Humble IoT devices grow fangs and threaten DDoS attacks

Phil Marshall/Tolaga Research
15 Aug 2017

Consumers across the globe are eager to capitalize on the Internet-of-Things (IoT), to monitor, manage and control their electronic equipment over the internet, through cloud services and from their smartphones.

The range of consumer electronic devices being connected to the internet includes surveillance cameras, smart televisions, DVRs, residential thermostats, and other home convenience and security devices. These devices can be purchased from consumer electronic stores and provide convenient plug-and-play capabilities for rapid deployment.

This seemingly ideal solution for consumers has created crippling challenges for internet security. Most notably, devices are often shipped with remote access enabled and with default administrative credentials that are seldom changed. Anyone who can reach such a device and knows the factory default can log in with full administrative control of it.

Protect your IoT devices?

There’s growing awareness of IoT security threats, but many organizations still don’t give security priority. Too often, customer experience or time-to-market requirements take precedence over security requirements, leaving security functionality out of final production deployments.

A consumer IoT device should, at a minimum, provide the following basic security features:

  • Firmware and other operational software is digitally signed, and the device verifies the signature before installing or running it, so that an attacker cannot load malicious command-and-control software.
  • Credentials and cryptographic keys are stored in protected memory, and administrative functionality is appropriately constrained, so that a single compromised function does not hand over the whole device.
  • Sufficient server-side security mechanisms, such as authenticated and encrypted transport with proper certificate validation, are implemented to reduce the potential for man-in-the-middle (MITM) attacks.

Yet these and other basic security features are typically excluded from consumer electronic devices. Most device manufacturers earn their profit by cranking out low-margin devices by the container-load, with security an afterthought, or not thought of at all.
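As an added illustration of the first feature in the list above (signed firmware that the device verifies before installing), here is a Go program written for this article; it is not code from any vendor or from the Mirai source. The image layout (a version field plus payload under one signature), the names `Image`, `Device` and `Install`, and the anti-rollback rule are assumptions made for the example. Ed25519 is used because Go's standard library provides it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a signed firmware image. The layout (a 4-byte big-endian version
// followed by the payload, with one Ed25519 signature covering both) is an
// assumption made for this example, not any vendor's real update format.
type Image struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware signature invalid: refusing to install")
	ErrRollback     = errors.New("firmware older than installed version: refusing to install")
)

// signedBytes returns exactly the bytes the signature covers. Signing version
// and payload together stops an attacker re-labelling a signed image.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignImage is the vendor-side step: only the release pipeline holds priv.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	sig := ed25519.Sign(priv, signedBytes(version, payload))
	return Image{Version: version, Payload: payload, Signature: sig}
}

// Device holds the two things the check needs: the vendor public key
// provisioned at manufacture and the version currently running.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed uint32
}

// Install is the device-side check. Nothing is written to flash unless the
// signature verifies under the provisioned key and the version does not go
// backwards (so a genuine but vulnerable old image cannot be re-installed).
func (d *Device) Install(img Image) error {
	if len(img.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(d.VendorKey, signedBytes(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version < d.Installed {
		return ErrRollback
	}
	d.Installed = img.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, Installed: 1}

	good := SignImage(priv, 2, []byte("constructed firmware payload v2"))
	fmt.Println("vendor image:", dev.Install(good))

	tampered := good // same header, but flip one byte of a copied payload
	tampered.Payload = append([]byte(nil), good.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered image:", dev.Install(tampered))

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignImage(attackerPriv, 3, []byte("botnet loader"))
	fmt.Println("attacker-signed image:", dev.Install(forged))

	old := SignImage(priv, 1, []byte("constructed firmware payload v1"))
	fmt.Println("genuine but older image:", dev.Install(old))
}
```

The point of the check is where the trust sits: the device trusts only the public key burned in at manufacture, so neither a tampered payload, nor an image signed with someone else's key, nor a re-labelled version passes, and a genuine older image is refused because it may carry a vulnerability the newer one fixed. On a real device the verification would run inside the bootloader with the key in read-only or OTP storage, which is what "protected memory" in the list above refers to.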

The weaponized IoT

While insecure IoT devices are vulnerable to a variety of attacks, including ransomware, reconnaissance and eavesdropping, the devices are also being weaponized to attack the internet itself with DDoS attacks. Once an attacker has infected a sufficient number of IoT devices (possibly hundreds of thousands) with malware that takes orders from a command-and-control server, an attack can be launched by having these devices flood traffic at critical internet infrastructure, such as Domain Name System (DNS) servers. Since these servers translate hostnames into IP addresses, many websites become unreachable when the servers are successfully attacked, even though the websites themselves are untouched. For example, on October 21, 2016, Dyn, a DNS provider now owned by Oracle, was crippled by a massive DDoS attack which impacted several high-profile websites including GitHub, Twitter, Reddit, Netflix and Airbnb. The attack was attributed to the Mirai botnet, which had spread across insecure IoT devices.

The Mirai botnet was not the first IoT botnet used for DDoS attacks, but it gained widespread recognition because of the devastating and widely publicized impact that it had on the internet and several high-profile consumer internet services. Mirai's source code was published openly in late September 2016, shortly before the Dyn attack, and it has since been adapted and incorporated into other malicious software. For example:

  • Mirai runs only in memory, so a reboot removes it from an infected device (although the device is quickly reinfected unless the default username and password are changed promptly). In July 2017, however, a variant of Mirai was observed that remained on devices even after they were rebooted.
  • Mirai scans for devices listening on the standard Telnet port, TCP 23. Although some device manufacturers have moved Telnet to a different port number, those new port numbers are now being scanned by Mirai variants.
  • When initially launched, Mirai tried a list of approximately 60 factory-default username and password combinations. This list has been extended and updated in subsequent variants.
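The scanning behaviour described in the list above, one source probing many hosts on the Telnet port in a short time, is something an enterprise or ISP can pick out of ordinary connection logs. The following Go program is an added example written for this article, not code from the article's author or from Mirai. It assumes a constructed key=value flow-log format (`<RFC3339 time> src=… dst=… dport=…`) with RFC 5737 documentation addresses, and treats 2323 as an assumed alternative Telnet port alongside the standard port 23; the function names are the example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Flow is one connection attempt parsed from a log line.
type Flow struct {
	At    time.Time
	Src   string
	Dst   string
	DPort int
}

// telnetPorts are destination ports treated as Telnet. 23 is the standard
// port named in the article; 2323 is an assumed alternative for this example.
var telnetPorts = map[int]bool{23: true, 2323: true}

// parseFlow reads one line of the constructed log format used in sampleLog.
func parseFlow(line string) (Flow, error) {
	var ts string
	var f Flow
	if _, err := fmt.Sscanf(line, "%s src=%s dst=%s dport=%d", &ts, &f.Src, &f.Dst, &f.DPort); err != nil {
		return Flow{}, fmt.Errorf("malformed line %q: %v", line, err)
	}
	at, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return Flow{}, err
	}
	f.At = at
	return f, nil
}

// maxDistinctTargets is the largest number of distinct destinations one
// source reached within any window-long span of its time-sorted flows.
func maxDistinctTargets(flows []Flow, window time.Duration) int {
	sort.Slice(flows, func(i, j int) bool { return flows[i].At.Before(flows[j].At) })
	best := 0
	for i := range flows {
		seen := map[string]bool{}
		for j := i; j < len(flows) && flows[j].At.Sub(flows[i].At) <= window; j++ {
			seen[flows[j].Dst] = true
		}
		if len(seen) > best {
			best = len(seen)
		}
	}
	return best
}

// DetectTelnetScanners maps each source that reached at least minTargets
// distinct hosts on a Telnet port within one window to that target count.
func DetectTelnetScanners(logText string, window time.Duration, minTargets int) (map[string]int, error) {
	bySrc := map[string][]Flow{}
	for _, line := range strings.Split(logText, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		f, err := parseFlow(line)
		if err != nil {
			return nil, err
		}
		if telnetPorts[f.DPort] {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	found := map[string]int{}
	for src, flows := range bySrc {
		if n := maxDistinctTargets(flows, window); n >= minTargets {
			found[src] = n
		}
	}
	return found, nil
}

// sampleLog is constructed for this example using RFC 5737 documentation addresses.
const sampleLog = `2017-08-15T10:00:00Z src=192.0.2.10 dst=198.51.100.1 dport=23
2017-08-15T10:00:01Z src=192.0.2.10 dst=198.51.100.2 dport=23
2017-08-15T10:00:01Z src=192.0.2.10 dst=198.51.100.3 dport=2323
2017-08-15T10:00:02Z src=192.0.2.10 dst=198.51.100.4 dport=23
2017-08-15T10:00:03Z src=192.0.2.10 dst=198.51.100.5 dport=23
2017-08-15T10:00:05Z src=192.0.2.50 dst=198.51.100.7 dport=23
2017-08-15T10:00:15Z src=192.0.2.60 dst=198.51.100.30 dport=443
2017-08-15T10:01:00Z src=192.0.2.12 dst=198.51.100.40 dport=23
2017-08-15T10:03:00Z src=192.0.2.12 dst=198.51.100.41 dport=23
2017-08-15T10:05:00Z src=192.0.2.12 dst=198.51.100.42 dport=23
`

func main() {
	found, err := DetectTelnetScanners(sampleLog, time.Minute, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("suspected Telnet scanners (distinct targets within 1m):", found)
}
```

With a one-minute window and a threshold of five, only 192.0.2.10 is flagged: the administrator at 192.0.2.50 touches one host, the HTTPS client on port 443 is ignored, and 192.0.2.12 sweeps the same way but two minutes apart, which a short window misses. Widening the window to ten minutes and lowering the threshold to three catches that slow scanner too, which is the usual tuning trade-off between sensitivity and false positives. An infected device inside an enterprise network shows up here as a source, which is the insider case the article's advice on traffic monitoring is aimed at.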

Some variants of Mirai use different attack vectors to gain device access. One such vector exploits a security vulnerability identified in some implementations of the TR-064 and TR-069 protocols, which are commonly used for remote management of customer-premises equipment. The underlying problem is that a remote-access interface originally intended for use only on the LAN was reachable from the internet. Not all implementations of TR-064 and TR-069 are vulnerable to this attack vector; in some cases the malformed HTTP messages used in the attack merely caused TR-064-enabled devices to crash instead of granting malicious access.

Long arm of the law

Efforts have been made to hold IoT device manufacturers accountable for selling insecure products, making them targets of lawsuits and forcing product recalls. For example, in October 2016, China-based IoT device manufacturer Xiongmai issued a product recall after it was revealed that many of its devices had been used in DDoS attacks and that the products lacked basic security features such as effective password management. By the time the vulnerability was discovered and the recall initiated, several million devices are believed to have been compromised.

In January 2017, the United States Federal Trade Commission (FTC) took legal action against D-Link for allegedly not implementing adequate security in its wireless routers and internet cameras. It is conceivable that the FTC case could set a precedent for legal action against other device manufacturers in the future.

The EU has mooted a certification scheme to identify and label devices that it deems secure. However, we believe this approach may not be ideal as security vulnerabilities and attack vectors change continually. This makes it unlikely for a device that is secure at the time of manufacture to remain secure throughout its deployment lifecycle (which is often more than a decade). Furthermore, we believe that when devices are deemed secure by the EU’s scheme, they might become specific targets for hackers as they are now more trusted.

How to proceed?

ISPs can play a greater role in protecting the internet from infected devices as they have network traffic visibility and can associate their subscribers with IP addresses. But device quarantining is costly and complex for ISPs, difficult to manage given the volume and global distribution of attacks, and complicated by the difficulty of pinpointing an individual device when many devices share one public IPv4 address behind NAT. Quarantining would also create customer service challenges and potentially have a negative impact on an ISP’s brand and market reputation.

As security professionals, enterprises, service providers, and technology companies respond to IoT security threats, new tools are crafted and security taxonomies developed. Security professionals now focus attention on threats from IoT devices, and develop methods to rapidly identify and mitigate the impact of attacks when they occur.

Enterprises are encouraged to monitor network traffic, recognizing the potential for both external and insider attacks. They are also encouraged to introduce strict security policies for IoT devices, ensuring that these devices are patched with the latest software updates and kept on their own isolated network segments, separate from user and server networks.

Service providers are introducing technologies for monitoring application and network traffic to identify potential attacks. Emerging heuristics and machine-learning solutions are playing an increasing role in security, and are needed to address the porous and dynamic security environments increasingly becoming a hallmark of our connected world.

Phil Marshall is chief research officer at Tolaga Research

This article first appeared in Telecom Asia 5G Security Insights July/August 2017 Edition
