How to prevent your IoT devices from being forced into botnet bondage

A Delaware-headquartered brick-and-mortar jewelry store recently lost access to its online resources after succumbing to a major, multi-staged DDoS attack, the sort of attack that brings down a server by burdening it with huge numbers of simultaneous requests.

DDoS attacks are nothing new, but DDoS attacks powered exclusively by IoT devices are. The main culprit behind this particular attack was a botnet of 25,000 compromised CCTV cameras, armed with high-bandwidth connectivity and scattered across the world.

The rise of IoT botnets was predicted as one of the cybersecurity trends of 2016, and the technical details behind the Delaware jewelry episode are another reminder of how dangerous IoT botnets can be. With more and more unguarded IoT devices becoming connected to the internet every day, malicious bot lords are having an easier time conscripting new recruits into their undyingly loyal armies of zombie machines — and their next target can be your smart fridge, light bulb, kettle or door lock.

Here’s what you need to know about IoT botnets and what can be done to fight this mounting threat.

Why are IoT devices attractive targets for botnets?

As has become common knowledge, the barriers to compromising IoT devices are much lower than those for general-purpose computing devices such as PCs and smartphones. “Unlike personal computers or servers, most IoT devices are not well protected — or even protected at all,” says Igal Zeifman, a senior manager at cybersecurity firm Imperva Incapsula. “This is despite the fact that many are hooked up to a high-speed broadband connection and possess many of the same processing functionalities as regular computers.”

Imperva Incapsula is well-known for having raised the alarm about the looming threat of IoT botnets on several occasions, some dating as early as March 2014.

Zeifman believes that CCTV cameras and webcams are of special concern. Work done by other experts corroborates Zeifman’s opinion. Researchers at Arbor Networks recently found cybercriminals adapting the source code of LizardStresser, an infamous botnet malware, to infect IoT devices, with internet-accessible cameras accounting for 90 percent of the targeted devices. Matthew Bing, one of the researchers, described in a blog post how the cumulative bandwidth available to the botnet nodes has been used to launch 400 Gbps DDoS attacks against banks, gaming sites, ISPs and government institutions.

Some of the problem stems from inherent limitations of IoT devices. “Device constraints prevent agents such as antimalware, antivirus and firewall from being run on the device to protect itself; thus, traditional IT security practices are difficult to deploy on IoT devices,” says Preetham Naik, business development expert at Subex. These constraints include computation and storage limitations, as well as the use of stripped-down versions of known operating systems such as Linux.

As Zeifman points out, the combination of advanced computing capabilities, high connectivity and lackluster security makes IoT devices “perfect candidates for botnet recruiters.”

Also relevant is the mostly autonomous nature of IoT devices. “The basic issue is that most IoT devices are ‘Things’ that are meant to do a very specific function,” says Deepindher Singh, founder and CEO of IoT manufacturer 75F. “Once set up, we tend to forget that they are actually connected to the internet or that they are actually vulnerable to attacks.”

Limited user interfaces are another factor contributing to IoT devices being overlooked, Singh believes, referring to absent or “cumbersome access methods like using a web browser or app” to monitor each device. “When was the last time somebody logged into their light bulbs to do a tcpdump to check if there were rogue packets?” he asked rhetorically.

Manufacturers and consumers are to blame, as well

Not everything is down to unchangeable IoT constraints. As Chris Hodson, CISO for the EMEA region at cloud security company Zscaler, told SC Magazine, the security development life cycle for IoT devices is often expedited or bypassed because of strict time-to-market deadlines or the cost of the hardware.

“Manufacturers are looking for hardware components which are affordable and increase profit margins,” Hodson says. “Cheap, lightweight components in IoT devices often lack the capability to provide fundamental security services, such as encryption, as its hardware simply cannot support it.”

Subex’s Naik emphasizes the need for manufacturers to adopt “security by design” as a development policy. “Considering IoT devices are expected to remain in service much longer than IT devices,” he says, “the ability to patch and maintain the devices should be an important design consideration.” Naik also stresses the need for manufacturers to carefully examine third-party components before integrating them into IoT products. A report published last November by the Austria-based consulting firm SEC sheds light on the security implications of non-assessed component reuse across devices.

Cesare Garlati, chief security strategist at the prpl Foundation, underlines the need for IoT security to be baked in at the hardware and chip level, pointing to the fact “that patching isn’t high on the priority list for admins.”

Garlati’s comments are also a reminder of another widespread problem fueling the growth of IoT botnets: consumers’ broad neglect of IoT security.

For instance, the LizardStresser botnet captures its targets by trying default credentials on devices it finds through the Shodan search engine, a very effective tactic because most consumers never change the factory-default settings on their IoT devices.

Consumers’ lack of appreciation for security gives vendors little incentive to create more-secure products. “Vendors try to change the situation, but it is costly,” says Steffen Wendzel, researcher at the Fraunhofer Institute for Communication, Information Processing and Ergonomics. “They also get no real benefit as customers do not pay for security.” A research paper co-authored by Wendzel details how a lack of awareness among the different parties involved in the IoT development and use cycle contributes to the production of flawed products.

Zscaler’s Hodson drives the point home: “Until consumers demand that security is embedded into the hardware development life cycle, manufacturers would feel no pressure to change their methods.”

Manufacturers can control some of the damage by educating consumers and enforcing stricter security policies, suggests Zeifman. “For example, manufacturers could be doing more to implement better password management policies and periodic firmware updates,” he says.

Naik concurs, stressing that vendors should make complex passwords a requirement for their products. “Customers should be forced to change passwords and change them often,” he adds.

IoT botnets are about more than just HTTP attacks

While presently most IoT botnets are aimed at web and application servers, they can be put to much more destructive use.

“I believe that the ultimate goal of IoT botnets is not to send spam,” says Wendzel, the researcher from Fraunhofer. “Instead, they will only make sense if they actually use their physical capabilities. Either they measure their environment (perform surveillance) or they change their environment (perform physical actions). This is what makes IoT botnets much more serious than traditional botnets.” He further elaborates on the topic in his paper.

“For instance, if you sell oil or gas as a local provider to some smart city/region, then you could attack the smart homes in that city,” Wendzel says. “Doing so, you could increase heating levels. In result, people would need more oil/gas and then would sooner buy your oil/gas again.”

What protects you against IoT botnets

Basic caution and IoT security hygiene, such as changing passwords and turning off unwanted features, go a long way toward fending off some of the more basic but extremely effective attacks, such as brute-force device credential scans.
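As an added illustration (not code from 75F, Subex, Imperva or any other vendor quoted here), the Python sketch below shows the device-side controls this section and the earlier password-policy discussion keep returning to: refusing the factory-default pairs that a LizardStresser-style scan walks through, rejecting weak replacements, storing only a salted scrypt hash, forcing a change of the unique provisioning password at first login, and locking out a source address after repeated failures so a default-credential scan stalls. The default-credential list, the usernames, addresses and policy thresholds are all constructed for the example.

```python
"""Device-side credential handling that resists default-credential scans.

Added example (not vendor code). Shows the controls the article argues for:
reject factory-default and weak passwords, store a salted scrypt hash only,
force a change of the unique provisioning password at first login, and lock
out a source address after repeated failures.
"""
import hashlib
import secrets
import time

# Constructed sample of factory credentials of the kind a scanner tries.
# A real device would carry the actual defaults shipped for its models.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
]
DEFAULT_PAIRS = set(DEFAULT_CREDENTIALS)
DEFAULT_PASSWORDS = {p for _, p in DEFAULT_CREDENTIALS}

MIN_LENGTH = 12       # policy thresholds chosen for the example
MAX_FAILURES = 5      # failed attempts per source address before lockout
LOCKOUT_SECONDS = 900

_DUMMY_SALT = b"\x00" * 16


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; n/r/p sized for a small device (8 MB).
    return hashlib.scrypt(password.encode(), salt=salt, n=2**13, r=8, p=1, dklen=32)


_DUMMY_HASH = _hash("", _DUMMY_SALT)   # so unknown usernames cost the same time


def password_is_acceptable(username: str, password: str) -> bool:
    """Reject factory defaults, short passwords and passwords with < 3 character classes."""
    if (username, password) in DEFAULT_PAIRS or password in DEFAULT_PASSWORDS:
        return False
    if len(password) < MIN_LENGTH:
        return False
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes >= 3


class CredentialStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}      # username -> [salt, hash, must_change]
        self._failures = {}   # source address -> (count, first_failure_ts)

    def provision(self, username: str) -> str:
        """Create a unique per-device password at setup; it must be replaced at first login."""
        password = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._users[username] = [salt, _hash(password, salt), True]
        return password

    def set_password(self, username: str, new_password: str) -> bool:
        if not password_is_acceptable(username, new_password):
            return False
        salt = secrets.token_bytes(16)
        self._users[username] = [salt, _hash(new_password, salt), False]
        return True

    def _locked(self, source: str) -> bool:
        rec = self._failures.get(source)
        if rec is None:
            return False
        count, since = rec
        if self._clock() - since > LOCKOUT_SECONDS:
            del self._failures[source]
            return False
        return count >= MAX_FAILURES

    def login(self, source: str, username: str, password: str) -> str:
        """Return 'locked', 'denied', 'change_required' or 'ok'."""
        if self._locked(source):
            return "locked"
        salt, digest, must_change = self._users.get(
            username, (_DUMMY_SALT, _DUMMY_HASH, False))
        if username not in self._users or not secrets.compare_digest(_hash(password, salt), digest):
            count, since = self._failures.get(source, (0, self._clock()))
            self._failures[source] = (count + 1, since)
            return "denied"
        self._failures.pop(source, None)
        return "change_required" if must_change else "ok"


def default_credential_scan(store: CredentialStore, source: str) -> list:
    """What a LizardStresser-style scanner sees when it walks the default list."""
    return [store.login(source, user, pw) for user, pw in DEFAULT_CREDENTIALS]


if __name__ == "__main__":
    store = CredentialStore()
    print("provisioned:", store.login("10.0.0.5", "admin", store.provision("admin")))
    print("weak rejected:", store.set_password("admin", "admin"))
    print("strong accepted:", store.set_password("admin", "Correct-Horse-7-Battery"))
    print("scan:", default_credential_scan(store, "203.0.113.9"))
```

The lockout is keyed on the source address rather than the account so a scanner cannot lock the owner out of the device from the internet, and the unknown-username path still runs one scrypt computation so that username enumeration by timing is not free.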

But in tandem with the rise of IoT botnets, attackers will develop more sophisticated methods to target and ensnare unprotected and vulnerable IoT devices and use them to stage massive DDoS attacks, which will demand more advanced protection measures.

“Mitigation of such assaults relies on the ability to both scale up networking and computing resources, and to accurately analyze incoming traffic to weed out malicious visitors,” Imperva Incapsula’s Zeifman says, which he believes can be achieved through cloud-based security solutions rather than on-premises security tools.

Imperva Incapsula’s cloud security platform, Zeifman explains, leverages the power of the cloud to perform multiple functions simultaneously, such as inspecting incoming traffic and identifying threats through behavior, signatures, IP history and cross-referencing against the large body of information it consolidates from millions of endpoints. The platform is comprised of multiple scalable components, including a Web Application Firewall (WAF) and a DDoS mitigation system.

The power of the cloud lies in its elasticity and its ability to evolve and adapt to changes in the IoT botnet threat landscape. “The detection methods are as varied as the different attack vectors available to the offenders,” Zeifman says. “As IoT botnets evolve, so do the security solutions in what has often been described as an infinite game of cat-and-mouse.”

Subex’s network monitoring platform protects against IoT botnets through a three-tier defense mechanism based on signature, heuristics and anomaly detection. According to Naik, new threat signatures are detected by an IoT honeypot network covering different IoT device architectures; anomalies are identified by profiling individual device behavior based on parameters such as periodicity of transmissions, payload size, protocols and ports; intrusions into IoT ecosystems are detected by an integrated Intrusion Detection System (IDS); and IoT web interfaces are secured through a WAF.
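The anomaly tier described above, profiling each device on periodicity of transmissions, payload size, protocols and ports, is simple enough to show in full. The Python below is an added example and not Subex’s platform: it builds a per-device baseline from normal flow records and then flags live flows that open a new service or peer, carry an unusual payload size, or arrive in a burst far faster than the device’s usual period. The flow records, device name, addresses and thresholds are constructed for the example; a real deployment would feed it NetFlow or gateway logs.

```python
"""Per-device behaviour profiling for spotting a conscripted IoT device.

Added example, not Subex's platform. A baseline profile is built per device
from normal flow records (services used, peers contacted, transmission
period, payload size); live flows that break the profile are flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass
class Flow:
    ts: float        # seconds
    device: str
    proto: str
    dst_ip: str
    dst_port: int
    size: int        # bytes


@dataclass
class Profile:
    services: set           # (proto, port) pairs seen in the baseline
    peers: set              # destination addresses seen in the baseline
    median_interval: float  # typical seconds between transmissions
    median_size: float
    size_mad: float         # median absolute deviation of payload size
    last_ts: float          # timestamp of the most recent flow seen


SIZE_MAD_FACTOR = 5      # thresholds chosen for the example
BURST_FRACTION = 0.1     # a gap below 10% of the usual period is a burst


def build_profiles(baseline):
    by_dev = defaultdict(list)
    for f in baseline:
        by_dev[f.device].append(f)
    profiles = {}
    for dev, flows in by_dev.items():
        flows.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(flows, flows[1:])]
        sizes = [f.size for f in flows]
        med = median(sizes)
        mad = median([abs(s - med) for s in sizes]) or 1.0   # avoid a zero spread
        profiles[dev] = Profile(
            services={(f.proto, f.dst_port) for f in flows},
            peers={f.dst_ip for f in flows},
            median_interval=median(intervals) if intervals else 0.0,
            median_size=med, size_mad=mad, last_ts=flows[-1].ts)
    return profiles


def detect(flow, profiles):
    """Return anomaly reasons for one flow (empty list = looks normal); updates last_ts."""
    p = profiles.get(flow.device)
    if p is None:
        return ["unknown device"]
    reasons = []
    if (flow.proto, flow.dst_port) not in p.services:
        reasons.append(f"new service {flow.proto}/{flow.dst_port}")
    if flow.dst_ip not in p.peers:
        reasons.append(f"new peer {flow.dst_ip}")
    if abs(flow.size - p.median_size) > SIZE_MAD_FACTOR * p.size_mad:
        reasons.append(f"payload size {flow.size} outside baseline")
    if p.median_interval > 0:
        gap = flow.ts - p.last_ts
        if gap < BURST_FRACTION * p.median_interval:
            reasons.append(f"transmission burst: {gap:.2f}s since last, baseline {p.median_interval:.0f}s")
    p.last_ts = flow.ts
    return reasons


def run(baseline, live):
    """Return [(ts, device, reasons)] for every live flow that breaks its profile."""
    profiles = build_profiles(baseline)
    out = []
    for f in sorted(live, key=lambda f: f.ts):
        reasons = detect(f, profiles)
        if reasons:
            out.append((f.ts, f.device, reasons))
    return out


# Constructed sample: a camera that phones home every 60 s over TCP/443 ...
BASELINE = [Flow(t, "cam-01", "tcp", "198.51.100.10", 443, s)
            for t, s in zip(range(0, 360, 60), [1200, 1180, 1220, 1190, 1210, 1200])]
# ... then one more normal beacon, followed by a flood of tiny packets to a
# new destination and port, which is what a DDoS-conscripted node looks like.
LIVE = [Flow(360.0, "cam-01", "tcp", "198.51.100.10", 443, 1195)] + [
    Flow(361.0 + 0.1 * i, "cam-01", "tcp", "192.0.2.50", 80, 60) for i in range(3)]

if __name__ == "__main__":
    for ts, dev, reasons in run(BASELINE, LIVE):
        print(f"{ts:7.1f} {dev}: " + "; ".join(reasons))
```

Median and MAD are used rather than mean and standard deviation so that a single oversized firmware download in the baseline does not widen the acceptable band; the “new peer” rule is appropriate for a device that only ever talks to its own cloud service and would need a whitelist of expected peers for anything more talkative.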

75F’s Singh believes the propagation of IoT botnets should be stemmed at the source by enforcing correct design and development policies. His startup is focused on adhering to a paradigm he describes as “having secure gateways that protect all on-premise devices.” IoT gateways are much more capable of running security tooling, which can add a layer of protection to IoT devices with limited compute resources.

75F also adds UX modules such as touch screens and LCD displays to devices and gateways in order to minimize the need for remote TCP access. In cases where remote access is required, creating unique passwords has been made part of the setup process to protect against brute-force attacks.

75F thoroughly examines and tests devices instead of rushing to ship; this eliminates the need for over-the-air (OTA) update mechanisms, which can be used by hackers to push malicious updates, Singh explains.

At the end of the day, IoT botnets are one threat among many, and as with every cybersecurity threat, defenders need to plug all the holes while attackers only need to find one. Therefore, as IoT botnets become a clear and present danger, only the combined efforts of everyone involved, including consumers, manufacturers and IT pros, can stop the threat.