This piece is part 2 of our ongoing series on IoT security. Read part 1 here. Don't forget to download the eBook to understand the IoT security gap and how your business needs to address it, today.
The Day of the DDoS
October of 2016 began a bit differently than other months. The world had just seen the release of source code called Mirai, the same code responsible for the IoT botnet that had exerted a massive DDoS attack on KrebsOnSecurity in September. The code’s release, as described by Krebs, virtually guaranteed “that the Internet (would) soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
Less than a month after KrebsOnSecurity commented on the code leak, a distinct Mirai-powered zombie botnet was unleashed on Dyn, one of the largest DNS providers in the world, in three attacks. Internet access fell in many major cities, and the global plugged-in population caught a glimpse of the way IoT vulnerabilities can cause business disruptions and slow our personal online activities way, way down. If you wanted to reach major sites like Twitter, Amazon or Reddit, or to make a payment through PayPal? Too bad.
Here’s how an attack like this (generally) goes down: The malware scans the internet for vulnerable IoT systems. Vulnerabilities might include seemingly innocuous device traits, such as a factory default username. The devices are hijacked and become foot soldiers, reporting back to a command-and-control server. Then the traffic begins. In this case, the connected world ground to a relative halt.
As revealed in Dyn’s statements just days later, the “complex and sophisticated” attack used “maliciously targeted, masked TCP and UDP traffic” (of which the Mirai botnet was the primary source, though other botnet slaves also contributed) over port 53. Because “The attack generated compounding recursive DNS retry traffic,” the impact was massive.
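The recruitment phase described above (an infected device sweeping the internet for other devices to hijack) is visible from inside the victim's own network long before any DDoS traffic starts. The following is an added example, not code from the post or from Pwnie Express: it scans a constructed connection log for hosts fanning out to many distinct addresses on the telnet ports that the published Mirai source probes (23 and 2323, an assumption this example makes; the post itself does not name the ports).

```python
from collections import defaultdict

# Ports probed by the published Mirai scanner (assumption for this example).
SCAN_PORTS = {23, 2323}

def parse_line(line):
    """Parse a constructed 'timestamp src dst dport proto' flow record."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}

def find_scanners(lines, min_targets=8):
    """Return {src: distinct_targets} for hosts that contacted at least
    min_targets distinct addresses on a telnet port.  A camera or DVR has
    no reason to open telnet sessions to many different hosts; that fan-out
    is the signature of a bot recruiting others, not of normal use."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec["proto"] == "tcp" and rec["dport"] in SCAN_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed sample log: one compromised camera (192.168.1.50) probing twelve
# addresses in a documentation range, plus a workstation doing ordinary work
# and one legitimate admin telnet session to the camera.
SAMPLE_LOG = [
    f"1700000{i:03d} 192.168.1.50 203.0.113.{i} {23 if i % 2 else 2323} tcp"
    for i in range(12)
] + [
    "1700000100 192.168.1.10 198.51.100.7 443 tcp",
    "1700000101 192.168.1.10 198.51.100.8 443 tcp",
    "1700000102 192.168.1.10 192.168.1.50 23 tcp",
]

if __name__ == "__main__":
    for host, n in find_scanners(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct telnet targets, likely bot scanning")
```

On a real network the same logic runs over firewall or NetFlow exports; the threshold only has to separate a device talking to a handful of hosts from one sweeping address space.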
For the consumers affected by the outages, the effects were noticeable, but the long-term consequences minimal. For businesses affected, there was a choice to be made: keep your trust in Dyn with the expectation that the company will mitigate these types of attacks even more strictly in the future (it’s worth noting that much of the malicious traffic was mitigated) or leave Dyn behind and choose another company. Eight percent of Dyn customers chose the latter. Eight percent is a hefty share of customers to lose, though.
As for the total revenue lost on that fateful Friday, when big players such as Ticketmaster, Amazon and PayPal were unreachable? We can only imagine.
Fact: There are roughly 500,000 known Mirai botnets. Let’s talk about the one that almost brought down an entire nation.
Liberia on the Edge
After the Dyn fiasco, security researcher Kevin Beaumont began monitoring botnet attacks. As reported by TechRepublic and by Beaumont on Medium, he saw one botnet in particular going after larger targets with a high rate of success. It was botnet #14, the largest of the Mirai botnets, and it was controlled by a domain that pre-dated October 21, Beaumont reported.
Liberia’s internet infrastructure depends on a single cable, which makes it easy to exploit. Beaumont reported that websites hosted in the nation were coming down. The botnet sent Twitter messages, including one we might assume was directed at Beaumont specifically: kevin.lies.in.fear.
The Liberia attack might not have been big news for anyone outside the security community, but it makes our list because of its implications. As Beaumont wrote, “The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”
Dahua: Welcome to 2017
On March 5, 2017, major IoT device manufacturer Dahua learned about a software flaw when a researcher discovered he could bypass authentication on some devices, possibly allowing for display of usernames and hashed passwords, according to JP Buntix of themerkle.com. Hashing passwords is better than storing them in the clear, but a weak hashing scheme makes for simple cracking. Dahua issued immediate patches, but you should know about this attack because of Dahua’s size (it’s the second largest IoT hardware manufacturer) and again, because of the implications: if they can’t harden devices before release, who can?
CloudPets: Not a Botnet, Still a Problem
Though CloudPets was slow to respond to a ransom threat and did not immediately alert users, that doesn’t mean the hack doesn’t matter. As Selina Larson wrote for CNN Tech, “According to a report compiled by security researcher Troy Hunt, over 820,000 user accounts were exposed. That includes 2.2 million voice recordings.”
CloudPets allows parents to upload and download audio messages for their children by connecting over Bluetooth. That information was all stored in the cloud, and when hackers got a hold of it, they demanded a ransom. CloudPets apparently restored the data from a backup, according to CNN.
“These are potentially intimate conversations. That data wasn't handled as if the company recognized how precious that is. When we look at it through that lens, the protection of that transaction was woefully lacking,” says Yolanda Smith, director of product management at Pwnie Express. And therein lies the problem: despite the incredibly private nature of the data, no one really seemed to care.
Miele: Washer/Sanitizer Gets Dirty
In November 2016, a German researcher discovered a vulnerability in the Miele Professional PG 8528 appliance, a washing and sanitizing device for medical instruments, such as those used in surgery and laboratory work. When the researcher, Jens Regel, informed the company, he didn't receive a response for three months. The Web Server Directory Traversal vulnerability allows remote attackers to access directories other than the ones the embedded web server is meant to serve, giving them the ability to steal data and to plant and launch malicious code.
With no patch released, the bug persisted, leaving hospital systems vulnerable. Not only is health-related data highly sensitive and subject to strict compliance mandates, but an attack executed via malware injected into a device such as this could render a hospital unable to operate, potentially affecting revenue, reputation and, quite literally, lives.
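The root cause of a directory traversal bug like the one described above is a web server that joins the requested path onto its document root without checking that the result stays inside it. As an added example (not code from the post, from Miele, or from the researcher's advisory), here is that vulnerable resolution beside a hardened one that an embedded web server should use; the document root `/srv/appliance/www` and the sample requests are constructed for the example.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/appliance/www"   # hypothetical document root

def naive_resolve(root, request_path):
    """Vulnerable form: joins the request onto the root and never checks
    that the result is still under it, so '../' walks out of the root."""
    return os.path.normpath(os.path.join(root, request_path.lstrip("/")))

def safe_resolve(root, request_path):
    """Hardened form: decode, normalise, then verify containment.
    Returns the resolved absolute path, or None when the request would
    escape the document root.  Uses normpath (pure string handling) so it
    runs offline; on a live filesystem also resolve symlinks with realpath."""
    decoded = unquote(unquote(request_path))   # catch double-encoded %252e%252e
    decoded = decoded.replace("\\", "/")        # treat backslashes as separators
    if "\x00" in decoded:                       # NUL bytes truncate C path handling
        return None
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + os.sep):
        return None
    return candidate

# Constructed requests: two legitimate, four traversal attempts in different encodings.
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/../index.html",
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "\\..\\..\\..\\etc\\passwd",
]

def classify(requests, root=WEB_ROOT):
    """Map each request to the path the hardened resolver would serve (or None)."""
    return {req: safe_resolve(root, req) for req in requests}

if __name__ == "__main__":
    for req, path in classify(SAMPLE_REQUESTS).items():
        print(f"{req!r:48} -> {'BLOCKED' if path is None else path}")
```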
One scary truth about botnet attacks, specifically: the people responsible for the security of the devices commandeered into a botnet don't feel the pain of the attacks, except as service users themselves. The device owners and manufacturers have no personal incentive to take responsibility, which may well perpetuate such attacks in the future. And that reality came to light in our 2017 Internet of Evil Things survey, which revealed that while 84 percent of respondents said Mirai changed their perceptions of IoT device threats, 66 percent of respondents still said they either haven’t checked or don’t know how to check their devices for Mirai.
Rick Farina, director of research and development at Pwnie Express, confirms that lack of consequence is a continued concern.
“The problem is, people don’t see enough of an effect when their devices are taken over, because the attacker’s goal is just to use a bunch of devices to form the attack. But what if there were a different narrative? A botnet, at its core, is a group of devices that the botmaster(s) have control over. They choose what they want to do with it. What if, instead of burning up a bunch of your upload bandwidth, the attackers did a local area network attack and not a DDoS attack? What if they wanted to sabotage a critical business system or render a business function unavailable?
“They can use their position on the victim’s network. They could get access to something fun (for them), like all of your servers. For example, there has to be a server monitoring that HVAC unit that’s part of the botnet. With access to that HVAC unit, suddenly, the attacker is on your server,” Farina explains. “Denial of Service is annoying, but for most people, it’s not that big of a deal. If you think about what the botnet factor represents, though, it’s a computer on your network that someone else has control over.”
And that can have all sorts of terrifying effects. “What if there is a 65,000 device botnet that’s passively stealing personal data? Maybe it’s actually even more prevalent than that, and we just don’t see it,” says Farina. “Maybe we only notice the big stuff when it’s all uniform and targeted in one place. With some of the ‘largest’ botnets discovered, we have no idea if they were actually some of the smallest botnets currently active or not.” If the security community doesn't even know about the botnet as a whole, your business certainly won't be on the lookout for it — unless you're on the lookout for everything, all the time.
Discover more about how the gaping holes in IoT security can be filled by reading our eBook, The IoT Security Gap: What to Know, What to Do.