There are times when perception will coalesce around something that has been previously known, but not taken seriously. That is what happened recently with the distributed denial-of-service (DDoS) weaponization of the Internet of Things (IoT). Although government agencies have issued warnings about the potential problem of vulnerable IoT devices, nobody has ever really done anything about it.

Then, the KrebsOnSecurity site got hit with the largest-volume DDoS attack that had ever been seen. The botnet that enabled the attack was composed of low-level devices attached to the internet, like closed-circuit television (CCTV) cameras. These connected devices were harnessed on a massive scale to facilitate nefarious actions. The internet turned in a flash from a cuddly puppy into an attack dog with razor-sharp teeth.

The devices making up the botnet were not limited to one geographical area. For example, 18 percent were located in Vietnam. It became instantly obvious that this was a transnational problem that one nation could not control alone. To make things worse, the source code for the bot herder program used in the attack, Mirai, was released publicly in late September. That was like giving a loaded gun, metaphorically speaking, to script kiddies with no impulse control.

On the bright side, that release also encouraged security researchers to finally focus on the real IoT problem underlying Mirai.

Breaking Vulnerable IoT Devices

The Mirai release showed how all those bots came to be in the first place. The source contained a list of default usernames and passwords for these devices. The attackers used these to log in to the devices in a brute-force manner.

Devices usually contained a system on a chip (SoC) that executed the actual protocol connection to the internet. Vulnerable devices also had active login passwords that had not been changed from the default settings. Since the chip was integrated into some other product, the user may not have been offered the option to change the login info — perhaps the manufacturer found these default credentials useful in testing the overall device. However, these default passwords gave the attackers the elevated privileges they needed to carry out their criminal campaigns.

More than just the administrator panel is vulnerable here. Direct services, like Secure Shell (SSH) and Telnet, have shipped with default passwords and no way for users to change the state of the connection. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present,” security researcher Zach Wikholm of Flashpoint told KrebsOnSecurity. “Even worse, the web interface is not aware that these credentials even exist.”

So even if the web-based administrator passwords get changed, other services will remain open and vulnerable. One device manufacturer told KrebsOnSecurity that since September 2015, its devices did not ship with the Telnet port open by default, and users were prompted to change passwords. These claims have not been independently verified. But of course, any device made before that date would not be affected by these changes.

Some manufacturers on the password list may be surprising: It’s not just middle-layer makers involved in this — the potential is far greater than that. Owners of low-level devices may not even realize they’ve been infected, since a botnet is usually not active all the time.

The U.S. Computer Emergency Readiness Team (US-CERT) even issued an alert about the current situation. The notice references a prescient FBI warning about IoT devices from 2015. Much of the FBI’s warning remains applicable today. Of course, the FBI recommended changing the default passwords on IoT devices at that time. The vulnerability of these devices to this sort of misuse was blindingly obvious.

Exploiting UPnP

Not so obvious was the FBI’s recommendation to disable Universal Plug and Play (UPnP) on routers. UPnP is the process whereby a device remotely and automatically connects and communicates on a network. It requires no authentication. Because UPnP is self-configuring when it is attached to an IP address, it can be exploited.

The Simple Service Discovery Protocol (SSDP) is part of the UPnP protocol standard. It allows devices to discover each other on a network, establish communication and coordinate activities. Softpedia reported that Akamai issued an advisory warning that attackers had “been leveraging SSDP to launch attacks that amplify and reflect traffic to their targets.”

Akamai also recommended blocking wide area network (WAN)-based UPnP requests to client devices and forbidding UPnP access to the internet unless needed. There seems, at least, to be agreement among two separate sources on some concrete mediation strategies.

Is Your Device Infected?

A defensive measure is always good to have. But what if you want to know if you already have been infected by an IoT bot?

You can use YouGetSignal’s open port finder tool to scan an IP address for open ports and determine whether you have already been infected by an IoT bot. In particular, scan the services SSH (22), Telnet (23) and Hypertext Transfer Protocol (HTTP)/HTTPS (80/443). Mirai and its ilk use these services for communication with the command-and-control (C&C) servers. If the ports are open and you have no idea why, there may be a problem.

How does one rid an IoT device of this problem? This situation calls for a manual hardware reset. First, depower the device. Then wait 60 seconds and repower it. Since the malware is memory resident, the shutdown kills it.

Maybe we can survive Mirai and the like this time. But the IoT will serve as a platform for future attacks in other ways. Some experts are calling for governments to take economic action against these kinds of vulnerable IoT devices. The European Union (EU) is even considering placing warning stickers on noncompliant devices to shame the manufacturers.

After a mass DDoS attack took down many sites on Oct. 21, there were mutterings of an autoimmune response. Some were thinking about weaponizing the Mirai code to seek out these devices and turn them into silicon goo. It’s a brutal response, to be sure, but one that may gain traction if these attacks persist and devices are not updated.

Economic Implications

The problem is an economic one at heart. Economists label it an externality, where the effect of something is not limited to the two parties involved in a transaction. The device manufacturer wants to have the lowest price, something consumers desire as well. But a consumer doesn’t necessarily care if the device is used in a botnet, since the attack only affects an external party. There doesn’t seem to be an economic incentive to force manufacturers to adhere to a minimum security standard, even with governmental fingerpointing.

That has to change. All internet users should see the consequences of their decisions, even if they affect someone else. The entire internet community is — quite literally — connected. What goes around, comes around. Stakeholders must deal decisively with potentially toxic IoT devices or the problem will become overwhelming in the near future.

Climbing the Food Chain

Efforts like the MITRE Challenge IoT may end up finding an answer that works for everybody, but that doesn’t mean the problem is going away. For a long-term solution, authorities must implement an economic disincentive to discourage the use of security-blind devices.

Let’s think for a moment about specialized, IoT-resistant software. All network users would bear the cost of this potentially expensive software. Users forced to implement this software might be a vocal force, but they won’t sway those who simply want cheap devices. Those users put their own interests ahead of the community. You just can’t trust people to be altruistic — you have to go higher up the food chain to target the people profiting from these devices.

Somehow, authorities must apply effective economic pressure to device manufacturers to force them to stop selling this stuff. But it must be a coordinated effort among all regulatory bodies to ensure that the security-blind devices will not simply go out the back door instead of the front.

More from Endpoint

Combining EPP and EDR tools can boost your endpoint security

6 min read - Endpoint protection platform (EPP) and endpoint detection and response (EDR) tools are two security products commonly used to protect endpoint systems from threats. EPP is a comprehensive security solution that provides a range of features to detect and prevent threats to endpoint devices. At the same time, EDR is specifically designed to monitor, detect and respond to endpoint threats in real-time. EPP and EDR have some similarities, as they both aim to protect endpoints from threats, but they also have…

The needs of a modernized SOC for hybrid cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…