IoT devices, such as smart meters, smart watches and building automation systems, are prolific. You may think that compromised IoT devices pose a danger only to the devices’ owners — for example, it’s easy to understand the privacy violation of an attacker viewing a web camera feed without the owner’s permission.

But compromised IoT devices can also pose a danger to others. A few years ago at a security conference, a researcher clearly demonstrated this by conducting a worm attack on a smart meter. In real life, the consequences of this sort of attack could include power outages for thousands of consumers.

A worm is just one attack vector. The use of IoT devices as a distributed denial-of-service (DDoS) platform and the creation of highly effective and globally distributed botnets is another.

The Weaponization of IoT Devices: Botnet DDoS Attacks

Unfortunately, in many cases the attackers don’t even need to exploit a technical vulnerability to execute their schemes. Rather, they just need the default administrative username and password, with which many devices come preconfigured and many users do not change. One report indicated that 30 percent of IT professionals do not change their wireless router’s default password.

If so many IT professionals fail to do such a simple task, imagine what the percentage might be among average home users. They simply connect a device and perform the basic setup procedure, which may not enforce password changes or could come preconfigured to allow remote management from the internet.

Two recent reports showed how botnets, made up of web-accessible compromised cameras, have been used in DDoS attacks. Last year, Imperva noted that the most common IoT botnet activity that it observed is from compromised CCTV cameras. Months later, Sucuri reported a novel DDoS attack in which the botnet leveraged compromised CCTV devices. According to Sucuri, the botnet was able to generate some 50,000 HTTP requests per second coming from 25,513 unique IP addresses.

But that’s only the tip of a rather large iceberg.

From Bad to Worse

A group of cybercriminals who go by the name Lizard Squad are infamous for their DDoS attacks, mainly against gaming servers and services. They first gained notoriety by selling access to their DDoS platform, commonly referred to as stresser or booter services.

Arbor Networks reported on two LizardStresser botnets, which have been used to attack Brazilian targets, including banking, government and telecom organizations, as well as three U.S.-based gaming companies. Research revealed that the majority of the compromised IoT devices leveraged by the botnet were internet-accessible webcams.

What is somewhat unusual about these attacks is their magnitude, reaching at peak more than 400 GB of traffic — and that’s without using any UDP-based reflection traffic, which is typical in large DDoS attacks. This botnet appears be different from what was reported by Sucuri. Considering that the largest reported DDoS attack was in the region of 500 GB and likely included UDP reflection traffic, the capacity of these IoT-driven botnets is downright scary, in part because it is composed of only a small fraction of the IoT devices already connected to the internet.

The Blame Game

It’s easy to blame the owners of IoT devices for not changing default passwords or failing to update firmware, which may have remotely exploitable vulnerabilities. It’s equally easy to blame device vendors for failing to include an initial setup process that forces the end user to change default passwords — and possibly even usernames — upon initial setup.

Some might also try to blame the likes of Shodan for making it easy to locate and exploit vulnerable IoT devices. Of course, the attackers are to blame, but they will take the path of least resistance and attack easily compromised devices first.

How to Prevent Your IoT Device From Becoming Part of a Massive Botnet

Like other attack surfaces such as web servers and databases, IoT devices require hardening as soon as they’re installed to mitigate the threat of compromise. Endpoint security solutions can help lock down these devices before cybercriminals attack.

Home and enterprise users should:

  • Carefully read the device’s instructions or contact the manufacturer for support.
  • Change all default passwords and user IDs.
  • Opt for devices made by manufacturers with a track record of security awareness.
  • Disable the universal plug-and-play protocol on any routers.

Meanwhile, enterprise security teams should:

  • Isolate IoT devices on protected networks.
  • Perform security testing of IoT devices.
  • Create an asset inventory. This includes mapping the network to discover all paths of ingress and egress, which could allow you to find that the IoT network has its own internet gateway that is not enterprise-class and doesn’t conform to security policies or applicable laws, regulations and contracts.
  • Monitor network access to determine normal behavior and detect anomalies.
  • Apply access controls between IoT devices and IT resources using enterprise firewalls, intrusion prevention systems, and integration with identity and access management to the extent it is supported.
  • Collaborate with the Internet of Things Security Foundation (IoTSF) to help secure IoT technologies.

Read the complete X-Force Research report: The Weaponization of IoT

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today