We all remember gazing in wonder at the armies of elite imperial storm troopers as they collectively marched into battle to subdue the rebel forces in those early Star Wars movies. Many of us recall the machines spotlighted in the Terminator series which led the battle against the humans. Science fiction is good at conjuring up creative visions of the technical forces we may combat in the future, but even the most creative science fiction writer couldn’t have come up with the idea of an army of cameras attacking our Internet infrastructure; yet that is what happened.
On October 21st, 2016 an army of some 50,000 cameras was used in an effective attack on Dyn, a major Internet infrastructure company headquartered in New Hampshire. The attack cut off access to some of the largest and most prominent web-based organizations in the world, such as Amazon, Twitter, Netflix and Spotify.
Two days later, Hangzhou Xiongmai Technology, a manufacturer and distributor of DVRs and internet-connected cameras, admitted that vulnerabilities in their devices were partly to blame. These vulnerabilities included a well-known default username and password and the fact that the cameras shipped with telnet enabled. Although a firmware update last year removed the remote access exposure, cameras that weren’t updated remained vulnerable. The devices were infected with a malware called Mirai, which specifically targets IoT devices for DDoS purposes. About 50,000 of them initiated the attack, and it is estimated that there are 500,000 IoT devices infected with this strain of malware throughout the globe. Although the army of IoT devices was the source of the initial attack, by day’s end tens of millions of bots were involved in the attacks that unfolded throughout the day.
Using Internet-connected cameras for attacks is nothing new. Octave Klaba, founder of the French cloud computing company OVH, said that one of the publicized attacks against their network was made up of 145,607 cameras and DVRs. All of their servers were flooded with HTTP requests, reaching 100 GBps of traffic directed at some of their servers and a total load of 1 TBps.
IoT vulnerability isn’t limited to cameras, however. Even toys can be exploited and manipulated for nefarious purposes. Last year a Hong Kong toy manufacturer reported a breach in which the information of nearly 5 million adults and 200,000 children was stolen and compromised. A report compiled last month by Akamai Technologies outlines how nearly two million IoT devices were compromised over the course of several months and are now controlled by cyber criminals, who use them as proxies to route malicious traffic.
Even more troubling is the fact that once compromised, these collections of IoT devices are sold on the dark web, which lets even novice hackers launch basic attacks. One particular seller claims to be able to generate 1 terabit per second of traffic, in similar fashion to the attack on OVH. For $4,600, anyone can currently purchase 50,000 bots (compromised devices around the world, controlled as described above), while 100,000 will cost you a cool $7,500. Indeed, it is one-stop shopping today for those aspiring to launch DDoS attacks.
Because IoT devices have been around for a relatively short time, vendors are playing catch-up in order to secure them. This challenge is compounded by the proliferation of their use and the constant introduction of new products. Fortunately, there are some basic steps you can take to secure most IoT devices.
- Change the default username and password for all of your IoT devices. Many devices don’t even ship with a password set. Default login credentials for just about any IoT device are common knowledge today.
- Update your firmware. While updates for operating systems such as Windows 10 are force-fed automatically, we still have to update the firmware on our collection of devices manually. The attack involving the large contingent of cameras could have been prevented had the cameras been updated with the available firmware.
- Disable remote administrative access. IoT devices often use Universal Plug and Play (UPnP), which automatically opens ports on the router for the device and thus exposes it to the Internet. Once IoT devices are initially set up, they rarely have to be configured again. Unless absolutely necessary, disable UPnP or whatever remote control feature the device uses.
- Regularly power-cycle your devices. The malware used on IoT devices in these attacks resides in volatile memory. Simply power-cycling the device on a regular basis will wipe the current malware strain from the device. Note that a rebooted device that still has default credentials and open remote access can be reinfected quickly, so this step only helps in combination with the steps above.
- When applicable, apply outbound as well as inbound firewall rules for your IoT devices, so a compromised device cannot freely send attack traffic out of your network.
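The following Python script is an added example, not code from the original article. It turns the five steps above into an automated checklist: it audits a constructed device inventory for default credentials, outdated firmware, telnet and UPnP exposure, and overdue power-cycling, and it emits outbound nftables rules that restrict each device to an allowlist of destinations. The default-credential list, the 30-day reboot threshold, the chain name and the device records are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed for this example: factory defaults of the kind the article
# calls "common knowledge". Real lists are vendor-specific.
KNOWN_DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", ""), ("root", "root"),
    ("admin", "12345"), ("user", "user"),
}
MAX_UPTIME_DAYS = 30  # assumption: reboot at least monthly to flush memory-resident malware


@dataclass
class Device:
    name: str
    ip: str
    username: str
    password: str
    firmware: str            # installed version, e.g. "1.0.0"
    latest_firmware: str     # vendor's current release
    telnet_enabled: bool
    upnp_enabled: bool
    uptime_days: int
    # destinations (host or CIDR) the device legitimately needs to reach
    outbound_allowlist: List[str] = field(default_factory=list)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3); trailing zeros are dropped so '1.2' == '1.2.0'."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit_device(d: Device) -> List[str]:
    """Return one finding per hardening step the device fails."""
    findings = []
    if not d.password or (d.username, d.password) in KNOWN_DEFAULT_CREDS:
        findings.append("default or empty admin credentials")
    if parse_version(d.firmware) < parse_version(d.latest_firmware):
        findings.append(f"firmware {d.firmware} behind vendor release {d.latest_firmware}")
    if d.telnet_enabled:
        findings.append("telnet remote access enabled")
    if d.upnp_enabled:
        findings.append("UPnP enabled (device can open its own ports)")
    if d.uptime_days > MAX_UPTIME_DAYS:
        findings.append(f"not power-cycled for {d.uptime_days} days")
    if not d.outbound_allowlist:
        findings.append("no outbound firewall allowlist")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    return {d.name: audit_device(d) for d in devices}


def nft_outbound_rules(d: Device, chain: str = "inet filter forward") -> List[str]:
    """nftables commands that let the device reach only its allowlist and drop
    everything else it originates (chain name is an assumption for the example)."""
    rules = [f"nft add rule {chain} ip saddr {d.ip} ip daddr {dst} accept"
             for dst in d.outbound_allowlist]
    rules.append(f"nft add rule {chain} ip saddr {d.ip} drop")
    return rules


# Constructed inventory using RFC 5737 documentation addresses.
INVENTORY = [
    Device("cam-front-door", "192.0.2.10", "admin", "admin", "1.0.0", "1.2.0",
           telnet_enabled=True, upnp_enabled=True, uptime_days=90),
    Device("dvr-garage", "192.0.2.11", "ops", "Lx9!vq2#Tm7e", "2.4.1", "2.4.1",
           telnet_enabled=False, upnp_enabled=False, uptime_days=12,
           outbound_allowlist=["203.0.113.5", "198.51.100.0/24"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
    for line in nft_outbound_rules(INVENTORY[1]):
        print(line)
```

Run against the constructed inventory, the unhardened camera fails all six checks while the DVR passes; the emitted rules end with an unconditional drop for the device's source address so that any traffic outside the allowlist, including flood traffic from a compromised device, never leaves the network.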
The fact is that your LAN is only as secure as its weakest link, and cyber criminals have learned that IoT devices are soft targets. Hardening these devices is as important as hardening the rest of your endpoints.