Rise of the Machines: How IoT broke the Internet, and the day after tomorrow

If you are reading this, you are back on Twitter, listening to your favorite music on Spotify, watching Netflix, and you can finally breathe!

Yes, the massive DDoS attack targeting the DNS service provider Dyn almost broke the Internet, and we are still in the aftermath.

Although the forensic analysis is still ongoing, we do know that this attack involved at least one botnet of IoT devices.

This attack follows two large-scale DDoS attacks launched in September that used the same methodology: infecting an ‘army’ of IoT devices to knock down victims’ services.

For security experts, this is no surprise; we have almost sounded like Cassandras, warning for years about the lack of security in IoT devices. Just to give a few examples: fridges have been hacked to launch spam campaigns, a connected-car PoC hack sabotaged the brakes, medical insulin pumps have been found vulnerable to hacking, connected toys are easily hackable, etc.

How did all this happen?

Well, it all started with the Mirai malware, which targets connected objects by exploiting inherent weaknesses, especially the fact that these systems are usually protected only by factory default passwords or even hard-coded usernames/passwords. Once infected, these devices become part of the “botnet army”, reporting to a central command-and-control server. Rise of the machines indeed!

This malware uses BusyBox-specific commands, so the infection fails if BusyBox is not present. This is why the malware specifically recruits IoT devices for its botnets. An illustration of how vulnerable IoT devices can be: you can pull 300k bots using Telnet (yes, Telnet :-)).
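From the defender's side, the recruitment described above shows up as one source knocking on TCP/23 and TCP/2323 across many of your hosts. The following is an added example (not code from the article): it parses a few constructed iptables-style firewall log lines (the line format is assumed) and flags sources that sweep Telnet ports on several destinations.

```python
"""Flag hosts that sweep Telnet ports the way Mirai-style scanners do.

Added example, not part of the original article. Input is a handful of
constructed iptables-style log lines (assumed format), not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample: kernel log lines from a border firewall that logs
# inbound TCP SYNs. One source sweeps TCP/23 and TCP/2323 across four
# hosts, one touches two hosts, and one makes a single ordinary SSH connection.
SAMPLE_LOG = """\
Oct 21 13:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23 SYN
Oct 21 13:00:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=23 SYN
Oct 21 13:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=2323 SYN
Oct 21 13:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP DPT=23 SYN
Oct 21 13:00:03 fw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=22 SYN
Oct 21 13:00:04 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP DPT=23 SYN
Oct 21 13:00:04 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.21 PROTO=TCP DPT=23 SYN
"""

TELNET_PORTS = {23, 2323}   # the ports Mirai-style scanners probe
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def telnet_sweeps(log_text, min_targets=3):
    """Return {src: sorted distinct destinations} for every source that hit a
    Telnet port on at least `min_targets` different destination hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in TELNET_PORTS:
            continue  # not a parseable line, or not a Telnet probe
        targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, hosts in telnet_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept Telnet on {len(hosts)} hosts: {', '.join(hosts)}")
```

Lower `min_targets` on a quiet network; a handful of distinct targets from one source within seconds is already the signature the article describes.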

For now the botnets of IoT devices are used to launch DDoS attacks to knock down websites. As the story is still developing, we can expect that other botnets might be used for targeted data theft.

Experts noted that Mirai infected CCTV cameras, DVRs, smart TVs, cellular gateways, etc. Over 1 million devices are infected and have been turned into “bots”.

Current info (changing regularly): most infected devices are in the US, followed by Brazil and Colombia.

To further complicate things, the Mirai malware code was made public on Hackforums in early October and has lately been seen on GitHub as well. With the code out in the open, anyone can now build a scanner and create their own army of IoT devices by infecting vulnerable ones. The Mirai source code has been copied over 1000 times so far.

There is also another, similar malware (Bashlight/Bashlite) targeting the same kind of vulnerable IoT devices (it already has an army of them), but it has not yet been involved in massive attacks like those we saw over the past month.

Was this preventable? Definitely, but the Internet of Things revolution did not build on the lessons learned from past IT experience. Security best practices were not integrated into IoT innovations, mainly because, in the race for innovation and shrinking time to market, security was (incorrectly) viewed as a roadblock.

The end result is many connected objects with factory default usernames/passwords, no encryption, no authentication for two-way communication, the insecure Telnet port 23 left open, etc.

Securing such connected devices after the fact is much more complicated and costly. Take the example of the connected-car PoC hack: companies did not know how to patch because no remote patching mechanism had been designed in, so millions of cars were recalled, with patching organized via dispatched USB keys.

Although this type of IoT botnet is no surprise, the repercussions are big:

  • Key websites and Internet services were down for a number of hours
  • This could and will slow down the Internet (as millions of IoT devices will generate a lot of traffic and take over the bandwidth)
  • Currently infected IoT devices: 1 266 702 (figure increasing drastically!)
  • With new, larger and larger botnets, DDoS attacks are increasing exponentially in size. A year ago we considered 300 Gbps a large DDoS attack; at the end of 2015 it was 600 Gbps, and now, in September 2016, 1 Tbps!
  • The malware code behind these attacks has been made public by its creator. Anyone can create their own army of bots and use it for their own cybercriminal agenda
  • In 2016, 5.5 million new “Things” are getting connected each day according to Gartner. 6.4 billion connected things are expected by the end of 2016, reaching 20.8 billion by 2020. If all these devices are insecure by design, we can expect more sophisticated attacks targeting them, with more drastic impacts

Key attacks recorded with IoT DDoS botnets in the past 2 months

Yesterday’s Dyn attack was the result of Mirai-infected botnets. It was not the first attack using Mirai-infected devices: it started in September by targeting the website of Krebs (a well-known security guru), then OVH, a French web hosting company.

  • Krebsonsecurity website (a security guru’s website): attack on the 20th of September, peak reached 665 Gbps, based
  • OVH attack: OVH is a French web hosting services provider. Attack launched the week of the 19th of September. Peak reached 1 Tbps, based on 145000 IoT devices, mainly CCTV cameras, home routers, Raspberry Pis, DVRs...
  • Dyn DNS (DNS services provided to websites like Amazon, Spotify, Twitter, Reddit, etc.) suffered the same type of attack on the 21st of October, as reported by Flashpoint. Dyn confirmed the information and stated that over 10 million IPs were used to flood Dyn’s networks and traffic.

Some might ask why hackers are using IoT botnets and not the usual PC botnets. Well, you have seen the figures above: we have the potential for much larger networks, mostly insecure, easy to infect and usually always on. You turn your PC off, but a CCTV camera, a router, a fridge... these remain on, which keeps the whole botnet available for action.

What can we do about it? Are we doomed?

Mirai means “future” in Japanese... a good presage of what the future will hold for us?

Cyberattacks are here to stay; we know that sophisticated stealth attacks will increase and be an undeniable concern for all enterprises. However, some attacks, such as this one, could have been prevented, or at least their impact lessened, if all stakeholders adopted more security best practices.

What can consumers do?

  • It is possible to clean an IoT device by rebooting it (remember that IoT devices have volatile, RAM-like memory), but a vulnerable device will be re-infected within minutes because these botnet scans are running all the time.
  • Upgrade when possible
  • Set a strong password (do not keep the factory password)
  • When that is not possible, disconnect the device from the Internet and contact the vendor/manufacturer

What should manufacturers of IoT devices do?

  • Security should not be an option but the standard way of working. Security experts, if involved in the concept and design phase, will improve security and set up appropriate control mechanisms to facilitate regular security updates and improvements. Nowadays we cannot have hard-coded passwords or unencrypted communication. This is security 101.
  • We have recently seen a connected insulin pump with identified vulnerabilities where the manufacturer decided not to issue any patches.

What can ISPs do?

  • They need to set up protection against spoofing, as this is exactly what botnets do when they spoof users and issue large volumes of commands to flood the traffic
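The anti-spoofing protection an ISP applies at its customer edge is source-address validation (BCP 38 ingress filtering): a packet whose source address does not belong to the prefixes assigned behind the interface it arrived on is dropped. The code below is an added illustration, not from the article; the interface names, prefixes and packets are constructed test data.

```python
"""Source-address validation (BCP 38 ingress filtering) as applied at an ISP's
customer-facing edge. Added example, not from the article; interfaces,
prefixes and packets are constructed test data (RFC 5737 / RFC 3849 ranges)."""
import ipaddress

# Constructed: the prefixes legitimately assigned behind each customer-facing
# interface. A packet arriving on an interface with a source outside these
# prefixes is spoofed (or misrouted) and must not be forwarded upstream.
ASSIGNED = {
    "cust-eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-eth2": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("2001:db8:1::/48")],
}


def ingress_verdict(interface, src_ip):
    """Return 'forward' if src_ip lies within a prefix assigned behind
    `interface`, otherwise 'drop'. Unknown interfaces forward nothing."""
    ip = ipaddress.ip_address(src_ip)
    for net in ASSIGNED.get(interface, []):
        if ip.version == net.version and ip in net:
            return "forward"
    return "drop"


def filter_packets(packets):
    """Apply the check to (interface, source) pairs; return per-packet verdicts."""
    return [(iface, src, ingress_verdict(iface, src)) for iface, src in packets]


# Constructed sample traffic seen on the customer edge.
SAMPLE_PACKETS = [
    ("cust-eth1", "203.0.113.42"),   # legitimate customer source
    ("cust-eth1", "198.51.100.9"),   # source belongs behind a different interface
    ("cust-eth1", "192.0.2.1"),      # source outside any customer prefix (spoofed)
    ("cust-eth2", "2001:db8:1::5"),  # legitimate IPv6 customer source
    ("cust-eth2", "2001:db8:2::5"),  # spoofed IPv6 source
]

if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:9} {src:16} -> {verdict}")
```

Real routers implement this as uRPF or an ingress ACL; the decision is the same, which is why a bot behind a correctly filtered edge cannot spoof its source address at all.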

What can DNS service providers do?

  • Improve the security and protection of their services, with distributed infrastructure and smart caching to allow local DNS resolution, rate-limiting of requests, overprovisioning of machine resources, etc.

Watch out! What you see is not only what you get. Some DDoS attack methods, such as smokescreening, are used to flood your business with the DDoS while in parallel trying to steal sensitive data. Monitor, investigate and detect such pervasive and stealthy attacks.

We all need to collaborate to secure every step of the way. As cybersecurity experts, we know how hard it is to secure, protect and defend a business. We prepare for the “unknown” because we know that not all cyberattacks are preventable.


Santhosh Baswa

Security @ TikTok | Architect | PEP Holder | Speaker | Python | DFIR | Threat Hunting | OSINT | Security Automation | R&D

7 years ago

Nice article ..!!! Mirai Bot -->> Anna sepai

Neville Smith

Country Manager Malaysia, Philippines & Japan at Atos

8 years ago

Scary stuff, time for a concerted effort to get IoT secure!

Enrique Hugo K?ncke Soutto

CISM, PMP, Information Security Consultant

8 years ago

Unfortunately there are no big monies in securing things, and money rules.

Tibor Zahorecz

Staff Product Manager Data Pipeline & Data Storage

8 years ago

Hi Zeina, Congrats! Great article! As you know we (our CClab) try to figure out how we could position the Common Criteria approach for the IoT world. Not easy, as the developments come from the start-up world where MVP is the key approach, so security, even in data concentrators, is not demanded. So maybe IoT won't be using CC, but some protection profile is needed... have a great day and thanks for this warning article! I share it! Cheers, Tibor

Américo A.

CyberSecurity Business Development | Chief Security Officer (CSO) | Data Protection Officer (DPO) | Member ANPPD?

8 years ago

It seems that Brazil and Colombia will have a hard time to stop this if they do not act quickly.
