Today’s Predictions for Tomorrow’s Internet: Using IoT Devices to Launch Attacks from Within
By Steinthor Bjarnason
The number of IP-enabled IoT devices has increased dramatically in the last several years and according to IHS, it is predicted to reach the staggering number of 30.7 billion devices by 2020. Almost every device manufactured today, including home appliances, street lights, parking meters, toys and even automobiles include some sort of IoT functionally which allows them to be monitored and/or managed via the internet.
Unfortunately, due to the limited storage and functionality on these small devices and the ever-increasing drive to keep costs down, these devices are usually insecure and are easy targets for attackers which actively scan for these devices and then subsequently subsume them into their Botnets. Internet connected IoT devices like webcams and DVR’s are now the attacker’s choice for launching DDoS attacks and were used in high profile attacks against DYN, OVH and others in 2016/17.
Manufacturers have slowly begun to increase the security level of IoT devices which are directly connected to the internet (estimated to be about 5% of the total IoT population) but the remaining 95% are getting less focus as they are deployed behind corporate firewalls and are therefore assumed to be safe from the attackers. This assumption was however proven wrong in February 2017.
The Mirai Windows spreader
In February 2017, a new Windows Trojan containing IoT attack code was detected in the wild by ASERT and other malware researchers. What was different about this Windows Trojan is that in addition to infecting Windows computers, it also scanned for vulnerable IoT devices and then proceeded to infect them with the Mirai IoT botnet code.
This means that if a Windows computer infected by this Trojan, is connected to the networks inside the corporate firewalls, the Windows computer will start to scan for and infect all those vulnerable IoT device behind the barriers which were previously believed to be safe from attackers.
This allows the attackers to gain reachability to the previously untouchable 95% of the IoT devices and can now use those to launch outbound DDoS attacks or use the devices to launch devastating internally facing DDoS attacks against vulnerable internal resources including Data Centers and WAN/LAN network infrastructures. These resources are in almost all cases, NOT protected against DDoS attacks originating from the inside and are therefore very vulnerable against this kind of attack.
Botnet DDoS malware and traditional Ransomware malware also started to cross-pollinate in 2017 as the attackers realized that DDoS attacks against network infrastructures can be far more devastating than infecting end-user computers.
Taking these two trends together, it’s easy to see how attackers could launch multi-stage Ransom attacks against corporations using a combination of external DDoS attacks and internally launched DDoS attacks using IoT devices which are already inside the targets networks.
The drive toward connecting every device to the internet has clearly been very beneficial for today’s society. This has however happened without considering the security aspects and the attackers are now busily taking control of these devices, using them against their owners for monetary gain.
The Windows Mirai Spreader was a game changer, opening the door for infecting IoT devices inside corporations and using them to launch attacks against vulnerable resources inside the corporate perimeters.
However, a network which is designed and secured according to network security best practices using segmentation, monitoring, DDoS mitigation and stateless security devices will be able to detect and mitigate these attacks.
Unfortunately, trying to secure the network while under attack is almost impossible which means that preparation is key. Secure your networks before your IoT devices revolt against you!
(This article is based on an ASERT presentation which was delivered at DEFCON 2017, AUSNOG 2017 and NANOG 71. A YouTube video is available.)