IoT devices, such as smart meters, smart watches and building automation systems, are prolific. You may think that compromised IoT devices pose a danger only to the devices’ owners — for example, it’s easy to understand the privacy violation of an attacker viewing a web camera feed without the owner’s permission.
But compromised IoT devices can also pose a danger to others. A few years ago at a security conference, a researcher clearly demonstrated this by conducting a worm attack on a smart meter. In real life, the consequences of this sort of attack could include power outages for thousands of consumers.
A worm is just one attack vector. The use of IoT devices as a distributed denial-of-service (DDoS) platform and the creation of highly effective and globally distributed botnets is another.
The Weaponization of IoT Devices: Botnet DDoS Attacks
Unfortunately, in many cases the attackers don’t even need to exploit a technical vulnerability to execute their schemes. Rather, they just need the default administrative username and password, with which many devices come preconfigured and many users do not change. One report indicated that 30 percent of IT professionals do not change their wireless router’s default password.
If so many IT professionals fail to do such a simple task, imagine what the percentage might be among average home users. They simply connect a device and perform the basic setup procedure, which may not enforce password changes or could come preconfigured to allow remote management from the internet.
Two recent reports showed how botnets, made up of web-accessible compromised cameras, have been used in DDoS attacks. Last year, Imperva noted that the most common IoT botnet activity that it observed is from compromised CCTV cameras. Months later, Sucuri reported a novel DDoS attack in which the botnet leveraged compromised CCTV devices. According to Sucuri, the botnet was able to generate some 50,000 HTTP requests per second coming from 25,513 unique IP addresses.
But that’s only the tip of a rather large iceberg.
From Bad to Worse
A group of cybercriminals who go by the name Lizard Squad are infamous for their DDoS attacks, mainly against gaming servers and services. They first gained notoriety by selling access to their DDoS platform, commonly referred to as stresser or booter services.
Arbor Networks reported on two LizardStresser botnets, which have been used to attack Brazilian targets, including banking, government and telecom organizations, as well as three U.S.-based gaming companies. Research revealed that the majority of the compromised IoT devices leveraged by the botnet were internet-accessible webcams.
What is somewhat unusual about these attacks is their magnitude, reaching at peak more than 400 GB of traffic — and that’s without using any UDP-based reflection traffic, which is typical in large DDoS attacks. This botnet appears be different from what was reported by Sucuri. Considering that the largest reported DDoS attack was in the region of 500 GB and likely included UDP reflection traffic, the capacity of these IoT-driven botnets is downright scary, in part because it is composed of only a small fraction of the IoT devices already connected to the internet.
The Blame Game
It’s easy to blame the owners of IoT devices for not changing default passwords or failing to update firmware, which may have remotely exploitable vulnerabilities. It’s equally easy to blame device vendors for failing to include an initial setup process that forces the end user to change default passwords — and possibly even usernames — upon initial setup.
Some might also try to blame the likes of Shodan for making it easy to locate and exploit vulnerable IoT devices. Of course, the attackers are to blame, but they will take the path of least resistance and attack easily compromised devices first.
How to Prevent Your IoT Device From Becoming Part of a Massive Botnet
Like other attack surfaces such as web servers and databases, IoT devices require hardening as soon as they’re installed to mitigate the threat of compromise. Endpoint security solutions can help lock down these devices before cybercriminals attack.
Home and enterprise users should:
- Carefully read the device’s instructions or contact the manufacturer for support.
- Change all default passwords and user IDs.
- Opt for devices made by manufacturers with a track record of security awareness.
- Disable the universal plug-and-play protocol on any routers.
Meanwhile, enterprise security teams should:
- Isolate IoT devices on protected networks.
- Perform security testing of IoT devices.
- Create an asset inventory. This includes mapping the network to discover all paths of ingress and egress, which could allow you to find that the IoT network has its own internet gateway that is not enterprise-class and doesn’t conform to security policies or applicable laws, regulations and contracts.
- Monitor network access to determine normal behavior and detect anomalies.
- Apply access controls between IoT devices and IT resources using enterprise firewalls, intrusion prevention systems, and integration with identity and access management to the extent it is supported.
- Collaborate with the Internet of Things Security Foundation (IoTSF) to help secure IoT technologies.