The Curse of IoT: The World Wide Web Can Outlast a Nuclear War … but fails at Smart Toasters

The Internet of Things (IoT) began to conquer the world with… a toaster. At a conference in 1990, US software and network expert John Romkey, together with Australian computer scientist Simon Hackett, connected a toaster to the Internet. The result? The device could be switched on and off remotely.

Today, the variety of IoT devices connected to the Internet via networks or cloud-based platforms ranges from wearables such as smartwatches to RFID inventory chips – and of course, a few smart toasters…

The close interconnection between the physical and the digital world makes everyday life more comfortable. We enjoy being greeted in the morning by a fragrant cup of coffee, prepared just in time by our smart coffee machine, being reminded by our equally smart refrigerator that it’s time to restock, and being shown how to avoid the worst traffic jams on the way to work thanks to intelligent navigation systems.

In the business world, the Industrial Internet of Things (IIoT) helps companies understand consumer needs in real time, improve machine and system quality during operation, and streamline supply chains. In other words, the IoT is the perfect network of technologies for a pleasant and successful life, as seen in many advertising clips. Or is it?

IoT devices – perfect hosts for bots

Well, not entirely. Unfortunately, there’s quite a catch: cyber-criminals can easily exploit IoT devices to penetrate systems. Far too often, these products have low security standards, are left permanently on and online, are rarely monitored and are often poorly maintained. The clandestine takeover of an IoT device begins with the exploitation of a vulnerability: the attacker takes control of the system, and from then on the device acts like a robot, a “bot”. The hijacked devices are usually controlled via command-and-control servers (C&C servers). The attackers who control the newly created botnet are called botmasters or bot herders.

The first IoT botnet was discovered in 2009. With increasing digitalization, the number of botnets and attacks also grew significantly. A series of attacks by the Linux malware “Mirai” in the fall of 2016 became particularly well-known, most notably the attack against the DNS provider Dyn on October 21st: Dyn’s DNS infrastructure and the services depending on it, among them Twitter, Reddit, GitHub, Amazon, Netflix, Spotify and Airbnb, were temporarily paralyzed, and Dyn lost eight percent of its managed service business as a result. Since then, the number of discovered botnets has grown exponentially.


How a harmless device can become a bot

There are several infection vectors for a bot or botnet:

  • Via hardcoded credentials
  • Via public exploits as well as zero-day exploits against IoT devices: remote code execution, authentication bypass, privilege escalation, etc. In these cases, vulnerabilities introduced during firmware development are exploited. With a so-called zero-day exploit, this happens before a patch/fix is available.
  • Via misconfigurations

What do bot herders want to achieve?

  • Distributed Denial of Service (DDoS), a deliberately induced overload of the network. Since the requests in this type of attack come from a great variety of sources, it is difficult to block the attacker without completely cutting off communication with the network.
  • Permanent Denial of Service (PDoS), also called “phlashing”. It causes such severe damage to the system that the hardware must be replaced. PDoS targets the hardware itself; it can be carried out much faster than a DDoS and requires only a few resources.
  • Fraudulent use of the IoT device, for example turning it into a proxy server, using it for crypto mining or for sending spam mails, …
  • Data theft
  • Network monitoring
  • Protecting the hijacked IoT devices against further infection by rival “colleagues”; in at least a few isolated cases, white-hat hackers have identified malware that was planted for exactly this purpose.

The Evolution of the IoT Ecosystem

Around the year 2000, the Internet of Things began to take shape. Initially, it was primarily used in the business world, for instance for tracking and tracing goods equipped with RFID tags. In the meantime, it has also become part of our private lives: IoT has developed from architectures based on passive devices into a smart, dynamically growing ecosystem. However, it has also grown to become both more successful and more vulnerable, and attacks now have a much greater impact.

In the mid-2000s, IoT devices could only be attacked directly over an Internet connection and therefore only in isolation; the increasing interconnection of devices has since created a much greater risk potential. While Universal Plug and Play (UPnP) simplifies the connection and control of network-capable devices from different manufacturers, it also opens up new paths for cybercriminals: for example, malware that has infected a computer can use UPnP to render the firewall of a UPnP-capable router ineffective.

Thanks to powerful cloud technology and the ability to control IoT applications from mobile devices, the number of practical tools assisting us in everyday life has increased drastically. With it, the potential impact of malware that enters the private IoT network via the cloud has also increased, for example through pushed software updates. A single vulnerability in the cloud can be used to attack a myriad of devices, as the hijacking of more than 50,000 baby cams in 2018 demonstrated.


IoT Inspector for secure firmware

This is why manufacturers of IoT devices in this booming industry must be particularly careful. The Chinese OEM Xiongmai supplies more than nine million of its IoT devices to more than 100 vendors of surveillance cameras, digital video recorders, and network video recorders worldwide. In 2018, experts of the SEC Consult Vulnerability Lab examined devices from Xiongmai and discovered a security vulnerability using IoT Inspector, a platform for automated security analysis. The vulnerable cloud feature “XMEye P2P Cloud” was active by default and therefore opened a door to attackers on millions of devices.

This example demonstrates how important the further development and consistent application of IoT security standards are, and that producers of IoT devices must be held accountable for complying with these norms. The Compliance Checker, a feature of IoT Inspector, offers IoT device providers the possibility to test whether the products they want to distribute breach existing security requirements.

“IoT botnets: The Next Generation” – are they just around the corner?

With increasing digitalization, millions of devices can be reached through just one vulnerable IoT cloud. Command-and-control communication can be hidden inside regular cloud communication protocols, giving bot herders a convenient way to bypass network access control – and ultimately allowing them to enter millions of private networks.

Becoming part of a botnet is not an unavoidable cruel fate, because even the cleverest cybercriminals can’t do magic. They take advantage of the limited IT knowledge and carelessness of many users, and of the thriftiness of some manufacturers when it comes to implementing IoT security. Protecting oneself from a bot infection is not witchcraft: simply apply the same measures we take to protect our devices against other IT threats.

Checklist: Are your IoT devices safe?

1) Do you know the current security status of your IoT devices?
Take stock of and analyze the firmware of your existing IoT devices.

2) Do you evaluate the security of IoT devices before adding them to your network?
Analyze the firmware of your IoT devices during the procurement process.

3) How do you protect yourself from emerging IoT threats?
Monitor the firmware of your IoT devices for vulnerabilities.

4) How does your process scale with the exponentially growing number of IoT devices in your network?
Scalability and automation of the firmware security analysis of IoT devices are crucial.
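Checklist items 1 and 2 ask you to analyze the firmware of your IoT devices, and the infection vectors listed above name hardcoded credentials and misconfigurations as the most common entry points. The following script is an added example, written for this page and not part of IoT Inspector or any product mentioned here, showing what a minimal automated check over an unpacked firmware root filesystem looks like: it flags accounts in `passwd`/`shadow` files that carry a literal password hash or no password at all, configuration keys that hold literal credentials, a telnet daemon launched from `inittab`, and a UPnP toggle. The file name `vendor.conf`, the key `upnp_enable`, the credential-key patterns and the whole sample firmware tree are constructed assumptions for the demonstration, not values from any real device.

```python
import re
import tempfile
from pathlib import Path

# Configuration keys that commonly carry literal credentials (assumed patterns, not taken
# from the page). A trailing "\S+" requires a non-empty value after "=" or ":".
CREDENTIAL_KEY_RE = re.compile(
    r"^\s*\w*(?:password|passwd|pwd|secret)\s*[=:]\s*(\S+)", re.IGNORECASE
)

# Service settings that widen the attack surface. Both are constructed examples:
# a telnet daemon respawned from inittab and a UPnP toggle in an assumed vendor config key.
RISKY_SETTINGS = [
    (re.compile(r"telnetd"), "telnet service started at boot"),
    (re.compile(r"^\s*upnp_enable\s*=\s*1", re.IGNORECASE | re.MULTILINE), "UPnP enabled by default"),
]


def scan_password_db(path: Path):
    """Flag accounts in a passwd/shadow file with an empty or literal (hardcoded) password hash."""
    findings = []
    for line in path.read_text(errors="replace").splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        user, hash_field = parts[0], parts[1]
        if hash_field == "":
            # No password at all: anyone can log in as this user.
            findings.append({"type": "empty-password", "file": str(path), "detail": user})
        elif hash_field == "x" or hash_field.startswith(("!", "*")):
            # "x" defers to /etc/shadow; "!" and "*" mark a locked account.
            continue
        else:
            # A literal hash shipped in the image is a hardcoded credential.
            findings.append({"type": "hardcoded-credential", "file": str(path), "detail": user})
    return findings


def scan_config_file(path: Path):
    """Flag literal credential values and risky service settings in a text config file."""
    findings = []
    text = path.read_text(errors="replace")
    for line in text.splitlines():
        if CREDENTIAL_KEY_RE.match(line):
            findings.append({"type": "hardcoded-credential", "file": str(path), "detail": line.strip()})
    for pattern, description in RISKY_SETTINGS:
        if pattern.search(text):
            findings.append({"type": "risky-setting", "file": str(path), "detail": description})
    return findings


def scan_firmware_root(root: Path):
    """Walk an unpacked firmware filesystem and collect findings from every relevant file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name in ("passwd", "shadow"):
            findings.extend(scan_password_db(path))
        elif path.suffix in (".conf", ".cfg", ".ini") or path.name == "inittab":
            findings.extend(scan_config_file(path))
    return findings


def build_sample_firmware() -> Path:
    """Create a small constructed firmware tree in a temp directory (not a real image)."""
    root = Path(tempfile.mkdtemp(prefix="fw-"))
    etc = root / "etc"
    etc.mkdir()
    # root ships with a literal hash, admin has no password, daemon is locked.
    (etc / "passwd").write_text(
        "root:$1$constructedsalt$constructedhashvalue:0:0:root:/:/bin/sh\n"
        "admin::1000:1000:admin:/home/admin:/bin/sh\n"
        "daemon:*:2:2:daemon:/sbin:/bin/false\n"
    )
    # Telnet login respawned at boot, a classic IoT misconfiguration.
    (etc / "inittab").write_text(
        "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/login\n"
    )
    # Assumed vendor config file and keys (constructed for this example).
    (etc / "vendor.conf").write_text("upnp_enable=1\ncloud_password=ChangeMe123\n")
    return root


if __name__ == "__main__":
    for finding in scan_firmware_root(build_sample_firmware()):
        print(f"{finding['type']:22} {finding['file']}: {finding['detail']}")
```

On the constructed tree the scan reports five findings: the `root` hash and the `cloud_password` key as hardcoded credentials, `admin` as an empty password, and the telnet daemon and the UPnP toggle as risky settings. On a real image you would point `scan_firmware_root` at the extracted root filesystem and extend the key and service patterns to the vendor's actual configuration format.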

To learn more about how you can protect your network against attacks through IoT devices, please get in touch.