
IoT, a Real Threat to the Internet

September 30, 2016.

We already had security-based concerns about the rampant ubiquity of new gadgets enthusiastically developed by connected object developers with the best of intentions and scant awareness of software vulnerability issues. Recent events have unfortunately proven us right.

Up until now, hackers of connected objects have tended to expose hapless users’ private lives for the whole world to see. It turns out that innocent people actually connect unsecured cameras (without even a password!) using Real Time Streaming (port 554) protocol to share their video stream. Throw in Shodan, a search bot that prowls the Internet in search of just such unsecured 554 ports, and their fate is sealed. When Shodan finds a video stream with no password, a script captures images, and the rest of the world guiltily views shots of children’s rooms, houses, garages, backyards, daycares, classrooms, offices, stores, and even grow-ops. It is thought that stealth webcams connected to the Internet number in the millions, making at least as many users dangerously unaware of the threat to their privacy and even safety.
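The exposure described above comes down to one question a camera owner can answer for each device they administer: does the RTSP service on port 554 hand out the stream description to anyone, or does it demand credentials first? The following checker is an added example, not code from the original article or from any vendor; it parses the server's reply to an RTSP `DESCRIBE` request and reports whether the stream is open, protected (and by which authentication scheme), or refused. The two replies embedded below are constructed samples, not captures from real devices.

```python
"""Classify an RTSP DESCRIBE response from a camera you administer.

Added example (not from the article). The sample responses are constructed.
An RTSP reply looks like an HTTP reply: a status line, header lines, a blank
line, then an optional SDP body describing the media streams.
"""
import re

STATUS_LINE = re.compile(r"^RTSP/(\d)\.(\d) (\d{3}) (.*)$")


def parse_rtsp_response(raw: str):
    """Return (status_code, headers) from a raw RTSP response.

    Header names are lower-cased so lookups are case-insensitive; the SDP
    body after the blank line is not needed for this check and is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = STATUS_LINE.match(lines[0])
    if not match:
        raise ValueError("not an RTSP status line: %r" % lines[0])
    status = int(match.group(3))
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray lines some firmware emits
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_describe(raw: str) -> str:
    """Classify a DESCRIBE reply sent without any Authorization header.

    "open"           -> the SDP was served to an unauthenticated client:
                        exactly the condition that lets a scanner pull frames.
    "auth-required:X" -> 401 with a WWW-Authenticate challenge of scheme X
                        (Basic sends the password in clear; Digest does not).
    "denied"         -> the server refuses the path outright.
    """
    status, headers = parse_rtsp_response(raw)
    if status == 200:
        return "open"
    if status == 401 and "www-authenticate" in headers:
        scheme = headers["www-authenticate"].split()[0].lower()
        return "auth-required:" + scheme
    if status in (403, 404):
        return "denied"
    return "unknown:%d" % status


def unprotected_devices(replies: dict) -> list:
    """Given {device_name: raw DESCRIBE reply}, list the devices serving
    their stream without credentials, sorted for stable reporting."""
    return sorted(name for name, raw in replies.items()
                  if classify_describe(raw) == "open")


# Constructed sample replies (not real device output).
OPEN_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "v=0\r\nm=video 0 RTP/AVP 96\r\n"
)
PROTECTED_REPLY = (
    "RTSP/1.0 401 Unauthorized\r\n"
    "CSeq: 2\r\n"
    'WWW-Authenticate: Digest realm="camera", nonce="constructed-nonce"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    inventory = {"garage-cam": OPEN_REPLY, "front-door-cam": PROTECTED_REPLY}
    for device, reply in inventory.items():
        print(device, "->", classify_describe(reply))
    print("needs a password:", unprotected_devices(inventory))
```

The function takes the raw reply text rather than opening sockets, so it can be run against replies you have already collected from your own inventory; a device reported as `open` is one whose owner should set a password and, where the firmware allows, disable RTSP access from the Internet entirely.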

But that’s not the worst thing: a new, even more sinister threat is now abroad. Some doomsayers had foretold this kind of attack, but until now, there was no evidence to support its feasibility. Over the last couple of weeks, two unrelated yet simultaneous incidents have shown that connected objects are now embedded in botnets of the most aggressive kind.

OVH attacked by webcams

IoT CCTV Botnet vs OVH.

OVH, one of the world’s largest Web hosts, was the victim of a massive distributed denial-of-service (DDoS) attack. A week ago, a botnet made up of 145,607 cameras targeted OVH’s network. Since each camera can generate a data stream of 1 to 30 megabits per second, the entire botnet can fire at a rate of over 1.5 terabits per second (10^12 bit/s). On September 20, OVH experienced an attack of 990 gigabits per second, a world record at the time. One week later, on Monday, OVH noted that 6,857 new cameras had been added to the botnet. Happily, the Web host giant’s infrastructure withstood the attack.

For the record, the infamous DDoS attack launched in 2000 by Montrealer Michael Calce, alias Mafiaboy, which crippled Yahoo’s servers, amounted to less than 1 gigabit per second. The 2013 attack against Spamhaus, historic at the time, was just 300 gigabits per second.

KrebsOnSecurity Silenced by IoT

Brian Krebs.

Brian Krebs is a respected cybercrime journalist. His blog, KrebsOnSecurity, is read the world over by IT security buffs. On September 20, and over the next few days, Krebs’ Web site was the target of a sustained DDoS attack, peaking at 620 gigabits per second. The digital attack was probably an act of reprisal for Krebs’ publication of several articles on vDOS, a DDoS service set up by two Israeli youths. Despite the violence of the attack, Krebs’ blog remained accessible thanks to the generosity of Akamai Technologies, which had been providing Krebs with free DDoS protection for years.

After several hours of a stalwart defence, Akamai had to inform Krebs that, due to mounting costs, it would be forced to end its protection of KrebsOnSecurity.com within two hours. Faced with the choice of unplugging his server or seeing the attack, which was being absorbed by Akamai, redirected to his own server, Krebs pulled the plug and requested a redirect. Denial of Service proved to be an effective censorship tool: KrebsOnSecurity dropped off the Web.

As was the case for the OVH attack, the Internet of Things was quickly singled out. Indeed, some of the attack agents were actually connected objects. In August, Sucuri detected a joint attack of 47,071 IP addresses whose agents were connected cameras (IoT CCTV Botnet), domestic routers (IoT Home Routers Botnet, mostly, but not exclusively, Huawei routers…) and compromised Web servers (possibly a WordPress Botnet). The attack against KrebsOnSecurity was nearly identical: webcams, routers and digital video recorders (DVR). 2016 will go down in history as the year of unprecedented joint attacks launched by multiplatform botnets rooted partly or entirely in the Internet of Things and controlled by a single operator.

Symantec has already catalogued a score of malware families targeting Linux-based IoT systems and cross-compiled for a variety of architectures: x86, ARM, MIPS, MIPSEL, PowerPC, SuperH, SPARC, etc. Linux itself has said that it doesn’t take much skill to manipulate connected objects, due to flawed design. Their design is so poor, in fact, that they are wide open to the clumsiest large-scale attacks. Two-bit hackers (and soon “script kiddies”) can easily overwhelm powerful servers and quash freedom of expression. The democratization of censorship is coming.

In the end, KrebsOnSecurity came back on-line on September 25 thanks to the support of one of the few companies with the financial and technical wherewithal to fend off such wholesale attacks: Google (Project Shield). But unless you’re Brian Krebs, don’t count on free protection from a large company in case of attack… The rest of us (authors, journalists, bloggers, etc.) fork over up to $200,000 per year to Akamai and others to protect our blogs.

Internet of Junk

Internet of Broken Things.

The Internet of Things has morphed into the Internet of Junk (IoJ), a giant mass of objects riddled with security flaws that are never monitored or updated and are ripe for recruitment by crime networks. And the more objects are connected, the greater the potential scale of the attacks, to the point where the entire Internet could be taken down.

In the not-too-distant future, your fridge will do cryptocurrency mining, your toaster will send spam, your vacuum cleaner will spread viruses and your television will launch Denial-of-Service attacks. You’ll notice Netflix and YouTube running slowly, but you’ll blame it on your Internet service provider.

Last year, in an attempt to address the issue, the industry created the IoT Security Foundation, dedicated to the sharing of knowledge and best practices. This development, though welcome, may not be sufficient. Currently, as we have seen, anyone can sell unsecured or flawed connected objects, and consumer protection is weak or non-existent in most countries. Brian Krebs concluded, “I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.”