DDoS attacks using IoT devices follow The Manchurian Candidate model

Like in The Manchurian Candidate, hackers are creating sleeper agents to carry out attacks. Only now they're using IoT devices and turning them into botnets.

In the movie The Manchurian Candidate, two soldiers are kidnapped and brainwashed into sleeper agents. Later the soldiers become unwitting assassins when activated by a handler.  

Sound familiar? It should.

Hackers use a similar model for Distributed Denial of Service (DDoS) attacks using IoT devices. This process has four phases.

  1. Capture: Identify and take over control of IoT devices
  2. Subvert: Reprogram the device to conduct malicious acts
  3. Activate: Instruct the hacked device to launch attack
  4. Attack: Launch the DDoS attack 

Why are such attacks increasing? How can IoT device security be hardened? What DDoS protections are available? What advisory resources are available? Let’s take a look.

Why are DDoS attacks increasing?

DDoS attacks are asymmetrical warfare. The cost of launching such an attack is disproportionate to the damage it causes.

Millions of vulnerable IoT devices make it easier for hackers to assemble the firepower needed for a DDoS attack. IoT device manufacturers keen to lower costs often neglect security provisions. This neglect causes widespread harm and hampers longer-term IoT growth. It’s hard to update a vulnerable IoT device with better safeguards once it’s been installed.

DDoS attacks are profitable. Research by Incapsula found that a DDoS attack could cost a firm over $40,000/hour! KrebsOnSecurity reported that two hackers recently earned $600,000 from launching DDoS attacks. Mercenary hackers called booter services that launch DDoS services actually exist. Criminal profits are driving the increase in DDoS attacks.

Botnets and DDoS

DDoS attacks direct an overwhelming volume of network traffic to a web server. The server gets overloaded with connections and cannot accept any new ones. This prevents legitimate users from accessing the site.

IoT devices are soft targets for hackers. They’re converted to botnets to generate large volumes of network traffic to attack a target. Imagine an army of sleeper agents waiting to be activated. 

A 5Gbps DDoS attack can render most sites useless unless they have DDoS protections. 

[Image: Digital Attack Map, digitalattackmap.com]

Digital Attack Map, a service from Arbor Networks and Google Ideas, shows DDoS attacks underway in real time

Vulnerable IoT devices

IoT devices are attractive targets for hackers to infect with DDoS malware. Vulnerable devices share these traits:

  • An embedded operating system and firmware that’s easily compromised
  • Weak authentication mechanism or hard-coded passwords that haven’t been reset
  • Insecure SSH and Telnet support with which to install malware
  • Unencrypted traffic between the device and its control service
  • Physical access to the chipsets in the device through an open JTAG interface

Connected CCTV cameras can be soft targets, reports IPVM, a research service on IP cameras. The firmware in some cameras is even compromised during manufacture to redirect traffic to the hacker’s site.


Security risks and safeguards

Here are some potential risks and suggestions for securing IoT devices and preventing them from being used to launch DDoS attacks.

1. Chip-level security

JTAG: a standard interface to test and debug chips. It’s used to test printed circuit boards (PCBs) and chip interconnects. Hackers use JTAG with debugging software to understand how a chip will respond to different commands.

Make sure the JTAG interface for your IoT devices is encrypted to deny access to hackers.

2. Vulnerable operating system and tools

Embedded operating systems are stripped down to be able to run on IoT devices with limited system resources. Compromised open-source operating systems and software utilities are often used unknowingly in IoT devices. Three programs to be used with care include:

  • BusyBox: a single binary with over 200 tools that runs on Linux and Android
  • Tiny HTTPd: a simple web server with a very small footprint
  • Universal Plug and Play: a set of networking protocols that let devices discover each other's presence on the network. It’s also used by hackers to identify open ports on IoT devices that could be attacked.

Use a hardened operating system and development tools such as Wind River Helix or VMware Liota for your IoT devices. They also facilitate the application of security updates.

3. Strong authentication and passwords

Manufacturers often hardcode passwords to simplify IoT device installations. Users forget to change their default passwords, however, making the devices easier targets for hackers. 

Typical IoT device configuration instructions:

“If you’re connecting to your device for the first time from your computer, you may see the following security alert. Just click Yes to continue.

If the connection was successful, you should see login as: on the screen, prompting you to login. Enter Administrator and press enter. Then enter the default password p@ssw0rd as the password and press enter.”

Implement stronger authentication provisions. Ensure that default passwords are changed or require users to create strong, unique default passwords.

Public Key authentication is harder to hack. Intel’s Enhanced Privacy ID (EPID) provides a private key infrastructure that streamlines the secure onboarding of IoT devices.
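One way a device could enforce the "change the default at first login" rule described above, written here as an added example rather than any vendor's code: it refuses the documented factory credential, applies a minimal strength policy, and stores the accepted password as a salted PBKDF2 hash. The two extra default pairs and the 12-character / 3-class thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Factory defaults to refuse: the Administrator/p@ssw0rd pair is the one quoted in the
# setup instructions above; the other two are constructed examples of the same pattern.
KNOWN_DEFAULTS = {("Administrator", "p@ssw0rd"), ("admin", "admin"), ("root", "root")}

def password_problems(username, password):
    """Return the list of policy violations for a proposed credential (empty = acceptable)."""
    problems = []
    if (username, password) in KNOWN_DEFAULTS:
        problems.append("factory default credential")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() == username.lower():
        problems.append("same as username")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems

def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$rounds$salt_hex$hash_hex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2$%d$%s$%s" % (rounds, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Constant-time comparison of a login attempt against the stored PBKDF2 record."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def first_boot_set_credential(username, password):
    """Run at first login: setup cannot complete until a compliant password replaces the default."""
    problems = password_problems(username, password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return hash_password(password)
```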

4. Remote administration (SSH and Telnet)

Secure Shell (SSH) is a software utility to remotely administer and configure IoT devices. It’s used with Telnet, an application layer protocol for network file transfer applications. Hackers use SSH and applications such as PuTTY to install malware on IoT devices. This converts IoT devices into botnets ready to launch a DDoS attack.

Three safeguards:

  1. Make sure to harden SSH on your IoT devices with these tips.
  2. Check for incoming probes using a tool such as Unplug ‘N Pray from Gibson Research.
  3. Connect IoT devices to a router that can inspect incoming SSH commands before they access the device. AVG Innovation Lab’s Chime provides such protective traffic screening.
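The "check for incoming probes" safeguard above can also be done from the device's own SSH log. The following is an added example, not a tool from the article: it parses OpenSSH "Failed password" lines and flags any source that produces a burst of failures inside a short window. The log lines are constructed samples, and the 5-failures-in-60-seconds threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an OpenSSH auth log from an IoT gateway (not real traffic).
SAMPLE_LOG = """\
Oct  3 14:02:11 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct  3 14:02:13 cam01 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Oct  3 14:02:14 cam01 sshd[812]: Failed password for invalid user support from 198.51.100.7 port 51024 ssh2
Oct  3 14:02:16 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 51025 ssh2
Oct  3 14:02:19 cam01 sshd[812]: Failed password for invalid user user from 198.51.100.7 port 51026 ssh2
Oct  3 14:05:40 cam01 sshd[901]: Failed password for operator from 192.0.2.44 port 40210 ssh2
Oct  3 14:05:58 cam01 sshd[902]: Accepted publickey for operator from 192.0.2.44 port 40211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2016):
    """Yield (timestamp, source_ip, username) for each failed-login line (syslog has no year)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_probes(log_text, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    users = defaultdict(set)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append(ts)
        users[ip].add(user)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(times), "usernames": sorted(users[ip])}
                break
    return flagged
```

A single mistyped password from the operator at 192.0.2.44 is not flagged; the rapid run of guesses against several account names from 198.51.100.7 is.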

5. Remote security updates

It’s challenging to apply security updates to IoT devices once they’re deployed. That's due to:

  • Complicated procedures for unsophisticated users
  • Lack of a user interface to the device
  • Challenges authenticating the source of the update itself

Make sure IoT devices have been hardened and have provisions to receive updates only from a secure control server. The Wind River Helix Device Cloud is a good option.

6. Compromised control servers

Make sure devices communicate with the proper control server. This can be done by locking the IP address of control servers and restricting how that IP address may be changed.

Make sure IoT firmware updates are encrypted and authenticated against a certified control server. Service providers such as Akamai, Level 3 Research Labs and OVH protect both websites and IoT control servers against DDoS attacks.
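The two checks above (a locked control-server address, and updates that are authenticated before they are applied) can be sketched on the device side as follows. This is an added example, not code from the article or from any of the vendors it names; it assumes the server is pinned by hostname and IP, that each device holds a per-device update key provisioned at manufacture, and that manifests are authenticated with HMAC-SHA256 over that key (a symmetric stand-in for the certificate-based signing the article refers to). Confidentiality comes from requiring https for the download.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Assumed pinning data and key (placeholders, not real values).
PINNED_SERVER = {"host": "updates.example-iot.test", "ip": "203.0.113.10"}
DEVICE_UPDATE_KEY = bytes.fromhex("11" * 32)  # provisioned per device at manufacture

class UpdateRejected(Exception):
    pass

def canonical(manifest):
    """Stable byte encoding of the manifest so server and device MAC the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def image_digest(image):
    return hashlib.sha256(image).hexdigest()

def check_server(url, resolved_ip):
    """Refuse updates not fetched over TLS from the pinned control server; returns True if OK."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("update URL must use https")
    if parts.hostname != PINNED_SERVER["host"] or resolved_ip != PINNED_SERVER["ip"]:
        raise UpdateRejected("control server is not the pinned one")
    return True

def sign_manifest(manifest, key=DEVICE_UPDATE_KEY):
    """Server side: the tag the device will check (included so the example runs end to end)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()

def verify_update(manifest, tag_hex, image, current_version, key=DEVICE_UPDATE_KEY):
    """Device side: return the new version only if the manifest is authentic,
    is newer than what is installed, and describes exactly the image received."""
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise UpdateRejected("manifest authentication failed")
    if manifest["version"] <= current_version:
        raise UpdateRejected("downgrade or replay of an old version")
    if image_digest(image) != manifest["sha256"]:
        raise UpdateRejected("firmware image does not match manifest")
    return manifest["version"]
```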

7. Protection against DDoS attacks

Make sure your own servers, as well as IoT control servers, are protected against such attacks. Four services you can use:

  • Arbor Networks: an Advanced Threat Solution that provides network-wide situational awareness, traffic visibility and security intelligence. Better threat detection and incident response is enabled with real-time insights, visualization and forensics.
  • Incapsula: DDoS protection service
  • Sucuri: DDoS and website protection software
  • Senrio: Security platform to monitor and protect IoT devices

8. IoT security resources

Stay current about DDoS threats and IoT security vulnerabilities. Here are some resources:

  • Krebs on Security: The pre-eminent blog on security issues by Brian Krebs
  • FlashPoint: Business Risk Intelligence (BRI) service to mitigate security risks
  • Security Ledger: An independent security news website on cybersecurity
  • Digital Attack Map: A service from Arbor Networks and Google Ideas that shows DDoS attacks underway in real time (Image featured above)
  • Shodan: Finds devices with D-Link in their header and publishes their location
  • Qadium: Search engine for IoT devices to identify relationships and potential vulnerabilities

DDoS attacks

The Manchurian Candidate is a cautionary tale about the need for vigilance with much to teach IoT solution providers. Make sure your IoT devices haven’t been ‘captured’ and hurt you or others.


Copyright © 2016 IDG Communications, Inc.
