If you’ve been on the wrong end of what passes for a modern-day DDoS attack, you’re well familiar with the firepower of the almighty DVR. That’s right, the innocuous set-top box responsible for the posterity of your Game of Thrones seasons 1-6 is behind some of the biggest swarming attacks against networks worldwide.
And DVRs are not alone; they’ve been joined by IP-enabled cameras, cable boxes, surveillance cameras, home routers, and anything else running a small, embedded computer connected to the Internet. This is the new normal with regard to DDoS attacks. Attackers have figured out how to corral the lightweight processing power of these devices and make them a collective force to be reckoned with.
And experts suggest you buckle in for a long bumpy ride because the IoT botnet isn’t going anywhere any time soon.
“Many of these embedded devices are being shipped insecure by default and in many cases in-securable,” said Roland Dobbins, a principal engineer at Arbor Networks. “They don’t get software updates, or even if they do, many people don’t update them.”
Security journalist Brian Krebs’ Krebs on Security website may have recently suffered what is thought to be the loudest of all DDoS attacks, peaking at more than 620 Gbps of sustained traffic aimed at his site. But he’s obviously not alone. Neustar, a prominent network service provider, said the number of companies putting IoT devices online is staggering and they’re much more likely to have those devices targeted and compromised. In the meantime, the company’s latest DDoS report says that 27 percent of companies that shared data with Neustar suffered DDoS attacks of 10 Gbps or higher with 68 individual attacks of 50 Gbps or more and 18 of 100 Gbps or more reported.
Worse, the attackers’ motivations aren’t always to impact availability of services, but to distract the IT team into putting out one fire over there while the real crime is happening over here. Hampering response to other attacks seems to be a solid tactic for criminals; Neustar said that customers reported finding malware, lost customer data or intellectual property and financial theft in the aftermath of a DDoS attack.
IoT Devices Lack Protection
The consensus is that IoT devices are sitting ducks, and it’s an inevitability that they will be used as bots. Most are a Shodan search away; very few have the form factor and engineering to support additional security such as encryption, and many lack an update mechanism to automatically pull and install patches. Compounding the issue, devices ship with default or weak credentials that are easily sniffed out by automated scripts.
“What we’re seeing from our customers is that 70 percent of devices are unseen and unmanaged by IT,” said Pedro Abreu, chief strategy officer at ForeScout. “A lot of these are simple attacks against IP-facing IoT devices where an attacker is looking for basic passwords or vulnerabilities and companies are not aware their devices have been used in an attack.”
The SANS Institute, meanwhile, published the results of a quick experiment researcher Johannes Ullrich conducted to see what would happen once a DVR is connected to the Internet via a cable modem. Ullrich said he captured all the ingress and egress packets to ensure his DVR wasn’t being used to attack other computers.
“The sad part is that I didn’t have to wait long. The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding. I had to reboot it every few minutes,” Ullrich said. “Not all attacks were successful. The attacks used various passwords, and my honeypot only allowed logins for one of them. But a couple times an hour, someone used the correct password.”
Mirai Makes It Worse
The attack against Krebs on Security put a very public face on the issue of IoT botnets. The release of the source code for the Mirai malware that triggered the attack made it even more ominous, especially when you pair it with Bashlite, which reportedly has compromised three times the number of devices Mirai has. Mirai becomes especially dangerous, not only because of its public availability, but because of its constant scanning for connected IoT devices, testing default and weak credentials (experts found nearly 70 combinations built into the public source code).
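Both behaviours described above, the every-minute telnet hammering Ullrich saw on his DVR and Mirai-style logins with default credentials, show up in a device's or honeypot's authentication log. The following is an added example, not code from the article, SANS or any vendor: a small Python checker over constructed telnet-login log lines (the line format and the short default-credential list are assumptions) that flags sources exceeding an attempts-per-minute threshold and any successful login that used a known default pair.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. Assumed format (not any real tool's output):
#   "<ISO timestamp> <source ip> <OK|FAIL> <user>/<password>"
SAMPLE_LOG = """\
2016-10-03T10:00:05 198.51.100.7 FAIL root/xyz123
2016-10-03T10:00:31 198.51.100.7 FAIL admin/password
2016-10-03T10:00:58 198.51.100.7 FAIL root/letmein
2016-10-03T10:01:12 198.51.100.7 OK admin/admin
2016-10-03T10:01:40 203.0.113.9 FAIL root/toor
2016-10-03T10:07:02 192.0.2.55 OK alice/S3cure-Passphrase!
"""

# Constructed, deliberately short list of factory-default credential pairs
# that a defender would never want to see succeed on a production device.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) ([^/]+)/(.*)$")


def parse(log):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, result, user, pw = m.groups()
            events.append({"ts": ts, "ip": ip, "ok": result == "OK", "user": user, "pw": pw})
    return events


def analyze(log, rate_threshold=3):
    """Return {source_ip: sorted alert names}.

    brute_force        : >= rate_threshold attempts from one source within one minute
    default_cred_login : a successful login whose user/password pair is a known default
    """
    events = parse(log)
    # ts[:16] is "YYYY-MM-DDTHH:MM", so this buckets attempts per source per minute.
    per_minute = Counter((e["ip"], e["ts"][:16]) for e in events)
    alerts = defaultdict(set)
    for (ip, _minute), n in per_minute.items():
        if n >= rate_threshold:
            alerts[ip].add("brute_force")
    for e in events:
        if e["ok"] and (e["user"], e["pw"]) in DEFAULT_CREDS:
            alerts[e["ip"]].add("default_cred_login")
    return {ip: sorted(names) for ip, names in alerts.items()}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, only 198.51.100.7 is flagged, for both the per-minute burst and the admin/admin success; the legitimate login from 192.0.2.55 raises nothing.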
“The potential attack surface and attack resources available to hackers is nearly infinite,” Arbor’s Dobbins said. “So many new devices are coming online every day. There needs to be industry standards and audits. If organizations like ISPs are purchasing a lot of home CPE routers for customers, they need to request details of the security posture of devices from vendors and test those assertions to assure they are secured and do have an upgrade path.”
At a minimum, devices cannot ship with default credentials and access to web-based admin interfaces needs to be secure and limited.
“These types of attacks have already superseded [traditional DDoS attacks],” Dobbins said. “IoT botnets are not an upcoming threat. I’m not concerned about the future; I’m concerned about the past. If I could wave a magic wand, I would make it so there are no unsecured embedded devices out there. We still have a huge problem; we still have tens of millions of these devices out there.”