IoT devices, such as smart meters, smart watches and building automation systems, are proliferating. You may think that compromised IoT devices pose a danger only to the devices’ owners — for example, it’s easy to understand the privacy violation of an attacker viewing a web camera feed without the owner’s permission.

But compromised IoT devices can also pose a danger to others. A few years ago at a security conference, a researcher clearly demonstrated this by conducting a worm attack on a smart meter. In real life, the consequences of this sort of attack could include power outages for thousands of consumers.

A worm is just one attack vector. The use of IoT devices as a distributed denial-of-service (DDoS) platform and the creation of highly effective and globally distributed botnets is another.

The Weaponization of IoT Devices: Botnet DDoS Attacks

Unfortunately, in many cases the attackers don’t even need to exploit a technical vulnerability to execute their schemes. Rather, they just need the default administrative username and password, with which many devices come preconfigured and many users do not change. One report indicated that 30 percent of IT professionals do not change their wireless router’s default password.

If so many IT professionals fail to do such a simple task, imagine what the percentage might be among average home users. They simply connect a device and perform the basic setup procedure, which may not enforce password changes or could come preconfigured to allow remote management from the internet.

Two recent reports showed how botnets, made up of web-accessible compromised cameras, have been used in DDoS attacks. Last year, Imperva noted that the most common IoT botnet activity that it observed is from compromised CCTV cameras. Months later, Sucuri reported a novel DDoS attack in which the botnet leveraged compromised CCTV devices. According to Sucuri, the botnet was able to generate some 50,000 HTTP requests per second coming from 25,513 unique IP addresses.

But that’s only the tip of a rather large iceberg.

From Bad to Worse

A group of cybercriminals who go by the name Lizard Squad are infamous for their DDoS attacks, mainly against gaming servers and services. They first gained notoriety by selling access to their DDoS platform, commonly referred to as stresser or booter services.

Arbor Networks reported on two LizardStresser botnets, which have been used to attack Brazilian targets, including banking, government and telecom organizations, as well as three U.S.-based gaming companies. Research revealed that the majority of the compromised IoT devices leveraged by the botnet were internet-accessible webcams.

What is somewhat unusual about these attacks is their magnitude, reaching at peak more than 400 GB of traffic — and that’s without using any UDP-based reflection traffic, which is typical in large DDoS attacks. This botnet appears to be different from the one reported by Sucuri. Considering that the largest reported DDoS attack was in the region of 500 GB and likely included UDP reflection traffic, the capacity of these IoT-driven botnets is downright scary, in part because they are composed of only a small fraction of the IoT devices already connected to the internet.

The Blame Game

It’s easy to blame the owners of IoT devices for not changing default passwords or failing to update firmware, which may have remotely exploitable vulnerabilities. It’s equally easy to blame device vendors for failing to include an initial setup process that forces the end user to change default passwords — and possibly even usernames — upon initial setup.

Some might also try to blame the likes of Shodan for making it easy to locate and exploit vulnerable IoT devices. Of course, the attackers are to blame, but they will take the path of least resistance and attack easily compromised devices first.
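The setup process the previous section asks vendors for can be stated precisely: the device ships with a known factory credential, and until that credential is replaced setup is incomplete and remote management stays off. The following is an added example (not code from the article or from any vendor) of that first-boot policy for a hypothetical device; the factory credential, the list of well-known default passwords and the 12-character minimum are constructed assumptions.

```python
"""First-boot credential enforcement for a hypothetical IoT device (added example).
The device ships with a factory credential; until it is replaced, setup is
incomplete and remote management cannot be switched on."""
import hashlib
import hmac
import secrets

FACTORY_USER = "admin"          # constructed factory defaults for this example
FACTORY_PASSWORD = "admin"
# Illustrative list of passwords no setup flow should accept.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root", "default"}
MIN_PASSWORD_LENGTH = 12        # assumed policy value


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the plaintext is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceConfig:
    """Persistent device state as it comes out of the box."""

    def __init__(self):
        self.username = FACTORY_USER
        self.salt, self.pw_hash = hash_password(FACTORY_PASSWORD)
        self.setup_complete = False
        self.remote_admin = False   # stays off until the defaults are gone


def validate_new_credentials(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if username.strip().lower() == FACTORY_USER:
        problems.append("username is the factory default")
    if password == FACTORY_PASSWORD or password.lower() in COMMON_DEFAULTS:
        problems.append("password is a well-known default")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("password equals username")
    return problems


def complete_setup(cfg, username, password):
    """Replace the factory credential; refuses anything that fails the policy."""
    problems = validate_new_credentials(username, password)
    if problems:
        raise ValueError("; ".join(problems))
    cfg.username = username
    cfg.salt, cfg.pw_hash = hash_password(password)
    cfg.setup_complete = True
    return cfg


def enable_remote_admin(cfg):
    """Remote management is opt-in and only possible after setup has completed."""
    if not cfg.setup_complete:
        raise PermissionError("complete setup and replace the default credentials first")
    cfg.remote_admin = True
    return cfg


def check_login(cfg, username, password, remote=False):
    """Constant-time credential check; remote logins also need setup done and remote_admin on."""
    if remote and not (cfg.setup_complete and cfg.remote_admin):
        return False
    if not hmac.compare_digest(username.encode(), cfg.username.encode()):
        return False
    _, digest = hash_password(password, cfg.salt)
    return hmac.compare_digest(digest, cfg.pw_hash)


if __name__ == "__main__":
    device = DeviceConfig()
    print("remote login with defaults:", check_login(device, "admin", "admin", remote=True))
    complete_setup(device, "cam-operator", "correct horse battery staple")
    enable_remote_admin(device)
    print("remote login after setup:", check_login(device, "cam-operator", "correct horse battery staple", remote=True))
```

The key property is that a device exposed to the internet before its owner finishes setup is still not remotely manageable, so an unchanged default password cannot be used from outside even if the owner skips the rest of the procedure.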

How to Prevent Your IoT Device From Becoming Part of a Massive Botnet

Like other attack surfaces such as web servers and databases, IoT devices require hardening as soon as they’re installed to mitigate the threat of compromise. Endpoint security solutions can help lock down these devices before cybercriminals attack.

Home and enterprise users should:

  • Carefully read the device’s instructions or contact the manufacturer for support.
  • Change all default passwords and user IDs.
  • Opt for devices made by manufacturers with a track record of security awareness.
  • Disable Universal Plug and Play (UPnP) on any routers.

Meanwhile, enterprise security teams should:

  • Isolate IoT devices on protected networks.
  • Perform security testing of IoT devices.
  • Create an asset inventory. This includes mapping the network to discover all paths of ingress and egress; such a map may reveal, for example, that the IoT network has its own internet gateway that is not enterprise-class and does not conform to security policies or to applicable laws, regulations and contracts.
  • Monitor network access to determine normal behavior and detect anomalies.
  • Apply access controls between IoT devices and IT resources using enterprise firewalls, intrusion prevention systems, and integration with identity and access management to the extent it is supported.
  • Collaborate with the Internet of Things Security Foundation (IoTSF) to help secure IoT technologies.
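The monitoring item above (establish normal behavior, then detect anomalies) maps directly onto the traffic pattern described earlier: a camera that normally streams only to its recorder suddenly opens thousands of HTTP connections to internet hosts. The following added example (not code from the article or from X-Force) builds a per-device baseline from connection-log lines and reports devices whose rate, destinations or ports depart from it. The log format, the IoT subnet 10.20.0.0/24, the NVR at 10.20.0.2 and all sample lines are constructed for the example.

```python
"""Baseline-and-anomaly detection for IoT devices from connection logs (added example)."""
import ipaddress
from collections import defaultdict

# The IoT segment; anything outside it is an "external" destination (constructed value).
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Constructed log lines: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>".
# During the baseline two cameras stream (RTSP, port 554) only to the NVR at 10.20.0.2.
# From t=2000 camera 10.20.0.11 opens 300 HTTP connections to four internet hosts in
# ten seconds, the shape an HTTP-flood bot produces; 10.20.0.12 keeps behaving normally.
BASELINE_LINES = """\
1000 10.20.0.11 10.20.0.2 554
1001 10.20.0.11 10.20.0.2 554
1002 10.20.0.11 10.20.0.2 554
1003 10.20.0.12 10.20.0.2 554
1004 10.20.0.12 10.20.0.2 554
"""
FLOOD_LINES = "\n".join(
    f"{2000 + i // 30} 10.20.0.11 203.0.113.{1 + i % 4} 80" for i in range(300)
)
SAMPLE_LOG = BASELINE_LINES + FLOOD_LINES + "\n2003 10.20.0.12 10.20.0.2 554\n"


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        rows.append((int(ts), src, dst, int(port)))
    return rows


def profile(rows, start, end):
    """Per-source connection rate, destination set and port set over [start, end)."""
    stats = defaultdict(lambda: {"conns": 0, "dsts": set(), "ports": set()})
    for ts, src, dst, port in rows:
        if start <= ts < end:
            stats[src]["conns"] += 1
            stats[src]["dsts"].add(dst)
            stats[src]["ports"].add(port)
    seconds = max(end - start, 1)
    return {src: {"rate": s["conns"] / seconds, "dsts": s["dsts"], "ports": s["ports"]}
            for src, s in stats.items()}


def find_anomalies(rows, baseline, detect, rate_factor=10.0, min_rate=5.0):
    """Compare each source's detect-window behaviour with its baseline.

    A source is reported when its connection rate is at least rate_factor times its
    baseline (and above min_rate, so idle devices do not trigger on a single packet),
    when it reaches destinations outside the IoT segment it never reached before,
    or when it uses destination ports it never used before.
    """
    base = profile(rows, *baseline)
    now = profile(rows, *detect)
    findings = {}
    for src, cur in now.items():
        prev = base.get(src, {"rate": 0.0, "dsts": set(), "ports": set()})
        new_external = sorted(
            (d for d in cur["dsts"] - prev["dsts"] if ipaddress.ip_address(d) not in IOT_SUBNET),
            key=ipaddress.ip_address,
        )
        new_ports = sorted(cur["ports"] - prev["ports"])
        rate_spike = cur["rate"] >= min_rate and cur["rate"] > rate_factor * prev["rate"]
        if rate_spike or new_external or new_ports:
            findings[src] = {
                "rate": cur["rate"],
                "baseline_rate": prev["rate"],
                "rate_spike": rate_spike,
                "new_external": new_external,
                "new_ports": new_ports,
            }
    return findings


def analyze_sample():
    """Run the detector over the constructed log with 10-second baseline and detect windows."""
    rows = parse_log(SAMPLE_LOG)
    return find_anomalies(rows, baseline=(1000, 1010), detect=(2000, 2010))


if __name__ == "__main__":
    for src, f in analyze_sample().items():
        print(f"{src}: {f['rate']:.1f} conn/s (baseline {f['baseline_rate']:.1f}), "
              f"new external destinations={f['new_external']}, new ports={f['new_ports']}")
```

On the sample the camera 10.20.0.11 is reported for all three reasons (30 connections per second against a baseline of 0.3, four new destinations outside the segment, and port 80), while 10.20.0.12 is not. In production the baseline would be learned over days rather than seconds, and the "new external destination" rule is the one that pays off most for cameras and similar devices, whose legitimate peers are a short, fixed list that can also be enforced with the firewall rules from the access-control item above.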

Read the complete X-Force Research report: The Weaponization of IoT
