ because you can now control them with a phone, computer or tablet. The goal is to automate the home or business in a similar fashion to a computer or any other automated process.
If a process does not need to run constantly, you shut it down, like a light. You can schedule jobs, like washing clothes, and perform conditional tasks, like turning off the heater if the temperature exceeds a set threshold. The theory is sound: having these items work for you – instead of you working for them – gives you more free time, as well as letting you do things you could not have imagined doing with household appliances (like getting an alert on your phone if someone approaches your front door, or locking the doors of your home from half a world away).
Looking deeper at the business and industrial sectors, items like critical city infrastructure and centrifuges are controlled by computer-based systems instead of manual controls, and every day become more accessible for control through network-based interfaces. Granted, the perimeter defenses of critical infrastructure (government, enterprise business) should be hardened; however, a few times code has managed to jump from the digital domain to affecting physical objects (remember Stuxnet?). The next portion is best summarized by the Spiderman comic series: “With great power comes great responsibility.”
IoT Security Problems
When IoT is mentioned to security experts, the whole ordeal becomes the “Tower of Security Babble”. There is no unification in theory, coding or protection methods for these devices, and people have different ideas on how best to protect them. Some go with the theory of placing a firewall-like device in your home or business to restrict control of the devices to authorized users and filter traffic.
Some companies are looking at certificate-based options, allowing only parties holding the appropriate security certificate to control the devices and removing unauthorized users from the equation. In the end, there are so many options that sometimes the easiest problems are missed, like a default password that everyone knows. Also, under no circumstances, in 2016, should a telnet server be running on a public-facing device.
Why? Well, a few weeks ago the Mirai virus source code was released on the regular internet as well as through various darknet avenues. The malware was most recently used in an attack on the Brian Krebs website. The attack generated such record amounts of traffic that Akamai had to remove the Krebs website from its servers, as it was too damaging to keep in place. Google eventually stepped in with its Project Shield, a service aimed at assisting journalists and other public-facing people who incur a DDoS attack.
The malware itself is very basic and, as the code reveals, seemingly not yet complete. The issue remains that it still works well. It is cross-platform, written in C and Go, a recent programming language created by Google in about 2007, and the package runs on both 32- and 64-bit architectures, allowing for a greater infection base. It has three main components: a command and control module that phones home and allows for communications; a network scanner that allows for pivoting and the further infection of other IoT devices; and an attack module, allowing for the use and abuse of legitimate network traffic once a target is defined by the command module.
The scary part is that the malware will infect (and has infected) other IoT devices by scanning a network and abusing a protocol, Telnet, that was originally created in 1969 and offers little in the way of security. The other scary part is that the affected devices accept one of 65 well-known, widely used passwords for telnet authentication; when one of them works, the device is compromised and turned into another zombie in the IoT bot army.
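The credential sweep described above leaves a trace in the device's own telnet login log: many different usernames from one address within seconds. The detection logic below is an added example for this article, not part of the original or of Mirai; the syslog line format, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines imitating a telnet daemon's auth log on a home
# router. The line format and the addresses are assumptions for this example.
SAMPLE_LOG = """\
Oct 21 09:00:01 router telnetd[412]: login failed for 'root' from 198.51.100.23
Oct 21 09:00:02 router telnetd[412]: login failed for 'admin' from 198.51.100.23
Oct 21 09:00:03 router telnetd[412]: login failed for 'support' from 198.51.100.23
Oct 21 09:00:03 router telnetd[412]: login failed for 'user' from 198.51.100.23
Oct 21 09:00:04 router telnetd[412]: login failed for 'guest' from 198.51.100.23
Oct 21 09:00:05 router telnetd[412]: login succeeded for 'admin' from 198.51.100.23
Oct 21 09:30:10 router telnetd[412]: login failed for 'admin' from 192.0.2.9
Oct 21 09:31:50 router telnetd[412]: login succeeded for 'admin' from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

def parse_events(text, year=2016):
    """Yield (timestamp, source_ip, username, succeeded) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"], m["result"] == "succeeded"

def detect_credential_sweeps(text, window=timedelta(seconds=60), min_users=4):
    """Flag sources that fail logins as several distinct usernames inside one window.
    A scanner working through a fixed credential list tries many usernames from one
    address in seconds; a person mistyping a password does not."""
    per_src = defaultdict(list)
    for ts, src, user, ok in parse_events(text):
        per_src[src].append((ts, user, ok))
    findings = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            failed_users = {u for _, u, ok in in_window if not ok}
            if len(failed_users) >= min_users:
                # A later success from the same source means a well-known credential worked.
                compromised = any(ok for ts, _, ok in events if ts >= start)
                findings[src] = {"distinct_users": len(failed_users), "login_after_sweep": compromised}
                break
    return findings
```

A flagged source with `login_after_sweep` set is the device to pull off the network first, since the sweep found a credential that works.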
In writing this article, another oddity (attack) hit. On Friday – October 21st – as this article was being penned, Dyn DNS was hit by one of the largest cyberattacks on record, removing access for millions of users to notable sites like Amazon, Netflix, Etsy and a whole lot more. These are the first strikes in what is due to be a very fast and expansive spread of IoT-based botnets (more insight on this from Stephen Cobb). With all of these vulnerabilities and attacks taking place, how can you protect yourself or your business from being taken advantage of online when using IoT devices?
IoT protection
When using these devices, look at them like another computer asset in your organization. If you are using them in the house, look at them as a door that needs to be locked. Using just a few of these steps can help reduce attacks or future infection of your IoT based devices:
1. Change the default password. This can be a chore; however, it is a very manageable step that removes a vulnerability from your network.
2. Use an HTTPS interface when possible. If you log in from a computer to manage your devices, default to an HTTPS gateway, preventing clear-text or man-in-the-middle attacks from affecting your password or device security.
3. If you do not need it, turn it off. If the device offers extra connection protocols (SSH, Telnet, other) that are not in use and they can be turned off, disable them immediately. Taking the port out of a listening state removes one way for it to be exploited.
Using just these three simple and basic items will greatly reduce an attacker's ability to use your IoT device (and more importantly, the network traffic it generates) as a weapon of cyberwar.
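The three steps can be turned into a small self-audit of your own device inventory. This is an added example, not code from the original article; the port-to-service mapping, the inventory record format and the sample devices are assumptions.

```python
import socket

# Management services the three steps care about (port -> name). Assumption: the
# device uses the standard ports; adjust the mapping if yours does not.
SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https"}

def probe_ports(host, ports=SERVICES, timeout=1.0):
    """Return the set of ports on `host` (one of your own devices) that accept a TCP connection."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports

def audit(open_ports, default_password_changed):
    """Check one device against steps 1-3; returns a list of (step, severity, message)."""
    findings = []
    if not default_password_changed:
        findings.append((1, "high", "default password still in use"))
    if 23 in open_ports:
        findings.append((3, "high", "telnet (23) listening; disable it"))
    if 80 in open_ports and 443 not in open_ports:
        findings.append((2, "medium", "management only over plain HTTP; prefer HTTPS"))
    for port in (21, 22):
        if port in open_ports:
            findings.append((3, "medium", f"{SERVICES[port]} ({port}) listening; disable if unused"))
    return findings

def audit_inventory(devices):
    """devices: {name: {"open_ports": set, "default_password_changed": bool}} -> {name: findings}."""
    return {name: audit(d["open_ports"], d["default_password_changed"]) for name, d in devices.items()}

# Constructed inventory so the audit runs offline; in practice fill open_ports from probe_ports(host).
SAMPLE_INVENTORY = {
    "camera-1": {"open_ports": {23, 80}, "default_password_changed": False},
    "thermostat": {"open_ports": {443}, "default_password_changed": True},
}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, findings or ["ok"])
```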