The Internet of Things
What is the IoT?
As the cost of connecting to the Internet has gone down, more and more everyday devices are being made to connect online. These devices, from your Fitbit and WiFi enabled camera to your car and household appliances, make up the network of interconnected devices we call the Internet of Things. The number of “things” on the Internet is growing rapidly. Today, there are around 4.9 billion devices on the Internet, and some experts project that number will rise to 24 billion devices by 2020.
Not only can you be sure that there are designs in the works to connect most of your electrical devices to the Internet, but everything from the clothes you wear to the roads you drive on may soon also be equipped with sensors, Internet access, and other capabilities. Consumers, governments, and businesses are all taking part in the Internet of Things, introducing massive security vulnerabilities for cybercriminals to exploit.
IoT security flaws
When mass-producing cheap, connected devices, security isn’t always a priority for manufacturers. Over the past two years alone, participants at the hacking convention DEFCON have found 113 critical IoT security flaws, including ways to gain access to a smart door lock using the victim’s phone, ways to damage solar arrays, and ways to take control of smart wheelchairs.
Here are some common IoT flaws:
- Many IoT devices are manufactured with insecure default settings that are nearly impossible to change. Some devices may have hardcoded usernames and passwords, firmware that is impossible to update for a variety of reasons, or no system in place for disseminating security patches to customers.
- More and more data about users’ habits, locations, and activities are being entrusted to the manufacturers of IoT devices, and it can be put to unexpected uses. Without strong security and regulation in place, this information could be used by advertisers, criminals, or governments in ways that customers did not intend.
- Small processors in IoT devices often cannot support the most robust forms of encryption and other security best practices. A study by HP’s Fortify found that 7/10 of the IoT devices they tested don’t encrypt communication to local networks and the Internet, 7/10 allowed account enumeration, 6/10 were vulnerable to cross site scripting, and 8/10 didn’t require passwords of sufficient length or complexity.
The Mirai botnet attack
Some of these security flaws mean that IoT devices can be commandeered by malware and organized into a “botnet” that is used to bombard a target with traffic until it collapses under the load. This type of attack is called a distributed denial of service or DDoS attack. DDoS attacks are difficult to protect against since targets often can’t differentiate between legitimate and botnet traffic. They are effective because while building a botnet is cheap for attackers, targets usually don’t have the know-how or resources to resist a DDoS attack underway.
On October 21, 2016, the largest DDoS attack in history was levied against Dyn, a company that manages large portions of the Internet’s domain name system (DNS) infrastructure. DNS is the system by which URLs (which people can read) are resolved into IP addresses (which computers can read), making it essential to accessing websites. By taking down Dyn, this cyberattack was successful in bringing down sites like Netflix, Reddit, Twitter, Spotify, Soundcloud, and many others that depend on DYN’s services. The October 21 DDoS attack was accomplished mainly with a malware family called Mirai that searches the Internet for IoT devices that still use default usernames and passwords like “admin” and “password”, hijacks them, and incorporates them into a vast botnet that is then used to overwhelm its targets with traffic.
DDoS attacks are nothing new to cybersecurity, but they usually utilize botnets of PCs; this attack instead relied mostly on DVRs and IP cameras, which let it become much larger than other botnets (source). According to a blog post posted by Dyn, the attack involved 10’s of millions of IP addresses and was able to direct a record breaking 1.2Tb per second of data at its target. After 2 hours, Dyn was able to mitigate the attack, then mitigate again one hour after a second attack wave.
Soon after, an unidentified user using the moniker “Anna-senpai” released the source code used in the Dyn attack on Hackforums, most likely to ensure that they won’t be the only one found in possession of the code if law enforcement targets them. Of course, this also means that less skilled hackers now have access to the botnet. Recently, security journalist Brian Krebs wrote an extensive blog post tracing the identity and online presence of Anna-Senpai, which we highly recommend to anyone interested in the story. For even more information, you can look for his other stories covering the internet of things and the market that has evolved around it.
Could your device be infected?
Normally, many of the devices utilized in the Mirai botnet are behind routers and cannot be accessed directly from the Internet; in this case, Mirai got to these devices through ports opened automatically by Universal Plug and Play (UPnP), networking protocols that allow devices to discover each other's presence. If you suspect UPnP has opened a port on your device, Krebs recommends that users run Steve Gibson’s UPnP exposure test, UnPnP. If you have devices that still use a default password, rebooting them and resetting them to factory settings will wipe botnet malware off your device. Make sure you know how to change your default password from your administration panel immediately after you wipe your device, for it can be discovered and reinfected within minutes.
Unfortunately, even if you change your password using the web interface, botnets may still be able to access your device using other methods like telnet (a network protocol that allows users to remotely login to computers on the same network) and SSH (another protocol that allows users to connect remotely, intended for secure communication over insecure networks) interfaces. Many manufacturers hardcode devices with a default name and password that are not changed when you change your password using the web interface. Since these credentials cannot be feasibly changed without rebuilding the device’s hardware, manufacturers will have to be the ones to take responsibility of their devices’ security in the future.
Recent IoT based attacks have drawn attention to the security issues associated with the production of cheap and insecure devices. Consumers typically are driven by low costs rather than security standards, especially when the repercussions of insecure IoT devices don’t directly affect customers, as in the Dyn DDoS attack. Manufacturers are also reluctant to make changes that make their products less convenient for users. Government regulation of IoT devices is one solution that has been proposed to overcome the unique challenges of IoT security, including a regulation agency that enforces basic security, allowing companies like Dyn to sue IoT companies that are involved with large scale DDoS attacks. Large-scale DDoS attacks have also drawn the attention of Internet service providers, as insecure devices that are part of botnet hog bandwidth and slow performance. ISPs have started to crack down on the devices making up botnets. Ultimately, a solution to IoT security woes will require participation from all of these forces.