Cybercriminal networks are increasingly taking advantage of lax Internet of Things device security to spread malware and create zombie networks, or botnets, unbeknownst to their device owners.
When lax security becomes a huge problem
Symantec’s Security Response team has discovered that cybercriminals are hijacking home networks and everyday consumer connected devices to help carry out DDoS attacks on more profitable targets, usually large companies. To succeed, they need cheap bandwidth and get it by stitching together a large web of consumer devices that are easy to infect because they lack sophisticated security. IoT devices are a prime target, since they are designed to be plugged in and forgotten after basic set-up.
“The results of the survey are unsurprising, and something security experts have been talking about for a while. IoT devices are proliferating at an incredible rate, many of them delivered by companies with little experience in hardening devices against attack. As a result, they’re falling victim to simple attacks that rely on very poor security in the device. It’s like security groundhog day – we’re going to have to re-learn all the lessons of the last decade and apply them to a new class of device, quickly. If we don’t, we’re going to be presenting hackers with oceanic quantities of free computing resource ready to be used for anything from spam email services to massive DDoS attacks against critical infrastructure,” Geoff Webb, Vice President of Solution Strategy, Micro Focus, told Help Net Security.
Top 10 brute-force usernames and passwords used against IoT devices
The most common credentials IoT malware used when attempting to log into devices were, unsurprisingly, the combination of ‘root’ and ‘admin’, indicating that default passwords are frequently never changed.
More than half of all IoT attacks originate from China and the U.S., based on the location of the IP addresses used to launch the malware attacks. High numbers of attacks also emanate from Germany, the Netherlands, Russia, Ukraine and Vietnam. In some cases, these IP addresses may be proxies used by attackers to hide their true location.
Why criminals love IoT devices
Most IoT malware targets non-PC embedded devices such as web servers, routers, modems, NAS devices, CCTV systems, and industrial control systems. Many are Internet-accessible but, because of their operating system and processing power limitations, they may not include any advanced security features.
As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.
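Detection logic for the default-credential guessing described above, run over sample device log lines, as an added example (not code from Symantec, Arbor or Help Net Security). The syslog line format, the device name and the source IPs are constructed for the example, and the default usernames beyond ‘root’ and ‘admin’ are an assumption; a source that fires many failed logins in a short window using only factory-default names is flagged, while slow or non-default attempts are left to ordinary brute-force rules.

```python
import re
from collections import defaultdict
from datetime import datetime

# 'root' and 'admin' are the names the article reports; the rest are assumed defaults.
DEFAULT_USERNAMES = {"root", "admin", "user", "guest", "support"}

# Constructed syslog format (assumption), loosely modelled on a BusyBox-style login daemon.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: login failed for user "
    r"'(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

def parse_failures(lines):
    """Yield (timestamp, username, source_ip) for every failed-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["src"]

def find_default_credential_bruteforce(lines, threshold=4, window_s=60):
    """Return {source_ip: sorted usernames} for sources with at least `threshold`
    failed logins inside `window_s` seconds that used only default usernames."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(lines):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # sliding window: all events within window_s of events[i]
            window = [u for ts, u in events[i:] if (ts - start).total_seconds() <= window_s]
            if len(window) >= threshold and set(window) <= DEFAULT_USERNAMES:
                flagged[src] = sorted(set(window))
                break
    return flagged

# Constructed sample: a fast root/admin scanner, a slow scanner, and a mistyped real account.
SAMPLE_LOG = [
    "Jan 10 03:14:01 cam01 login[412]: login failed for user 'root' from 203.0.113.7",
    "Jan 10 03:14:03 cam01 login[412]: login failed for user 'admin' from 203.0.113.7",
    "Jan 10 03:14:05 cam01 login[412]: login failed for user 'root' from 203.0.113.7",
    "Jan 10 03:14:08 cam01 login[412]: login failed for user 'admin' from 203.0.113.7",
    "Jan 10 03:20:00 cam01 login[412]: login failed for user 'root' from 203.0.113.9",
    "Jan 10 03:25:00 cam01 login[412]: login failed for user 'admin' from 203.0.113.9",
    "Jan 10 03:31:00 cam01 login[412]: login failed for user 'root' from 203.0.113.9",
    "Jan 10 03:40:00 cam01 login[412]: login failed for user 'admin' from 203.0.113.9",
    "Jan 10 04:00:00 cam01 login[412]: login failed for user 'alice' from 198.51.100.4",
    "Jan 10 04:00:02 cam01 login[412]: login failed for user 'alice' from 198.51.100.4",
]
```

Only 203.0.113.7 is flagged with the defaults; widening `window_s` to ten minutes and lowering `threshold` to 2 also catches the slow scanner but still not the mistyped real account.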
Matthew Bing, Research Analyst at Arbor Networks, explains why home IoT devices are ideal DDoS bots:
1. They typically run an embedded or stripped-down version of the familiar Linux operating system. Malware can easily be compiled for the target architecture, mostly ARM/MIPS/x86.
2. If they are Internet-accessible, they most likely have total access to the Internet without any bandwidth limitations or filtering.
3. The stripped-down operating system and processing power in most IoT devices leaves less room for security features, including auditing, and most compromises go unnoticed by the owners.
4. In order to save engineering time, manufacturers of IoT devices sometimes re-use portions of hardware and software in different classes of devices. As a product of this software re-use, the default passwords used to initially manage the device may be shared across entirely different classes of devices.
“One of the more popular DDoS botnets targeting IoT devices is LizardStresser, which is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal research into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets. Arbor’s ASERT team has observed LizardStresser C2s issue attack commands to IoT devices and a resultant DDoS attack upwards of 400Gbps without using reflection/amplification, a notable feat fueled by an arcane piece of information,” said Bing.
2015 was a record year for IoT attacks, with plenty of speculation about possible hijacking of home automation and home security devices. However, attacks to date have shown that attackers tend to be less interested in the victim itself; the majority simply wish to hijack the device and add it to a botnet, most of which are used to perform DDoS attacks.
Attacks originating from multiple IoT platforms simultaneously may be seen more often in the future, as the number of embedded devices connected to the Internet rises.
“The solution is to focus on incenting manufacturers to apply good security from day one – such as not hardcoding in passwords for example – and it’s probably something that the government needs to take on. In the same way we have consumer standards for things like safety and quality, we probably need to start thinking about governmentally-enforced standards for device security. Otherwise, the IoT could become a disaster for both individual privacy and, potentially, national security,” concluded Webb.