Have you wondered if your internet-connected devices are infected with Mirai malware and were part of the DDoS attacks?
In response to the recent IoT DDoS attacks, researchers at Zscaler analyzed IoT traffic patterns not only on the days of the DDoS attacks on Dyn and Krebs on Security, but going back to July.
While Zscaler does not believe any of the devices connected to Zscaler Cloud had been compromised and used in the IoT botnet attacks, ThreatLabz researchers analyzed the security of five security cameras, three smart TV entertainment devices, three smart network printers and scanners, two DVRs and NVRs, two IP phones and a partridge in a pear tree. The last one of course was just to see if you were paying attention: no partridges were harmed in the course of this research.
Surveillance cameras and video monitoring IoT devices
For starters, the team looked at the FLIR FX, the Canary Home security system, Foscam IP cameras and the Dahua DH security camera. They looked for security issues, as well as the traffic patterns for each.
The Canary Home security system did the best, leaving the research team with no security concerns. They couldn’t say the same about the other security cameras.
When looking at the wireless HD camera FLIR FX, the researchers found two security issues. The FLIR FX communicates over plain-text HTTP. Firmware updates are pushed out from the FLIR services server without any authentication tokens.
Regarding Foscam IP surveillance cameras, the team said it leaks user credential information over HTTP in the URI. They gave the following example: xxx.xxx.xxx.xxx:yyy/snapshot.cgi?cmd=snapPicture&user=admin&pwd=password
Like Foscam, Axis IP cameras frequently showed up on the Insecam project, providing a Peeping Tom paradise for voyeurs and creepers because the cameras were not secured with a unique password.
ThreatLabz reported that the remote management console of Axis IP cameras used only HTTP-based authentication, making communication sniffing and man-in-the-middle (MiTM) attacks a possibility.
However, Ryan Zatolokin, senior systems and solutions architect at Axis Communications, said Axis cameras offer HTTPS as well.
“Axis cameras by default use HTTP/HTTP digest authentication. While HTTP digest authentication provides a minimal amount of additional protection, it does prevent the username and password from traversing the network as plain text,” he said. “Axis devices also prompt the user to change the password the first time the device is logged into. At this time, the option is also given to enable HTTPS. Even after the initial setup, users always have the option to set up HTTPS.”
As for the Dahua DH security camera, it uses weak default credentials. It also communicates over HTTP, so it is likewise susceptible to MiTM attacks.
Smart TVs and entertainment devices
Good news if you use Roku or Chromecast, as ThreatLabz had no security concerns with either the Roku streaming TV and media player or the Chromecast media player.
However, under Haier Android TV, the researchers wrote, “The security concerns with respect to smart TVs in general are the use of outdated libraries which could be exploited to gain control over the system.”
Smart network printers and scanners
Researchers had no security concerns about Epson or HP DesignJet printers, but the Fuji Xerox printer did not fare as well, because its print monitors connect to maintenance logging modules with no authentication. There was also a reminder to stay up to date on any printer patches or firmware updates, since most printers are set up in an enterprise setting where internal network users can access them.
DVR and NVR
For this category, researchers analyzed the security of digital (DVR) and network (NVR) recording systems. Both the D-Link DNR-202L and the VideoEdge NVR use weak credentials. Both also communicate over HTTP, making them vulnerable to sniffing and potentially to MiTM attacks.
IP phones
Neither the Panasonic KX-TGP500B04 nor the Yealink SIP-T46G came away unscathed.
Researchers discovered that the Panasonic KX-TGP500B04, a Digital Enhanced Cordless Telecommunications (DECT) solution, downloads root certificates and also authenticates via plain-text HTTP, meaning it is susceptible to sniffing and MiTM attacks.
Yealink SIP-T46G IP phones also use only HTTP authentication.
What can you do?
Sadly, there is no easy way to know if your IoT devices were used in the DDoS attacks. ThreatLabz said affected enterprises may have seen a spike in traffic and strange traffic destinations. If many devices were infected and used, they would consume a large amount of bandwidth and thereby slow overall traffic.
If you are still concerned your smart devices may have participated in a DDoS attack, the researchers recommended resetting the devices to factory default settings. Immediately afterwards, “change the default management credentials to something more secure.”
Additionally, the researchers “strongly recommend restricting the inbound management access from external networks to HTTPS only.”
The best advice for making IoT security “acceptable” included changing default credentials, blocking unnecessary ports from external access, and regularly deploying security patches and firmware updates. ThreatLabz added that enterprises should “install IoT devices on isolated networks to prevent lateral movement, with restrictions on both inbound and outbound network traffic.”
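A defender-side check that ties together the Foscam-style credential leak described above and the recommendation to restrict management access to HTTPS, added here as an example that is not part of the Zscaler research: it walks a constructed proxy log in a generic "client method url status" layout (the log format and the list of credential parameter names are assumptions) and flags plain-HTTP management requests and URIs that carry credentials, reporting only the parameter names, never the values.

```python
from urllib.parse import urlsplit, parse_qs

# Query-string keys that commonly carry credentials in IoT web UIs
# (assumption: extend per vendor, e.g. from the device's CGI documentation).
CREDENTIAL_KEYS = {"user", "usr", "username", "pwd", "pass", "password", "passwd"}

# Constructed sample proxy log: "<client> <method> <url> <status>".
# Line 1 mirrors the snapshot.cgi pattern quoted in the article.
SAMPLE_LOG = """\
10.0.5.21 GET http://203.0.113.10:88/snapshot.cgi?cmd=snapPicture&user=admin&pwd=password 200
10.0.5.22 GET https://203.0.113.11/axis-cgi/param.cgi?action=list 200
10.0.5.23 GET http://203.0.113.12/cgi-bin/snapshot.cgi?channel=1 200
10.0.5.24 GET https://203.0.113.13/login?username=operator&password=hunter2 200
"""


def analyze_url(client, url):
    """Return findings for one request: plain HTTP and/or credentials in the URI."""
    parts = urlsplit(url)
    device = parts.hostname or ""
    findings = []
    if parts.scheme == "http":
        # Any management traffic over plain HTTP is sniffable and MiTM-able,
        # even when the credentials themselves are not in the query string.
        findings.append({"client": client, "device": device,
                         "issue": "plaintext-http", "detail": parts.path})
    params = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(k for k in params if k.lower() in CREDENTIAL_KEYS)
    if leaked:
        # Report parameter names only; the values are secrets and stay out of alerts.
        findings.append({"client": client, "device": device,
                         "issue": "credentials-in-uri", "detail": ",".join(leaked)})
    return findings


def analyze_log(text):
    """Run analyze_url over every well-formed line of the log."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        client, url = fields[0], fields[2]
        findings.extend(analyze_url(client, url))
    return findings


def summarize(findings):
    """Count findings per (device, issue) so the noisiest camera or DVR surfaces first."""
    counts = {}
    for f in findings:
        key = (f["device"], f["issue"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Devices that only show up under "plaintext-http" (the Axis digest-authentication case) still need attention, since the digest exchange protects the password but not the rest of the session.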
As for recommendations to IoT manufacturers, ThreatLabz suggested that changing the default password should not be optional. Manufacturers should enforce the default password change at the time the device is being installed. Furthermore, security and firmware updates should not be left only to those who keep track of such things, but should be automated so that all devices receive them.