by Thomas Jefferies
The pace of technology advancement has been staggering over the last 10-15 years. Advancements in circuit production and design have allowed for more and more devices to be given the capability to access the internet than we ever expected, using smaller and smaller chips and less and less power. Things like coffee pots, thermostats, network cameras and DVRs, televisions, watches, shoes, clothing, and even cars have been updated and expanded to allow visibility and control over the internet. These small devices and devices of this type are more prevalent than most would think, as well. As of 2016, there were approximately 6.4 billion internet connected appliances in use across the world.
Security of IoT Devices
Problematically, the vendors for most internet enabled devices do not focus deeply on the security of their devices. Additionally, these devices are historically extremely simple to configure and use, and most customers do not take the time to ensure that the devices are installed and configured in a secure way. Based on recent attack metrics, over 60% of known, publicly accessible IoT devices still have default or standard passwords that protect access to them. Additionally, the lack of security focus by the vendor leads to backdoor access and remote control access even in cases where users have changed the password. Due to this and issues of this type, September 2016 twice saw record breaking internet attacks that made use of insecure or poorly secured IoT devices to create the largest distributed Denial of Service attacks that had ever been recorded.
Botnet Attacks Exploit IoT Security
In September 2016, a botnet by the name of Mirai was responsible for two separate DDoS attacks in a 2 week period, shattering previous traffic records for DDoS attacks. The first occurred on September 20th, when a security researcher and journalist named Brian Krebs was targeted in response to an article posted that discussed DDoS for hire services on the darknet and how to address the threat. The attack against his blog used more than 380,000 enslaved IoT devices, generating 620Gbps of traffic at its peak. At the time that it occurred, this was the single largest DDoS attack ever witnessed. The amount of traffic was so high that Akamai, one of the largest CDNs in the country, was forced to release Brian Krebs as a client in order to ensure their other customers were not impacted by the staggering amount of bandwidth being pumped towards Brian Krebs’s site.
No more than one week later, a separate attack with the Mirai botnet on a French website host more than doubled the traffic seen on the Brian Krebs attack. Website host OVH saw traffic between 1.1Tbps and 1.5Tbps sustained for extended periods of time.
Even more troublingly, one of the largest DNS providers, Dyn, was just recently hit with three separate DDoS attacks attributed to the Mirai botnet. These DDoS attacks caused impact to many users as it prevented them from completing DNS lookups, causing page loads to fail for large, well known web content providers such as Spotify, Netflix, Twitter, Reddit, and more. Future attacks using this botnet on a greater scale may legitimately impact internet traffic on a global scale due to the sheer volume of traffic being generated.
What Can Users Do to Improve IoT Security?
This deeply underlines the necessity for users to be cautious and calculated when introducing internet enabled devices to their houses. The Mirai botnet works by attempting default usernames and passwords as well as privilege exploits against internet enabled devices. Due to this, it’s not difficult to protect yourself and your network from these threats. Here’s a quick list of things you can do to help close this gap and keep yourself protected:
- Always check with the vendor for updated firmware for your device before connecting it to the internet. Security vulnerabilities have been found in many of the IoT devices, and thankfully most vendors have released updates to address them.
- Always change the default password for any IoT devices you purchase, immediately. When possible, change the username as well.
- Do not provide DMZ access or direct internet access to IoT devices unless absolutely necessary. Instead, use private VPN or SSH tunneling for access to these devices.
- Never connect an IoT device to a private, non-personal network unless you have explicit authorization to do so. This includes corporate networks.
- Recognize that purchasing an IoT device and utilizing the internet connectivity opens up the potential for security vulnerabilities, just as any laptop or desktop can be vulnerable based on its software complement. Treat the devices as though they are members of your network in the same way that laptops or desktops are, and do not allow their use if it violates company security policy or posture.
- Recognize that like other hardware and software, these devices should be reviewed on a regular basis for firmware updates, security vulnerabilities, and patched accordingly.
These simple steps would go a long way to reducing the number of vulnerable IoT devices on the public internet. As the amount of these devices will go up at an exponential rate, it is important that the security of these devices not be overlooked. With two record breaking attacks in rapid succession in September 2016, more and more threat actors are going to be leveraging these devices in their attacks. With a few steps, you can make sure that any IoT devices you own or that are in your organization do not participate in these attacks, and additionally, do not introduce any new security vulnerabilities into your environment.