The Internet of Things is no longer a futurist endeavor but a mega market that is driving businesses into markets never thought of before. The IoT market is expected to reach 2995.2 billion by 2022 according to Scalar Market Research, and Gartner Research has estimated that by 2020, 50 billion connected things will be on the internet. This is the fuse that has been lit, and manufacturers are racing to be the first to market. With all the excitement and promise, the market has overlooked the potential for a bomb.
Everything from smart refrigerators, dishwashers, personal assistants (like Amazon Echo and Google Home), wirelessly controlled window shades, thermostats, doorbells, televisions, video cameras, HVAC systems, lighting, wearable fitness devices, cars and more contains sensors sending and receiving information. The drawback is that these devices have not been created with security in mind. Not only can they be hacked easily to cause damage or physical harm, they are also being weaponized as bots to launch Denial of Service attacks against a variety of companies and organizations, with serious consequences. Before governmental regulators step in, the industry should police itself by building security into all Internet-facing devices and adding an end of life for each device so that it stops working after it is discarded in a landfill. Manufacturers should take responsibility for the entire lifecycle of any device they create, right up to recycling once those devices are no longer needed.
The 3 Plagues of IoT
The three plagues of IoT are the Mirai, Hajime and now Persirai codes. It all started with the Mirai code, which was used to leverage IoT devices into bot armies that launched the biggest Distributed Denial-of-Service (DDoS) attacks ever seen in 2016. The first attack was launched against the website of investigative reporter Brian Krebs in September of 2016, next came the Dyn attack in October of 2016, followed soon after by the Deutsche Telekom attack in November. With the release of the Mirai source code, hackers had the foundation to transform the original code and create new menaces like the Hajime code and now Persirai. All of them leverage IoT devices to launch DDoS attacks in new and ingenious ways.
The latest Hajime code is similar to Mirai in that it uses Telnet (port 23) to execute a brute force attack against default passwords. However, instead of using a command and control server, it takes a different approach to spreading: it uses BitTorrent's DHT (Distributed Hash Table) protocol for peer discovery and the uTorrent Transport Protocol (uTP) for data exchange, making it more difficult for service providers to filter out the traffic. Persirai converts IP cameras into a botnet by gaining access to the camera's web interface via TCP port 81.
This year, Linux-based IoT (Internet of Things) botnets were the most popular, but they are being surpassed by Windows-based botnets, whose share grew from 25% to 60% in the first quarter of 2017 according to Kaspersky Lab. 43 percent of organizations report an average revenue loss of at least $250,000 per hour, with 51 percent taking at least three hours to detect an attack and 40 percent taking at least three hours to respond. In total, a DDoS attack can cost an organization on average more than 2.5 million in revenue according to Neustar Research.
One Way to Create a Kill Chain
Preparing to battle these DDoS attacks could be as simple as employing Best Current Practice 38 (BCP 38) put forth by the Internet Engineering Task Force (IETF). The best practice recommends that service providers not forward any packet whose source address lies outside the address space assigned to the network it arrived from. This is known as Source Address Validation.
Source Address Validation prevents someone from lying about who they are (spoofing) when sending data over the Internet. By forging a different source IP address, the sender causes any return traffic to go to the spoofed address instead of back to the real origin. This makes it easy for hackers to send a lot of traffic somewhere without anyone knowing where it came from. For cybercriminals using botnets, spoofing becomes a powerful tool that allows them to launch attacks without their bots being identified. Employing Source Address Validation alone could go far in defusing many a DDoS attack.
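As an added illustration (not code from the original article), the ingress filter that BCP 38 describes, modelled in Python: a packet is forwarded only when its source address belongs to the prefixes assigned to the interface it arrived on. Interface names, prefixes and packets are constructed sample values.

```python
# Added example (not from the original article): a minimal model of a BCP 38
# ingress filter. A packet arriving on a customer-facing interface is forwarded
# only if its source address lies inside a prefix assigned to that interface.
import ipaddress

# Hypothetical assignment table: interface name -> prefixes delegated to it.
# The prefixes are constructed sample values, not real customer allocations.
ASSIGNED_PREFIXES = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:1::/48"],
}

def build_filter(table):
    """Parse the prefix strings once so each per-packet lookup is cheap."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}

def source_is_valid(filt, iface, src):
    """True if 'src' arriving on 'iface' is inside that interface's assigned
    space. Unknown interfaces and unparsable addresses are rejected, the safe
    default for an ingress filter; an IPv4 address never matches a v6 prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in filt.get(iface, []))

def apply_bcp38(filt, packets):
    """packets: list of (iface, src, dst). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if source_is_valid(filt, iface, src) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped

# Constructed sample traffic. Packets 3 and 4 carry source addresses the
# ingress interface was never assigned (another customer's block and the
# intended victim's address); packet 5 is just outside the /25.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),
    ("cust-b", "2001:db8:1::42", "2001:db8:ffff::1"),
    ("cust-a", "198.51.100.9", "192.0.2.10"),
    ("cust-b", "192.0.2.10", "203.0.113.7"),
    ("cust-b", "198.51.100.200", "192.0.2.10"),
]

if __name__ == "__main__":
    fwd, drop = apply_bcp38(build_filter(ASSIGNED_PREFIXES), SAMPLE_PACKETS)
    for pkt in drop:
        print("DROP", pkt)
```

On a real router the same check is done per interface in hardware (for example unicast RPF in strict mode), but the decision rule is exactly the one the function encodes.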
Defending the IoT Device through A Least Privilege Policy Approach
Even with Best Current Practice 38 and built-in security, there could still be incidents where IoT devices are taken over by outside cyber criminals. Another layer of security would be to employ a least privilege policy for IoT devices.
IoT devices are purpose built, with a narrow set of features and functions and a limited number of domains, devices and protocols with which they communicate. Organizations should define the IP addresses and layer 4 application traffic profiles their IoT devices use to perform their defined task. With this knowledge, Network Traffic Analysis technologies can monitor traffic to and from IoT devices and alert IT teams if they send or receive any traffic that falls outside the least privilege policy. This requires some up-front effort, but it becomes a strong and proactive way of understanding when IoT devices have been compromised and whether they are being used by cybercriminals for nefarious activities. A least privilege policy approach to IoT device deployment is the best way to reduce risk. Monitoring traffic patterns, and alerting when communications occur that fall outside of least privilege, is the most effective means for IT to keep track of their IoT devices.
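An added example, not from the article or any vendor product, of the least privilege policy described above applied to flow records: each device carries an allow-list of peer network, protocol and layer 4 port, and any flow it originates outside that list is reported. The device addresses, allow-lists and flows are constructed sample values, and the Flow record is a simplified stand-in for a NetFlow or IPFIX record.

```python
# Added example (not from the original article or any vendor product): a least
# privilege traffic policy for purpose-built IoT devices, audited against flow
# records. Each device gets an allow-list of (peer network, protocol, port).
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str      # source IP of the flow
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination (service) port

# Hypothetical policy; all addresses are constructed sample values.
POLICY = {
    "10.20.0.15": [  # IP camera: streams to the NVR, syncs time with local NTP
        ("10.20.0.5/32", "tcp", 554),
        ("10.20.0.2/32", "udp", 123),
    ],
    "10.20.0.16": [  # thermostat: vendor cloud over HTTPS, local DNS only
        ("203.0.113.0/24", "tcp", 443),
        ("10.20.0.2/32", "udp", 53),
    ],
}

def compile_policy(policy):
    return {dev: [(ipaddress.ip_network(n), p, port) for n, p, port in rules]
            for dev, rules in policy.items()}

def is_permitted(compiled, flow):
    """True/False for a flow from a managed device; None for unknown sources,
    so the caller can treat those separately (e.g. as an inventory gap)."""
    rules = compiled.get(flow.src)
    if rules is None:
        return None
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.proto == p and flow.dport == port
               for net, p, port in rules)

def audit(compiled, flows):
    """Return the out-of-policy flows, i.e. the ones worth an alert."""
    return [f for f in flows if is_permitted(compiled, f) is False]

# Constructed flow records. The last two are what a compromised camera looks
# like: a Telnet connection to a neighbour and DNS traffic to an outside host.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.20.0.5", "tcp", 554),
    Flow("10.20.0.16", "203.0.113.44", "tcp", 443),
    Flow("10.20.0.15", "10.20.0.77", "tcp", 23),
    Flow("10.20.0.15", "192.0.2.9", "udp", 53),
]
```

Calling audit(compile_policy(POLICY), SAMPLE_FLOWS) returns the last two flows, the ones the camera was never provisioned to produce; flows from a source not in the policy come back as None from is_permitted and deserve their own inventory alert.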
About the Author:
Michael Patterson is CEO of Plixer International. Michael worked in technical support and product training at Cabletron Systems while he finished his Master's in Computer Information Systems from Southern New Hampshire University. He joined Professional Services for a year before he left the Tron in 1998 to start Somix, which eventually became Plixer International.