How hackers are using DDoS to exploit IoT vulnerabilities
As IoT devices are predicted to reach 50 billion by 2020, Jason Farmer - Advanced Threat Security Engineer at Arbor Security - tells us how ‘IoT devices are purpose built machines with little or no thought given to their security.’
We’ve seen it in popular culture; Mr Robot warned us in an episode last year where a woman is terrorised by a hacker messing with her smart home technology. Silicon Valley’s latest series showed a winning moment when a hacked fridge infects thousands of other smart fridges to power their product.
A distributed denial-of-service (DDoS) attack is one way hackers exploit the vulnerabilities of IoT devices, after taking ‘complete control of the device’. But why IoT and not mobile phones? “As long as these devices are working as expected, they are left alone,” warns Jason. “This means that once a threat actor has gained control of the device, interference or disruption to their control due to maintenance is rare. This combination means easy targets that will stay in their control for an extended, if not indefinite, period of time.”
It’s the combination of limited awareness of IoT vulnerabilities and limited update and patch capabilities that makes these devices such an easy target for hackers to enlist into their ‘botnet herds’. Jason informs us: “Because of a perception that IoT devices do not pose a security threat, the surrounding controls protecting these devices are often less, furthering their susceptibility to attack. A search of Shodan quickly reveals a number of IoT devices that are still using default administrative credentials and directly accessible from the Internet.”
Most people believe DDoS attacks are simply large swathes of packets designed to fry internet circuits. Today’s DDoS attacks have evolved into more sophisticated ‘campaigns’ that combine multiple techniques to avoid detection and mitigation. “Modern application layer DDoS attacks, AKA stealthy or low-and-slow, will deny service by exhausting application resources with relatively low bandwidth utilization. Likewise, TCP state exhaustion attacks will overwhelm state tables of servers, firewalls, and load balancers. These newer techniques are harder to detect because the circuits stay up and continue passing other traffic during the attack,” Jason said.
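A defender’s-side heuristic for spotting the two stealthy patterns Jason describes, added here as an example that is not from the article or Arbor Networks; the connection-record format, the sample data and the thresholds are assumptions:

```python
# Added example (not from the article or Arbor Networks): a heuristic
# detector for the two stealthy patterns described above, run over a
# constructed snapshot of a server's connection table. The record format
# and the thresholds are assumptions; tune them to your own baseline.
from dataclasses import dataclass


@dataclass
class Conn:
    src: str         # client IP address
    state: str       # TCP state as a state table would report it
    age_s: float     # seconds since the connection was first seen
    bytes_in: int    # bytes received from the client so far


def half_open(conns):
    """Connections stuck in SYN_RECV: the footprint of TCP state exhaustion."""
    return [c for c in conns if c.state == "SYN_RECV"]


def low_and_slow(conns, min_age_s=60.0, max_bytes=512):
    """Established sessions held open for a long time while sending almost
    nothing: the footprint of an application-layer low-and-slow attack."""
    return [c for c in conns if c.state == "ESTABLISHED"
            and c.age_s >= min_age_s and c.bytes_in <= max_bytes]


def analyse(conns, max_half_open=100, max_slow=50):
    """Summarise a snapshot; a bandwidth graph alone would show nothing here."""
    ho, slow = half_open(conns), low_and_slow(conns)
    return {
        "half_open": len(ho),
        "half_open_sources": len({c.src for c in ho}),
        "slow": len(slow),
        "state_exhaustion": len(ho) > max_half_open,
        "low_and_slow": len(slow) >= max_slow,
    }


def build_sample():
    """Constructed snapshot: 8 ordinary clients plus two simulated botnets."""
    normal = [Conn(f"10.0.0.{i}", "ESTABLISHED", 5.0, 4000 + i) for i in range(8)]
    slow_bots = [Conn(f"198.51.100.{i}", "ESTABLISHED", 300.0, 40) for i in range(60)]
    syn_bots = [Conn(f"203.0.113.{i}", "SYN_RECV", 1.0, 0) for i in range(150)]
    return normal + slow_bots + syn_bots


if __name__ == "__main__":
    for key, value in analyse(build_sample()).items():
        print(f"{key}: {value}")
```

The same two checks apply to a real state-table export (for example a connection-tracking dump) once its rows are mapped onto the `Conn` fields.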
Biggest DDoS attack
So far we’ve discussed the theoretical; however, on 20 September 2016 DDoS attacks against “Krebs on Security” and OVH, a French web hosting company, defined the capabilities of IoT-fuelled attacks. How did attackers execute the largest attacks ever seen on the internet, at 620 Gbps and 1 Tbps? 150,000 consumer devices such as IP cameras, home routers and even baby monitors were hijacked to launch the attack, and websites and hosting services ground to a halt.
Jason explained the tactics employed: “These attacks are commonly known by the malware name of Mirai. The third attack that Mirai is responsible for is Dyn in October of 2016. Since Dyn is a large DNS provider, this attack impacted a large portion of the internet because their services were not available during the attack.”
How do we deny their attack?
Sometimes the simplest solutions are the most effective; Jason points to the default username and password found on IoT devices. For example, my router at home has the username ‘admin’ and the password ‘changeme’. Probably as a cost-saving measure, manufacturers often fail to provide unique passwords for the device’s gateway address, through which infected firmware is easily installed.
“Until IoT manufacturers start improving the security embedded into their devices, traditional measures are the best recommendation at this time. These recommendations include segmenting the devices from the parts of the network they do not need access to and changing the default security settings,” advised Jason.
DDoS attacks that exploit IoT are on the rise, but how has the method evolved since its first mass deployment in 1999? Jason leaves us with a cautionary tale: “Recent trends in DDoS include an ever-increasing frequency, intensity, and complexity of attacks. We can certainly expect that trend to continue. Clearly IoT has fuelled the intensity as billions of vulnerable devices enable larger attacks. Furthermore, attackers are taking advantage of vulnerable networks as management and monitoring resources become more abstracted. Additionally, we see more often that DDoS is part of an Advanced Threat campaign and is just another part of the tool set. DDoS will likely be used more often to probe network weakness and provide cover for infiltration/exfiltration. DDoS extortion is also on the rise.”
Jason Farmer - Advanced Threat Security Engineer at Arbor Networks - will be speaking on the panel DDoS via IoT in the Software-Defined Enterprise at this year’s SDxE in Texas.