The security of the so-called Internet of Things came into the spotlight in a big way in 2016. It wasn't just Mirai, the malware behind DDoS attacks that knocked users off sites like Twitter and Spotify in October. Attacks against internet-enabled DVRs and cameras took center stage and vulnerabilities in internet-connected mice, keyboards, and even light bulbs became realistic threats over the past 12 months. Here’s a recap of some of the bigger stories.
IoT’s Day of Reckoning on the Horizon
In many ways the seeds of IoT insecurity were sown long ago, but Chris Rouland, noted IoT expert and founder of the firms Endgame and Bastille, portended the future of attacks on smart devices in a talk at Kaspersky Lab's Security Analyst Summit in February. Rouland warned at the time that IoT's day of reckoning, an event like the Melissa worm, likely compounded by poorly secured protocols, was on the horizon. Bastille would warn two weeks later of a vulnerability, Mousejack, that put wireless keyboards and mice from Logitech, Dell, and Lenovo at risk.
The Rise of CCTV Powered DDoS Botnets
In June, details around two powerful DDoS attacks, both powered by botnets made up of internet-enabled closed-circuit TV devices, came to light. One, powered by LizardStresser, a DDoS botnet of 1,300 webcams, was carrying out attacks against Brazilian banks, government agencies, and U.S.-based gaming companies. Another botnet, this one powered by 25,000 CCTV devices, managed to take down a small jewelry store's website for days.
KeySniffer Eavesdrops on Unencrypted Keystrokes
A vulnerability similar to Mousejack, dubbed KeySniffer, surfaced in July. The vulnerability, which existed in eight wireless, non-Bluetooth keyboards, could have let an eavesdropper sniff keystrokes from up to 250 feet away with fairly inexpensive radio equipment. The keyboard dongles transmitted the data constantly, and none of it was encrypted.
Lighting Vulnerabilities Open Doors for Attackers
On the surface, vulnerabilities in internet-enabled smart bulbs may not seem like a critical concern. Vulnerabilities in Osram Lightify products, made public in July, however, could have let an attacker pivot into an enterprise's internal network. The bugs, which could have been exploited remotely, could also have allowed an attacker to glean the authentication handshake, carry out man-in-the-middle attacks, and exploit persistent cross-site scripting vulnerabilities.
BASHLITE’s One Million Compromised IoT Devices
Near the end of the summer, stories around IoT threats began really commanding headlines. Researchers with Level 3 Threat Labs reported in late August that one million web-connected video cameras and DVRs were ensnared by a web of botnets. One of the biggest families, BASHLITE, was tied to 120,000 bots and 100 command and control servers, some of which launched more than 100 DDoS attacks a day. "This research shocked us," Dale Drew, chief security officer at Level 3 Communications, said at the time.
DHS Drafting IoT Best Practices
In September, Washington took notice and said it was preparing to draft best practices around IoT. At the Internet of Things Forum, a one-day conference on the topic in Cambridge, Mass., the Department of Homeland Security's Assistant Secretary for Cyber Policy, Robert Silvers, said the department was developing a set of strategic principles for the Internet of Things. "We have a small and closing window of time to take decisive and effective action," Silvers said. "The challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of, already deployed systems."
Mirai Source Code Leaked Online
The source code for the DDoS malware Mirai was leaked online in early October, something which laid the groundwork for attacks to come. The malware, which continuously scans the internet for IoT devices such as routers, IP cameras, and DVRs, surfaced on the Hackforums site. The malware, as it would turn out, had been responsible for a massive DDoS attack against security journalist Brian Krebs' website weeks prior. That attack peaked at 620 Gbps.
OVH, Krebs Crippled by DDoS Attacks
An even bigger attack, around the same time as the attack on Krebs' site, against French hosting firm OVH was charted at more than 1,100 Gbps. Researchers at Flashpoint traced the attacks back to a DVR manufacturer, China's XiongMai Technologies. The firm said at the time that between 300,000 and 600,000 DVRs were compromised because the devices used a default username and password (root/xc3511).
In late November, malware believed to be a variant of Mirai took down 900,000 routers manufactured for Germany's Deutsche Telekom. A vulnerability in approximately two million routers let attackers reach TCP NTP port 7547 and execute code remotely. The company was quick to push out a fix for the affected routers but, as an added precaution, recommended power cycling the devices to remove the malware.
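The two incidents above come down to two things a network owner can check for directly: unsolicited inbound connection attempts to the router port named in the Deutsche Telekom outage, and devices still running the factory default credential named in the XiongMai DVR reports. The following Python script is an added illustration, not code from the article or from any of the vendors it names; the firewall log format, the hostnames, the inventory, and every credential other than root/xc3511 are constructed for this example.

```python
"""Added example (not from the article): two defender-side checks for the
IoT exposures described above.

1. Count inbound connection attempts to TCP/7547 from constructed
   firewall log lines, grouped by external source address.
2. Flag devices in an asset inventory whose credential still matches a
   known factory default such as root/xc3511.

The log format, field names, hostnames and inventory are all constructed.
"""
import re
from collections import Counter

# Constructed firewall log lines in a syslog-like format (not real data).
SAMPLE_LOG = """\
Nov 27 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=7547 SYN
Nov 27 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51235 DPT=7547 SYN
Nov 27 10:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN
Nov 27 10:01:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=40002 DPT=7547 SYN
Nov 27 10:01:10 fw kernel: IN=eth1 OUT= SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=7547 DPT=51234 ACK
"""

# Field layout assumed for the constructed log lines above.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def inbound_hits(log_text, port=7547, external_iface="eth0"):
    """Return a Counter of external source IPs that attempted TCP
    connections to `port` via the external interface. Lines on other
    interfaces, other protocols, or with a different destination port
    (including replies where the port appears as SPT) are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["iface"] != external_iface or m["proto"] != "TCP":
            continue
        if int(m["dpt"]) == port:
            hits[m["src"]] += 1
    return hits


# Constructed asset inventory: (hostname, username, password).
INVENTORY = [
    ("dvr-lobby", "root", "xc3511"),            # default named in the article
    ("dvr-dock", "root", "S3cure-Passphrase!"),  # constructed, non-default
    ("cam-yard", "admin", "admin"),             # constructed placeholder default
]

# Known factory defaults to compare against. Only root/xc3511 comes from the
# article; admin/admin is a generic placeholder for this example.
KNOWN_DEFAULTS = {("root", "xc3511"), ("admin", "admin")}


def devices_with_default_creds(inventory, defaults=KNOWN_DEFAULTS):
    """Return the hostnames whose configured credential is a known default."""
    return [host for host, user, pw in inventory if (user, pw) in defaults]


if __name__ == "__main__":
    for src, n in inbound_hits(SAMPLE_LOG).most_common():
        print(f"{src}: {n} attempt(s) on TCP/7547")
    print("devices still on factory defaults:",
          devices_with_default_creds(INVENTORY))
```

On the sample data the script reports two attempts from 203.0.113.7 and one from 198.51.100.9, and flags dvr-lobby and cam-yard as still using defaults; the line on eth1 with 7547 as the source port is a reply and is correctly not counted. In practice the same two checks map to the mitigations the article describes: blocking or filtering the port at the network edge, and changing or rotating credentials on every device that matches a vendor default list.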
Regulating IoT Security
In the weeks following the Dyn attack, security experts and think tanks alike called on lawmakers to consider regulating the security of connected devices. The ICIT blamed clueless manufacturers in December. In November, while testifying before the House Committee on Energy and Commerce, noted security luminary Bruce Schneier said that regulation is the necessary next step, even if it means stifling innovation.