Internet of Things or Internet of Threats?

By Prashant Verma

October 6, 2016

Deconstruction of an IoT hack that was used to build a large DDoS army

Internet of Things (IoT) devices, once compromised, can give an attacker capabilities with a massive impact. This was demonstrated in a recent attack that compromised cameras and DVRs, many of them from a single manufacturer, Dahua Technology Co. Because IoT devices are present in homes and enterprises alike, and because they are inexpensive, they are easy to obtain for reverse engineering.

Attackers start by decoding the firmware to find embedded flaws and weak configuration, in the device, in the network, or in both, that let them break into the devices remotely. This is not a new concept; the same approach has been applied before to end devices such as TVs, set-top boxes, WiFi routers and cable modems.

What happened this time?

Reports suggest that about 1 million security cameras, digital video recorders and other compromised devices generated huge volumes of traffic, which was used to mount a Distributed Denial of Service (DDoS) attack against various targets on the internet.

The majority of the attack traffic came from devices manufactured by Dahua Technology Co.

Security researchers who have studied the source code published by the hacker agree that the malicious code is genuine but not particularly sophisticated. The malware, named 'Mirai', simply scans the internet for connected devices that accept default or weak logins, infects them, and uses each newly infected device to keep scanning. The infected devices were then used to launch the DDoS attack.

The architect of the malware clearly knew what he was doing, and based on expert analysis of the code, it appears to have originated in Eastern Europe.

The concern for security experts everywhere is the weak state of security in IoT devices. If such simple malware can stage an attack of this size, one can only wonder what a sophisticated attack could do. And since the malicious code is now public, we should brace for more attacks.

How are the systems compromised?

The biggest challenge for the attacker is getting the malware onto the remote IoT devices. Physical access is one way to load malicious code, but with a compromised device count in the millions, this has to be a remote attack that propagates and infects automatically.

In the world of IoT every component is connected to the internet and end devices have IP addresses. Once an attacker has found a weakness in a specific device or firmware version, whether a software flaw or, as with Mirai, a factory-default login, all that remains is self-propagating code that looks for devices of the same kind and infects each one it finds.

Such attackers spend most of their time on the embedded side: finding the flaws in the firmware and working out how to compromise and fully own the end devices.
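The scanning behaviour described above and in the 'What happened this time?' section has a visible network signature: an infected device inside your network opens connections to many distinct addresses on the telnet ports in a short burst. The following detector is an added example written for this page, not code from the author or from Mirai; the flow records are constructed, and the 60-second window, the 5-destination threshold and the ports 23/2323 are assumptions you should tune to your own network.

```python
"""Flag hosts whose outbound traffic looks like Mirai-style telnet scanning.

An infected device connects to large numbers of random addresses on
TCP 23/2323 and tries default credentials on each one, so from inside
the network it shows up as a source that reaches many distinct
destinations on those ports within a short window.

The flow log below is constructed for this example; the window size,
threshold and port set are assumptions, not values taken from Mirai.
"""
from collections import defaultdict, Counter
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}
WINDOW = timedelta(seconds=60)   # assumption: look for bursts within a minute
MIN_DISTINCT_DST = 5             # assumption: normal devices rarely telnet to many hosts

# Constructed flow log: "<ISO timestamp> <src> <dst> <dport> <tcp flags>"
SAMPLE_FLOWS = """\
2016-10-05T10:00:00 192.168.1.20 203.0.113.5 23 S
2016-10-05T10:00:01 192.168.1.20 198.51.100.77 23 S
2016-10-05T10:00:02 192.168.1.20 203.0.113.90 2323 S
2016-10-05T10:00:03 192.168.1.20 192.0.2.44 23 S
2016-10-05T10:00:04 192.168.1.20 198.51.100.8 23 S
2016-10-05T10:00:05 192.168.1.20 203.0.113.200 23 S
2016-10-05T10:00:06 192.168.1.20 192.0.2.9 23 S
2016-10-05T10:00:00 192.168.1.30 192.168.1.1 443 S
2016-10-05T10:00:30 192.168.1.30 192.168.1.1 443 S
2016-10-05T10:01:00 192.168.1.30 192.168.1.1 443 S
2016-10-05T10:00:00 192.168.1.40 10.0.0.1 23 S
2016-10-05T10:05:00 192.168.1.40 10.0.0.2 23 S
2016-10-05T10:10:00 192.168.1.40 10.0.0.3 23 S
2016-10-05T10:15:00 192.168.1.40 10.0.0.4 23 S
2016-10-05T10:20:00 192.168.1.40 10.0.0.5 23 S
2016-10-05T10:25:00 192.168.1.40 10.0.0.6 23 S
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _flags = line.split()   # flags are not needed here
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(flows, window=WINDOW, min_distinct=MIN_DISTINCT_DST):
    """Return {src: peak number of distinct telnet destinations seen within
    `window`} for every source whose peak reaches `min_distinct`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in TELNET_PORTS:
            by_src[src].append((ts, dst))

    suspects = {}
    for src, events in by_src.items():
        events.sort()                       # chronological order per source
        in_window = Counter()               # dst -> events currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events from the left until the window spans at most `window`
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for host, n in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {n} distinct telnet targets within {WINDOW.seconds}s, likely scanning")
```

In the constructed log, 192.168.1.20 hits seven different hosts on 23/2323 in six seconds and is flagged; 192.168.1.40 also talks telnet but to one host every five minutes, which is what a management station might do, so it stays below the threshold unless you widen the window. Counting distinct destinations rather than raw connections is what separates a scanner from a device that legitimately retries one telnet peer.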

The potential impact

A botnet of this size turns cheap, poorly secured devices into a weapon that can be pointed at anyone on the internet. Around a million compromised cameras and DVRs generated enough traffic to take targets offline, and most of that traffic came from a single manufacturer's product lines, so one weak product family is enough to supply a large share of an attack. The devices keep doing their job while they scan and attack, so their owners rarely notice. And now that the Mirai source is public, the same devices can be re-infected and reused by anyone who downloads it.

What should you do?

If you or your company own these or similar IoT devices, there are some security basics to take care of.


  1. Upgrade the device firmware to the latest version.
    a. Vendors patch known and reported weaknesses in the current version.
  2. Tighten access to these devices.
    a. Set strong passwords; never keep the default ones.
    b. Restrict the configuration console to a few IP addresses only.
  3. Tighten your network access paths.
    a. Define network routes and reachability use cases for the devices. Not all devices need to be exposed to public or untrusted networks.
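The three basics above can be checked mechanically against a device inventory. The audit below is an added example written for this page, not code from the author or from any vendor: the inventory, version numbers and credential pairs are constructed samples, and the "anything broader than a /24 is not a few addresses" and "shorter than 12 characters is weak" rules are assumptions to adjust to your own policy.

```python
"""Audit an IoT device inventory for the three basics: current firmware,
non-default credentials, and a console reachable only from a few
trusted addresses, plus the network-path question of whether the device
is exposed to the internet at all.

Everything here is constructed for illustration. The inventory, the
version strings and the credential pairs are samples, not data about a
real product; replace them with your own inventory export.
"""
import ipaddress

# Constructed sample of factory credential pairs of the kind worm-style
# scanners try. A real audit should use the full published default lists.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("admin", "1234"), ("support", "support"), ("root", ""),
}

MIN_PASSWORD_LENGTH = 12     # assumption: local policy, not a vendor value
MAX_ALLOWED_PREFIX = 24      # assumption: broader than a /24 is not "a few addresses"

# Constructed inventory. "console_allow" lists the networks permitted to
# reach the configuration console; "exposed_to" lists the networks from
# which the device's services are reachable.
INVENTORY = [
    {"name": "dvr-lobby", "firmware": "2.4.0", "latest": "2.4.3",
     "user": "admin", "password": "admin",
     "console_allow": ["0.0.0.0/0"], "exposed_to": ["internet", "mgmt"]},
    {"name": "cam-dock-3", "firmware": "2.4.3", "latest": "2.4.3",
     "user": "admin", "password": "K7#pv9!qLm2z",
     "console_allow": ["10.10.5.0/28"], "exposed_to": ["mgmt"]},
    {"name": "cam-yard", "firmware": "2.3.9", "latest": "2.4.3",
     "user": "root", "password": "Tr0ub4dor&3",
     "console_allow": ["10.0.0.0/8"], "exposed_to": ["internet"]},
]


def version_tuple(v):
    """'2.4.3' -> (2, 4, 3) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev):
    """Return the list of findings for one device; an empty list means it passes."""
    findings = []
    # 1. Firmware: the vendor's current version carries the fixes.
    if version_tuple(dev["firmware"]) < version_tuple(dev["latest"]):
        findings.append(f"firmware {dev['firmware']} behind {dev['latest']}")
    # 2a. Credentials: factory defaults are exactly what the scanner tries first.
    if (dev["user"], dev["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still set")
    elif len(dev["password"]) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    # 2b. Console access: must be limited to a few addresses, not a whole network.
    for cidr in dev["console_allow"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < MAX_ALLOWED_PREFIX:
            findings.append(f"console reachable from {cidr} (too broad)")
    # 3. Network path: a camera or DVR has no reason to be reachable from the internet.
    if "internet" in dev["exposed_to"]:
        findings.append("services exposed to the internet")
    return findings


def audit(inventory):
    """Map device name -> findings for every device that fails at least one check."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In the constructed inventory, dvr-lobby fails all four checks (old firmware, admin/admin, console open to 0.0.0.0/0, reachable from the internet), cam-yard fails on firmware, password length, a /8 console allow-list and internet exposure, and cam-dock-3 passes. The version comparison uses numeric tuples because a plain string comparison would rank "2.4.10" below "2.4.3".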




The volume of traffic and the impact of the attack are unprecedented, but the approach and the techniques used are not new and have been seen before.

IoT adoption is increasing very rapidly, and the community needs to evolve IoT security at the same pace: security solutions designed to protect IoT devices, and enough awareness that consumers understand why adopting them matters.

Tags: blog