The Internet of Zombie Things

While the Internet of Things (IoT) has brought connectivity and communication to multiple devices, could an insecure IoT device bring down your network?

December 19, 2016 by Andreas Krebs

Avid Internet of Things advocates must be feeling like the Trojans did when they realized what was inside the big wooden horse.

Enthusiasts of the Internet of Things, or IoT – where everyday appliances use network connectivity to improve and expand their functionality – could only gape in bewilderment last October 21, when hackers enlisted over 100,000 toasters, cameras and other Internet-enabled home devices for the largest DDoS attack of the year.

Their tool was a nasty piece of malware called Mirai. It scans for vulnerable IoT gadgets that use out-of-the-box logins and passwords, infects them, and propagates – allowing malware operators to aggregate them into a sizeable botnet for use in DDoS attacks.

The target this time, the DNS services company DYN, saw its servers crash under the strain of traffic amounting to 1.2 terabits-per-second for most of the day. The attack took down major websites like Twitter, the Guardian, Reddit and Netflix – leaving users fuming and cybersecurity professionals scrambling for answers.

The October attack came on the heels of a September 2016 DDoS attack on security news site KrebsOnSecurity that racked up what was then a record 620 gigabit-per-second onslaught using the same technique.

The numbers are no accident: we're seeing IoT being leveraged in a ghastly perversion of Moore's Law. The increase in quantity and power of IoT gadgets – without a corresponding increase in protection – has allowed hackers to cheaply and quickly hijack them for nefarious purposes, such as massive botnets that can unleash DDoS attack traffic of over 1 terabit-per-second.

Most botnets of this scale are designed to hold servers hostage, keeping them offline until the management coughs up a large, juicy ransom. DYN and Krebs were not usual victims for this type of scheme – but the exponentially-increasing ferocity of their attacks signals a worrisome lowering of the barrier for entry for hackers.

“Today, there are massive, automated botnets available for rent ranging from $10s to $100s USD monthly and capable of generating up to multiple Gbps worth of attack traffic,” explains Dave Martin, Director of Product Marketing, NSFOCUS. “A single credit card number or PayPal account and the IP address (or addresses) of the victim are often all that is needed to launch massive attacks capable of disrupting critical online systems.”

Securing your own corner of the IoT is easily done, but it barely addresses the larger problem.

Yes, you can take simple precautions such as changing the admin and WiFi passwords on your IoT-enabled devices. You can also use tools like the Incapsula Mirai scanner to check your exposure to the malware behind the botnets. If you need a more robust, in-depth analysis, consider services such as All Covered Advanced Security.

But in the wider scheme of things, a comprehensive market-driven solution is out of reach, because neither the manufacturers of IoT-enabled gadgets nor the consumers snapping them up have any motivation to find one, says security expert Bruce Schneier.

“This is a market failure that can't get fixed on its own,” explains Schneier. “The market can't fix this because neither the buyer nor the seller cares…. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people.”

Until government steps in to regulate the IoT, says Schneier, nothing can be done to prevent more massive DDoS attacks.

“When we have market failures, government is the only solution,” suggests Schneier. “The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.”

Until regulation becomes a reality, it's entirely up to you to disable telnet and change default passwords on your IoT-enabled devices. It'll deny the next massive botnet the use of your stuff in the short term, but whether a critical mass of users will do the same thing (enough to stop the next DYN or Krebs attack in its tracks) is anybody's guess.
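
To check whether the telnet advice above has actually taken hold on your own network, the following sketch audits a router or firewall connection log. It is an added example, not code from the article or from any vendor, and it assumes a made-up log format, a 192.168.1.0/24 LAN and a constructed sample log. It flags devices that still accept telnet from outside, and devices that open telnet sessions to several outside hosts, which is the scan-and-propagate behaviour described earlier for Mirai.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet
TELNET_PORT = 23
FANOUT_THRESHOLD = 3  # assumed: distinct outside telnet targets before flagging

# Constructed sample log in a hypothetical "ts action proto src:port -> dst:port" format.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z ALLOW TCP 192.168.1.40:51000 -> 198.51.100.7:443
2016-10-21T11:10:02Z ALLOW TCP 203.0.113.9:40211 -> 192.168.1.23:23
2016-10-21T11:10:05Z ALLOW TCP 192.168.1.23:33001 -> 198.51.100.11:23
2016-10-21T11:10:05Z ALLOW TCP 192.168.1.23:33002 -> 198.51.100.12:23
2016-10-21T11:10:06Z ALLOW TCP 192.168.1.23:33003 -> 198.51.100.13:23
2016-10-21T11:10:06Z DENY TCP 203.0.113.9:40212 -> 192.168.1.50:23
2016-10-21T11:10:07Z ALLOW TCP 192.168.1.60:33100 -> 198.51.100.20:23
garbage line that should be ignored
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def audit_telnet(log_text):
    """Return LAN hosts reachable over telnet from outside, and LAN hosts fanning out over telnet."""
    exposed = set()
    targets = defaultdict(set)  # LAN host -> distinct outside telnet destinations
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _, action, src, _, dst, dport = m.groups()
        if action != "ALLOW" or int(dport) != TELNET_PORT:
            continue  # only connections that were let through to port 23 matter
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if dst_ip in LAN and src_ip not in LAN:
            exposed.add(dst)  # telnet still enabled and reachable from outside
        elif src_ip in LAN and dst_ip not in LAN:
            targets[src].add(dst)
    scanning = {h for h, t in targets.items() if len(t) >= FANOUT_THRESHOLD}
    return {"exposed": sorted(exposed), "scanning": sorted(scanning)}

if __name__ == "__main__":
    print(audit_telnet(SAMPLE_LOG))
```

A host that appears in both lists, like 192.168.1.23 in the sample, is the first one to take offline, reset and give a new password.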