
Mike Gillespie

Mirai botnet

The Internet of Things is as vulnerable as it is diverse, writes Mike Gillespie.

Going back to 2014 and indeed beyond, security researchers and experienced practitioners such as Advent IM were warning of the danger posed by our increasing use of web-enabled devices and the vulnerabilities they present. Fast forward to today and the Internet of Things (IoT), or the Internet of Everything, is a reality, and web-enabled devices are an established part of most people’s day, one way or another. Some, of course, have embraced the idea more than others, and while not everyone feels the need for an internet-connected fridge, the public is probably more connected to their devices than ever before, and it shows no sign of abating.

But as we have seen from the recent Mirai attack that brought down several well-used platforms and websites, such as Twitter, Reddit and PayPal, our connected devices might also be pocket zombies, waiting to be called into action at a moment’s notice and with devastating effect. Looking at the Distributed Denial of Service (DDoS) attack on Twitter, Reddit et al., its massive success was due to the vast army of devices it had at its disposal. A DDoS works by bombarding a server or website with artificial requests until it basically falls over. The more connected devices you have in your army, the greater the impact. We will come on to how that works in a moment. But first we need to understand that there are tools available to facilitate this kind of attack, and the DDoS is a favourite modus operandi of criminals and hacktivists, for different reasons, of course. But the tools are available to anyone, and so the intent of any user may be clear, even if their motive may be more elusive.

For instance, a criminal may be using a DDoS to distract and divert attention away from a more serious activity elsewhere on a network, data theft for instance. A hacktivist may be trying to render a website unusable for a target they consider to be an enemy of their ideals or ethics; in other words they want disruption. A DDoS is certainly a disruption, and a highly effective one, as anyone who was trying to use PayPal or Twitter during the recent DDoS will attest.

So in a world where people have web-enabled fridges and lightbulbs, the opportunity to use this ever-increasing array of items that is the IoT is a very attractive thing for would-be DDoS-ers. The IoT has increased the attack surface of the world exponentially; we have come from a time when a household had one computer, which offered one device to a sinister botnet army, to a time where we wear, carry and use the internet all the time on an array of devices. The basic security on these items will vary hugely, but many people using them may not be securing them properly at all. Default passwords and log-ins left unchanged, poor quality passwords, dictionary word passwords – all very easily cracked. Run so-called brute force attacks against millions of devices and they can be accessed and used.

In the case of the Mirai attack (and it should be remembered that this is still ongoing and the malware is just as dangerous, having since splintered and evolved), the ‘patient zero’, or originally infected device, was a digital video recorder (DVR) from a CCTV system. It was infected with malware that opened the device up to more sophisticated and ultimately more damaging use, a bit like ammunition that makes a small entry wound and opens up on impact. If the DVR had been secured with a quality credential and password, the brute force attack that cracked its password (which, let’s face it, could have been ‘password’) may well have failed – although the attack would simply have moved on to the next device, and the next. So with millions of devices all able to individually bombard web servers with huge amounts of artificial requests, the servers naturally fell over, and when they were rebooted the attack simply started again.
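As an added illustration, not part of the original article, here is a small Python detector for the pattern described above: a burst of failed logins against a device followed by a success from the same source, which is what a brute force against a default or weak DVR password looks like from the defender's side. The log format, the hostname dvr01, the user names and the addresses are all constructed assumptions, not any real vendor's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log for a hypothetical CCTV DVR ("dvr01").
# The line format is an assumption, not a real vendor's; the addresses
# are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LOG = """\
2016-10-21T11:00:01 dvr01 login: FAILED user=root from=203.0.113.5
2016-10-21T11:00:02 dvr01 login: FAILED user=admin from=203.0.113.5
2016-10-21T11:00:03 dvr01 login: FAILED user=root from=203.0.113.5
2016-10-21T11:00:04 dvr01 login: FAILED user=admin from=203.0.113.5
2016-10-21T11:00:05 dvr01 login: FAILED user=root from=203.0.113.5
2016-10-21T11:00:06 dvr01 login: OK user=root from=203.0.113.5
2016-10-21T11:05:00 dvr01 login: FAILED user=operator from=198.51.100.7
2016-10-21T11:05:04 dvr01 login: OK user=operator from=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Alert when a source logs in successfully after at least `threshold`
    failed attempts against the same host within the sliding `window`,
    i.e. a brute force that worked. Returns (src, host, user, failures)."""
    failures = defaultdict(deque)   # (src, host) -> recent failure timestamps
    alerts = []
    for rec in parse_log(text):
        q = failures[(rec["src"], rec["host"])]
        while q and rec["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if rec["result"] == "FAILED":
            q.append(rec["ts"])
        elif len(q) >= threshold:
            alerts.append((rec["src"], rec["host"], rec["user"], len(q)))
            q.clear()
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print("brute-force success: src=%s host=%s user=%s failures=%d" % a)
```

The single operator typo at 11:05 stays below the threshold, so only the 203.0.113.5 burst is reported; a real deployment would feed the same logic from the device's syslog export.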

Mirai is interesting from a research perspective because it was not designed to simply do one thing. It was designed to have features added as time goes by. As described above, the entry point is relatively small, but the scope for proliferation of components is much greater, allowing the hackers to add more functionality and then distribute a new version – patching, basically. Its success is rooted not only in this future-proofing approach but also in its ability to exploit the vulnerabilities of the IoT, with all its poor security and unchanged default credentials.

The patient zero in this case also shows how insecure our security systems can be. We have spoken before about the need to get security disciplines talking together about how to secure organisational assets from a strategic perspective, and this highlights that need ever more urgently. Corporate networks enjoy the attention of IT security, with patching, updating and maintenance regimes to protect them. But facilities management (FM) and security systems rarely enjoy the same attention, which is why you may well find DVRs for CCTV systems that are still using default password settings long after installation and are not within the remit of IT security to patch, secure and maintain. But DVRs are only part of the problem, as the IoT is on wrists, in kitchens, in boardrooms and in pockets all over the world. It is ordering milk, changing temperatures, controlling lighting, streaming content and a myriad of other things. All of these items have the potential to help knock down a server, and when harnessed into a zombie army they can take down some of the biggest and most widely used platforms on the net.

Mirai hasn’t gone away; we are so far not sure about the additional functionality it has acquired, and it is unlikely that all infected devices have been identified and cleansed. The world needs to be aware that this will be with us for a long time: at least as long as we have the IoT, and that will not be going away any time soon.