The Terminator movies series may have jumped the shark with multiple ill-conceived sequels after the nearly flawless second movie, Terminator 2: Judgment Day, but for a sci-fi concept it actually wasn’t so far-fetched or futuristic. There really is a robot army that being used to attack us, and it exists today.
No, there is no Skynet, a super-intelligent AI hivemind bent on the destruction of all mankind and its replacement with superior robots. But there is a veritable army of “bots” out there that crafty hackers are using to perpetrate DDoS attacks. And some of them are probably sitting right next to you, in your own home.
In an attempt to make every appliance and device in our homes more convenient, effective and efficient, today’s device manufacturers are making them all smarter and more connected. This desire to network connect all of the things has a name, the Internet of Things (IoT), and while it has made it possible to adjust the A/C and check the doneness of a roast in the oven – all without leaving your couch – it’s also doing something else – creating massive cybersecurity vulnerabilities.
In their recent Threat Intelligence Report, NETSCOUT discusses how new IoT devices are attacked within minutes of being connected, and how these devices are being recruited for DDoS attacks. To learn more about why these devices are susceptible to attack and why they’re a convenient tool for bringing down networks as part of a coordinated DDoS attack, we recently sat down with Gary Sockrider, the Director of Security Technology at NETSCOUT.
Here is what he had to say:
GovCybersecurityHub (GCH): How has the emergence of IoT and IIoT devices impacted the DDoS attack threat landscape?
Gary Sockrider: These IoT devices have contributed to the DDoS threat in a number of ways. First, the inherent lack of basic security makes them even more vulnerable than the type of hosts that were commonly compromised in the past.
In the early days of DoS, most bots were compromised servers in data centers. These targets were chosen for their high processing capacity and relatively high bandwidth Internet access. As broadband connectivity spread across the globe and became common even for small business and consumers, this dynamic started to change. In parallel with the spread of broadband, workstations and PCs grew in capacity as well. This led to the large-scale botnets used for modern DDoS attacks.
Even before IoT, botnets could already grow quite large with tens of thousands of hosts directing traffic at a victim simultaneously. Today’s IoT botnets are scaling exponentially to hundreds of thousands of compromised hosts.
GCH: Why are these devices susceptible to being manipulated and utilized in cyberattacks and DDoS attacks?
Gary Sockrider: Before IoT, hackers would scan the Internet for a vulnerable host that they could compromise due to lax security – weak passwords, unnecessary services enabled, unpatched and otherwise neglected systems.
While the aforementioned are vulnerabilities of IoT devices, they tend to have a much weaker security posture for several reasons. First, IoT devices are often far less secure right out of the box. Many use default, weak or even no password. Many have unnecessary services running and rely on older, non-secure protocols like HTTP, Telnet, and FTP. Ease of deployment is paramount and services like SSDP for UPnP are enabled by default.
Unlike typical servers and workstations, they often have no built-in firewall capabilities. Most do not offer any automated patching, and rarely do they have a direct user interface, instead relying on apps and services or autoconfiguration. Further, most IoT devices are sold with very low margins and manufacturers have little incentive to patch or otherwise enhance security on devices already deployed – of which there are already billions.
GCH: Are DDoS attacks that utilize an army of IoT devices similar to combat as any other DDoS attack? Do they pose any additional challenges?
Gary Sockrider: For the most part, IoT based DDoS attacks are not being used to create new or unique DDoS attack vectors. The main difference is the ease with which they are compromised and the sheer volume.
Those two factors allow malicious actors to create botnets faster, replace remediated or blocked hosts instantly and provide significantly more attack capacity for large scale or concurrent attacks originating from a single botnet.
GCH: How big of an ecosystem of devices are we talking about? Can virtually any IoT and IIoT device be utilized in a DDoS attack?
Gary Sockrider: We’re talking about a massive ecosystem that is exponentially larger than what we had in the past. One of the first botnets created based on the now infamous Mirai source code quickly grew to around half a million compromised hosts.
GCH: Are manufacturers doing anything to make their devices any more secure or difficult to exploit? What are they doing – if anything – to prevent this?
Gary Sockrider: There are some early indications that some manufacturers are starting to take IoT security more seriously. The industry is starting to form some consensus around minimum acceptable security practices. The National Institute for Standards and Technology (NIST) in the United States has created a framework for IoT cybersecurity. Organizations such as the Open Connectivity Foundation have created security specifications for IoT devices. However, most IoT manufacturers have been slow to change and adopt these recommendations due to pressure to keep up with competitors and extremely thin margins.
Organizations and countries are beginning to fight back with standards such as OWASP Internet of Things Project and European Telecommunications Standards Institute specification TSS 103 645, as well as laws such as California’s Senate Bill 327, which bans the use of default passwords in consumer IoT devices beginning in 2020. But while these protections lead IoT security in the right direction, they do not apply to millions of legacy IoT devices. Moreover, several of the requirements are open to interpretation.
With that in mind, we expect to see a continued rise in new exploits, older exploits, and hard-coded credentials used to grow IoT botnets in 2020. Mirai and its variants will retain dominance in the IoT malware landscape, although a handful of unique non-Mirai-based IoT malware will gain ground.
GCH: Do you have any examples of DDoS attacks that we perpetrated this way?
Gary Sockrider: The Mirai botnet was first found in August 2016 by MalwareMustDie,a white hat malware research group, and has been used in some of the largest and most disruptive DDoS attacks, including the September 2016 attack on Brian Krebs’ web site, an attack on French web host, OVH, and the October 2016 Dyn cyberattack.
Those attacks are just a few of the early attacks that leveraged Mirai to build massive IoT botnets and direct them to great affect at their victims. Over the last few years, since Mirai hit the scene, we’ve seen an explosion in the number of variants of this malware in the wild.
NETSCOUT honeypots have been collecting data on IoT and Mirai for years now and we know that new IoT devices can be scanned by Mirai and its many variants within as little as 60 seconds after going online. Botmasters are weaponizing everything from smartphones to smart homes to Apple software.
It can take as little as five days from new attack vector discovery to weaponization, widening access to fast, efficient tools for anybody with an axe to grind. IoT devices are under attack five minutes after they are powered up and are targeted by specific exploits within 24 hours.
For additional information about the rapidly evolving and increasingly complex nature of DDoS attacks, fill out the form below to download a complimentary copy of the NETSCOUT Threat Intelligence Report.