Using Distributed Denial of Service (DDoS) attacks to slow or actually halt the operations of enterprises whose livelihood depends on providing network availability and user access to customers or subscribers is a great way for cyber-criminals or saboteurs to exert leverage for financial gain, create a cover for other nefarious activities, or simply promote confusion.
Though traditional ways of assembling the botnets necessary for assaults (compromising systems with malware by various ruses, etc.) remain open to the perpetrators, recent events have proved that there’s a new and even more effective method: exploiting the inherent weaknesses of the burgeoning technologies that populate the growing Internet of Things, or IoT.
DDoS Attacks – A Profitable Investment
The ransomware epidemic that’s currently gathering speed is proof enough that businesses and individuals faced with the reality of a lock-out from their critical systems are willing to pay considerable sums to their extortionists, to get things back on track. DDoS orchestrators are learning and profiting from this attitude.
With losses to an enterprise capable of reaching levels in excess of $40,000 per hour under a DDoS assault, the option to pay as much or even more than this to restore network operations makes a certain kind of fiscal sense. And with “botnet for hire” services readily available to perpetrators for as little as $5 an hour on the black market, it’s good business for the cyber-criminals, too.
It’s a growing economy, and the so-called “booter services” that sell DDoS attacks to order now have enhanced hardware at their disposal.
Built For Botnets
Devices and monitors on the IoT may be “smart”, but the very fact that they’re often tiny and/or embedded in objects that operate without human supervision means that their construction and configuration are often not as complex as they should be to ensure security.
Operating systems and firmware may be open-source, of generic manufacture, and easily compromised. Device passwords may be hard-coded – and the same default password may be shared across a range of hardware from the same supplier, and used in a diversity of applications. Authentication mechanisms are generally weak.
Gaining physical access to the chipsets used in a device is a comparatively simple affair, and data often flows unencrypted between a sensor and the servers of its control system. Remote administration typically occurs over channels that are readily susceptible to malware.
So compromising and gaining control of any number of Net-connected devices can be a relatively straightforward matter for an attacker – and with potentially vast arrays of bots made available in this way, the bandwidths available for a network assault can reach staggering proportions.
A Worrying Trend
The assault has already begun. Early last year, the Lizard Squad DDoS group published the source code for the LizardStresser botnet, which co-opted IoT devices to stage massive attacks targeting three large gaming companies in the US, and telecommunications networks, banks, and government agencies in Brazil. LizardStresser does away with the need for DDoS amplification techniques, and with the kit now available publicly, 2016 has seen an increase in IoT-related LizardStresser activities.
In September, French hosting company OVH became the target of a DDoS attack which used IoT devices as the attack vector. The assault occurred in two simultaneous waves and achieved a combined bandwidth of almost 1 terabit (1Tb) per second. One of the attack waves – the largest ever recorded – peaked at 799Gbps. The attack targeted Minecraft servers hosted on the OVH network, and reportedly originated from a botnet of 145,607 hacked IP cameras and digital video recorders.
It’s estimated that this botnet could launch DDoS assaults exceeding 1.5Tbps, by generating traffic of between 1Mbps and 30Mbps from each separate IP address – so we may not have seen the worst of the damage that’s possible.
Just last week (Friday, October 21st 2016), a services firm (Dyn) which manages a sizable portion of essential internet architecture became the target of a two-phase DDoS attack targeting its Managed DNS infrastructure in the US-East region. It’s believed that the attack was perpetrated using a botnet composed of web cams, digital video recorders (DVRs) and smart fridges which may have been compromised by the Mirai botnet kit – the source code of which was released publicly by its author “Anna Senpai” in September of this year.
It’s yet to be confirmed whether the attack was a direct assault on the company itself (perhaps as a political statement, publicity stunt or extortion attempt), or an effort to carry through its effects to some of their high-profile clients (which include the likes of Twitter, Github, and Spotify). Whatever the case, with botnet kits like Mirai now freely available, it’s unlikely we’ve seen the last of this kind of incident.
A 4-Stage Process
Distributed Denial of Service attacks using IoT devices typically occur in four stages:
- Capture: Vulnerable IoT devices are identified and hijacked.
- Subversion: Devices are reprogrammed or reconfigured to perform malicious acts.
- Activation: The subversive programming is triggered, and synchronized across the botnet as required.
- Attack: Targeted networks are subjected to assault.
It’s from the anatomy of these assaults that security strategies for prevention may be drawn.
Encryption For Chip-level Security
The standard JTAG interface used for debugging and testing inter-connected chips and printed circuit boards (PCBs) on IoT devices is also used by hackers as a diagnostic tool, to determine in advance how a chip responds to various commands. So it’s essential that this interface be encrypted, to deny them access.
Securing Operating Systems And Utilities
Resources on IoT devices are limited, so their operating systems tend to be simplified to allow for this. Already compromised or vulnerable open-source code and utilities may be used – usually without the knowledge of the device vendor and its ultimate user.
Security-enhanced operating systems and development tools should be incorporated into the device manufacturing process. This will also aid in the streamlining and standardization of security updates.
Hardening Authentication And Password Controls
Hard-coded passwords are typically included on IoT devices – a practice that makes for quicker manufacture and easier installation. But users often neglect to change these default passwords, which are easily deduced by hackers.
Authentication protocols for IoT devices need to be strengthened, and user advisories issued requiring that default passwords be replaced with new ones that follow strong password best practices. Public key encryption and authentication, which are more robust, should also be offered as an option.
Securing Remote Administration
The Secure Shell (SSH) utility is routinely used to remotely configure and manage IoT devices – often in conjunction with the Telnet application layer protocol for network file and data transfers. Both are soft targets for hackers using tools like PuTTY to introduce malware into IoT device systems.
To guard against infiltration, security administrators should monitor IoT devices for incoming probes, and connect them to a router that inspects SSH commands before they can gain access to a device.
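One form the monitoring step above can take, as an added example that is not from the original article: a small Go filter that reads constructed router log lines and flags sources that repeatedly fail logins on the SSH and Telnet ports. The key=value log format, the sample addresses and the port list are assumptions.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample lines (not from the page or any real device); key=value is an assumed router/IDS format.
const sampleLog = `ts=2016-10-21T12:00:01Z src=203.0.113.5 dport=23 event=login_failed user=root
ts=2016-10-21T12:00:02Z src=203.0.113.5 dport=23 event=login_failed user=admin
ts=2016-10-21T12:00:02Z src=198.51.100.7 dport=22 event=login_ok user=ops
ts=2016-10-21T12:00:03Z src=203.0.113.5 dport=2323 event=login_failed user=support
ts=2016-10-21T12:00:04Z src=203.0.113.5 dport=22 event=login_failed user=root
ts=2016-10-21T12:00:05Z src=198.51.100.7 dport=22 event=login_failed user=ops
ts=2016-10-21T12:00:06Z src=192.0.2.9 dport=80 event=http_get path=/`

// Remote-administration ports: SSH (22), Telnet (23) and 2323, a common alternate Telnet port.
var remotePorts = map[int]bool{22: true, 23: true, 2323: true}

// parseKV turns "k=v k=v ..." into a map; tokens without '=' are ignored.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			kv[k] = v
		}
	}
	return kv
}

// FindProbes counts failed logins per source on remote-administration ports
// and returns only the sources that reached threshold, with their counts.
func FindProbes(logText string, threshold int) map[string]int {
	fails := map[string]int{}
	for _, line := range strings.Split(logText, "\n") {
		kv := parseKV(line)
		port, err := strconv.Atoi(kv["dport"])
		if err != nil || !remotePorts[port] || kv["event"] != "login_failed" {
			continue // skip successes, non-admin ports (e.g. HTTP) and malformed lines
		}
		fails[kv["src"]]++
	}
	flagged := map[string]int{}
	for src, n := range fails {
		if n >= threshold {
			flagged[src] = n
		}
	}
	return flagged
}
```

On the sample above, `FindProbes(sampleLog, 3)` flags only 203.0.113.5 (four failures across three admin ports); the single failure from 198.51.100.7 stays below the threshold.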
Securing Remote Updates
The lack of a user interface on many IoT devices, physical inaccessibility, and a lack of understanding by users combine to make the issuing of security patches and updates a haphazard affair. Therefore, it’s important for manufacturers to ensure that devices are security hardened when they ship, and that they’re configured to receive security updates exclusively from secure control servers whose IP addresses can be securely authenticated.
Protecting Control Servers
The IP addresses of IoT device control servers should be locked, with strong restrictions governing how those IP addresses may be changed. Firmware updates for IoT devices should be encrypted, as well as being authenticated against a certified control server.
Using Threat Intelligence
Finally, with IoT devices and their associated technologies still in a state of evolution, it’s important to keep abreast of current developments in the industry and its associated threat landscape.
Umbrella bodies like OWASP and the IoT Security Foundation are a good starting point for news, best practices and threat intelligence, while reputable security firms and third-party consultants may contribute to the knowledge base and due diligence.