The IoT Attacks Everyone Should Know About
The Day of the DDoS
Back in October 2016, the day began a bit differently than others. The world had just seen the release of source code called Mirai, the same code responsible for the IoT botnet that had exerted a massive DDoS attack on KrebsOnSecurity in September of 2016. The code’s release, as described by Krebs, virtually guaranteed “that the Internet (would) soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
Less than a month after KrebsOnSecurity commented on the code leak, a distinct Mirai-powered zombie botnet was unleashed on Dyn, one of the largest DNS providers in the world, in three attacks. Internet access fell in many major cities, and the global plugged-in population caught a glimpse of the way IoT vulnerabilities can cause business disruptions and slow our personal online activities way, way down. If you wanted to reach major sites like Twitter, Amazon or Reddit, or to make a payment through PayPal? Too bad.
Here’s how an attack like this generally goes down: the malware scans the internet for vulnerable IoT systems. A vulnerability can be as seemingly innocuous as a factory default username. The devices are hijacked and become foot soldiers, reporting back to a controlling server. Then the traffic begins. In this case, the connected world ground to a relative halt. As revealed in Dyn’s statements just days later, the “complex and sophisticated” attack used “maliciously targeted, masked TCP and UDP traffic” over port 53, of which the Mirai botnet was the primary source, though other botnets also contributed. Because “The attack generated compounding recursive DNS retry traffic,” the impact was massive.
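A defender-side illustration of the port-53 flood described above, added here and not part of the original article or of Dyn’s tooling: a sliding-window detector run over constructed query-log lines that flags sources whose DNS query rate spikes. The log format, IP addresses, window and threshold are all assumptions for the example.

```python
"""Rate-based detector for DNS flood traffic on port 53 (added example).
The log format below is assumed: "<epoch-seconds> <src-ip> <dst-port> <proto> <qname>"."""
import ipaddress
from collections import defaultdict

# Constructed sample log: one flooding source, one normal resolver, one non-DNS client
SAMPLE_LOG = """\
1477065600 198.51.100.7 53 udp twitter.com
1477065600 198.51.100.7 53 udp reddit.com
1477065601 198.51.100.7 53 udp paypal.com
1477065601 198.51.100.7 53 udp twitter.com
1477065602 198.51.100.7 53 tcp amazon.com
1477065603 198.51.100.7 53 udp twitter.com
1477065600 203.0.113.44 53 udp twitter.com
1477065630 203.0.113.44 53 udp reddit.com
1477065600 192.0.2.9 443 tcp example.com
1477065601 192.0.2.9 443 tcp example.com
"""

def parse_log(text):
    """Yield (ts, src, dport, proto, qname) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dport, proto, qname = parts
        try:
            yield int(ts), str(ipaddress.ip_address(src)), int(dport), proto, qname
        except ValueError:
            continue  # bad timestamp, address or port: not worth aborting the scan

def peak_dns_rate(records, window=10):
    """Peak number of port-53 queries per source within any `window`-second span."""
    times = defaultdict(list)
    for ts, src, dport, _proto, _qname in records:
        if dport == 53:
            times[src].append(ts)
    peaks = {}
    for src, stamps in times.items():
        stamps.sort()
        left, best = 0, 0
        for right, t in enumerate(stamps):
            while t - stamps[left] >= window:  # drop events that fell out of the window
                left += 1
            best = max(best, right - left + 1)
        peaks[src] = best
    return peaks

def flag_dns_floods(text, window=10, threshold=5):
    """Sorted list of sources whose peak port-53 rate meets or exceeds the threshold."""
    peaks = peak_dns_rate(parse_log(text), window)
    return sorted(src for src, n in peaks.items() if n >= threshold)

if __name__ == "__main__":
    print(flag_dns_floods(SAMPLE_LOG))  # ['198.51.100.7']
```

The threshold of five queries in ten seconds is deliberately tiny so the constructed sample trips it; a production value would be tuned against baseline resolver traffic.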
For the consumers affected by the outages, the effects were noticeable, but the long-term consequences minimal. For businesses affected, there was a choice to be made: keep your trust in Dyn with the expectation that the company will mitigate these types of attacks even more strictly in the future (it’s worth noting that much of the malicious traffic was mitigated), or leave Dyn behind and choose another company. Eight percent of Dyn customers chose the latter. Eight percent is a hefty number, though, when it comes to lost customers.
As for the total revenue lost on that fateful Friday, when big players such as Ticketmaster, Amazon and PayPal were unreachable - we can only imagine.
Fact: there are roughly 500,000 known Mirai botnets. Let’s talk about the one that almost brought down an entire nation.
Liberia on the Edge
After the Dyn fiasco, security researcher Kevin Beaumont began monitoring botnet attacks. As reported by TechRepublic and by Beaumont on Medium, he saw one botnet in particular going after larger targets with a high rate of success. It was botnet #14, the largest of the Mirai botnets, and it was controlled by a domain that pre-dated October 21, 2016, Beaumont reported.
Liberia’s reliance on a single cable for its internet infrastructure makes it easy to disrupt. Beaumont reported that websites hosted in the nation were going down. The botnet sent Twitter messages, including one we might assume was directed at Beaumont specifically: kevin.lies.in.fear.
The Liberia attack might not have been big news for anyone outside the security community, but it makes this list because of its implications. As Beaumont wrote, “The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”
On March 5, 2017, major IoT device manufacturer Dahua learned about a software flaw when a researcher discovered he could bypass authentication on some devices, potentially exposing usernames and hashed passwords, according to JP Buntinx of themerkle.com. While hashing passwords is better than storing them in the clear, a weak hashing scheme makes for simple cracking. Dahua issued immediate patches, but you should know about this attack because of Dahua’s size (it’s the second largest IoT hardware manufacturer) and, again, because of the implications: if they can’t harden devices before release, who can?
CloudPets: Not a Botnet, Still a Problem
Though CloudPets was slow to respond to the ransom demand and did not immediately alert users, that doesn’t mean the breach doesn’t matter. As Selina Larson wrote for CNN Tech, “According to a report compiled by security researcher Troy Hunt, over 820,000 user accounts were exposed. That includes 2.2 million voice recordings.”
CloudPets allows parents to upload and download audio messages for their children by connecting over Bluetooth. That information was all stored in the cloud, and when hackers got hold of it, they demanded a ransom. CloudPets apparently restored the data from a backup, according to CNN.
“These are potentially intimate conversations. That data wasn't handled as if the company recognized how precious that is. When we look at it through that lens, the protection of that transaction was woefully lacking,” says Yolanda Smith of Pwnie Express. And therein lies the problem: despite the incredibly private nature of the data, no one really seemed to care.
Miele: Washer/Sanitizer Gets Dirty
In November 2016, a German researcher discovered a vulnerability in the Miele Professional PG 8528 appliance, a washing and sanitizing device for medical instruments such as those used in surgery and laboratory work. When the researcher, Jens Regel, informed the company, he didn't receive a response for three months. The web server directory traversal vulnerability allows remote attackers to access directories other than those the web server needs, giving them the ability to steal data and to insert and launch malicious code.
With no patch released, the bug persisted, leaving hospital systems vulnerable. Not only is health-related data highly sensitive and subject to strict compliance mandates, but an attack executed via malware injected into a device such as this could render a hospital unable to operate, potentially affecting revenue, reputation and, quite literally, lives.
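To show what a directory traversal bug of this class looks like next to its fix, here is an added example that is not code from the article, from Miele or from the PG 8528 firmware: a bare path join that lets `..` escape the document root, beside a hardened resolver that canonicalises the request and refuses anything outside the root. The document root and request strings are constructed for the example.

```python
"""Path containment for a small embedded web server (added example).
WEB_ROOT and the request strings are constructed, not taken from any real device."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/htdocs"  # assumed document root

def resolve_unsafe(root, requested):
    """Bug pattern: decode once, join onto the root, no containment check,
    so a request containing '..' resolves to a file outside the root."""
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

def resolve_safe(root, requested):
    """Hardened: percent-decode until stable (catches double encoding), reject
    NUL bytes, normalise, then require the result to remain under the root.
    On a live server also apply os.path.realpath so symlinks cannot escape.
    Returns the absolute path, or None if the request is refused."""
    decoded = requested
    while True:                      # canonicalise: %252e -> %2e -> .
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:            # NUL can truncate the path in a C-based server
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate

def audit(root, requests):
    """Map each request to (unsafe result, safe result) for side-by-side review."""
    return {r: (resolve_unsafe(root, r), resolve_safe(root, r)) for r in requests}

# Constructed sample requests: one legitimate, three traversal attempts
SAMPLE_REQUESTS = [
    "/index.html",
    "/../../etc/passwd",
    "/..%2f..%2fetc/passwd",
    "/%252e%252e/config.txt",
]

if __name__ == "__main__":
    for req, (unsafe, safe) in audit(WEB_ROOT, SAMPLE_REQUESTS).items():
        print(f"{req!r:28} unsafe={unsafe}  safe={safe}")
```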
In December 2019, a $1 million wire transfer from a Chinese venture-capital firm intended for a startup was intercepted by hackers. In the same year, some 40 million credit and debit card numbers were sold after hackers had compromised the wireless computer networks of major retailers including Forever 21.
Wireless keylogging might be one of the oldest forms of cyber threat, but it is still a common one for hackers looking to steal your data. It’s cheap and easy to execute, and we’ve seen hackers use hotel Wi-Fi to steal the data of business executives in China, Japan and Russia using keylogging.
One scary truth about botnet attacks specifically: the people responsible for the security of the devices commandeered into the botnet don't feel the pain of the attacks, except as service users themselves. The device owners and manufacturers have no personal incentive to take responsibility, which may perpetuate the potential for attacks in the future.
Discover more about the gaping holes in IoT security and how to fill them by reading part three of our ongoing series.