Connectivity is at its peak these days with evolution of wearables and innovations in appliances almost each house is becoming a smart home. Many houses have been converted to smart homes with smart networking and centralized control.
Somewhere this evolution has made things easier for people but at the same time, this has made people more vulnerable towards cybercrime. The reason we say this is because a lot of these manufactured IoT devices cannot be fully secured, unlike a secure computer device with various security measures.
It also doesn’t make sense for people to invest heftily into an enterprise like security for their home devices, somewhere it does make sense but hey that’s not everyone is willing to do!
This weak security link makes the devices vulnerable and prone to be used for attacks and cybercrimes specifically mentioning DDoS attacks.
The IoT Attack Lifecycle
Let’s check how the IoT attack lifecycle works, The lifecycle is comprised of eight stages and depicted in the below diagram:
Impact Lateral Command Information Movement & Control Collection
- Initial Access:
As the name suggests, this is the first stage in the IoT attack lifecycle. At this stage, the attack leverages the network scanning method to first locate IP addresses of vulnerable devices using fast port scanning tools, such as nmap or Masscan, to scan the internet.
At this stage, the attack executes payloads or commands in the vulnerable device. In order to do this, it either gets access to the shell of the device’s operating system directly or injects the device with commands. When shell commands are executed, a malicious executable file (such as the ELF binary or the shell script) gets downloaded, the executable permission to the payload file gets assigned, and the payload gets executed.
In stage three, the executed malware payload shows persistence on the device. The malware can show persistence by killing the watchdog process to avoid the system rebooting, insert itself in scheduled cron jobs, system booting initial jobs, and system daemons—and even create new accounts.
The use of evasion techniques ensures the attack is not discovered or detected. By being evasive, the attack can clear the system logs and the BASH command history, hide the payload file in the system folder with a masquerading filename, and even delete the original payload file. Examples of these include the Tsunami variant and the Torii botnet.
- Collection of Information:
At this stage, device information and sensitive files, such as the private key and the cryptocurrency wallet are collected. Examples include the VPNFilter which steals sensitive data from the network traffic in compromised routers.
- Command and Control (C&C):
Next, the malicious payload also receives commands from the command and control (C&C) server. For different C&C commands, the payload continues to launch different attack activities like TCP flooding, UDP flooding, and infiltration of additional devices. For C&C channels, HTTP, IRC, P2P, and other such protocols are used.
- Lateral Movement:
The lateral movement in IoT attacks is mainly to continue infecting a large number of new devices in the local network. For example, an edge router first gets infected and then continues to infect all IoT devices that are connected to it.
Malicious activities launched in the IoT device have multiple impacts on the device: encryption of data for a ransom, total wipeout of disk and data, and abuse for coin mining. The BrickBot family of malicious malware is one of such examples.
*The above information has been extracted from Palo Alto Networks report Impacts of Cyberattacks on IoT Devices.
The current state of DDoS attacks and IoT devices
DDoS attacks continue to grow in number and frequency. Behind them are the same botnets that have been plaguing the world for years, composed in no small part of IoT devices that have non-existent or inadequate passwords, inability to patch exploitable firmware or holes in the authentication and data transfer ecosystem. Automated attacks on known vulnerabilities have granted cybercriminals extensive ability to quickly assemble or grow a botnet.
As per leading network and cybersecurity organization Akamai’s 2019 report.
The most rapidly increasing trend is the use of WS-Discovery (WSD) to amplify DDoS attacks. WSD is one of the most commonly used protocols for discovering and contacting nearby devices. The DDoS attacks make use of WSD hosts, of which there are over 800,000, to amplify the effectiveness of the attack by up to 95%.
- During the summer of 2019, attackers used WSD protocol to launch more than 130 DDoS attacks, some of which achieved a magnitude of 350 Gigabits per second.
- IoT devices use WSD protocols to automatically detect other devices nearby and since there are 630,000 with this protocol enabled, they can be attractive targets used to amplify DDoS attacks.
Researchers also reported a rise in the use of misconfigured IoT devices in amplified DDoS attacks.
Tips to make IoT devices more secure and protected from attacks:
Now that we understand that these devices are more vulnerable, let’s have some tips for enhancing and managing the security of these devices.
- Set up a network firewall that will block access to all unauthorized IP addresses.
- Ensure all your connected devices are updated to the newest firmware versions and have the newest security patches applied.
- Change all the default usernames and passwords on your IoT and other devices and if possible use two-factor authentication.
- Register with a DDoS mitigation service.
- Periodically Audit the IoT devices already on your home network and ensure timely maintenance is done on each one of them.
- Create a Separate Wi-Fi Network for IoT Devices.
- Shut down devices when not using them.
With the increasing demand of connectivity and networking across the world, the IoT devices will always be an easy target of cybercriminals, but hopefully, with a little prevention and safety options, we can protect our devices from any possible compromise, until we have enhanced security measures in place for such devices from their manufacturers.