Hackers Wreak Havoc Using IoT Exploits

October 25, 2016 - 6 minutes read

This past Friday, much of the United States’ internet access came to a crashing halt. Services like Twitter, Spotify, Reddit and Netflix were rendered inaccessible because of a Mirai botnet attack on servers owned by Dyn (the source code was actually released a few weeks ago and the creator of the code, a hacker dubbed “senpai,” even gave instructions on how to use it).

The attackers used insecure Internet of Things (“IoT”) devices to flood Dyn with traffic until their servers were unable to respond to normal requests. Their primary targets: old CCTV systems running services like Telnet that haven’t been used by most engineers in 10 years or more.

Now, Mirai is losing effectiveness as ISPs react, but another IoT botnet called “Bashlight” appears to be doing the rounds, so it’s imperative that we plan and prepare for the likes of Bashlight and other future attacks on our connected devices.

As mobile app developers in NYC, the IoT devices we see are, for the most part, a world apart from the CCTV systems that were attacked by Mirai, because most use modern IoT frameworks. But you can never be too safe. So if you’re involved in the Internet of Things, here are 10 relatively easy ways to avoid IoT attacks:

(1) Remove unneeded services

Almost every IoT device I see runs unnecessary services. This includes things like a web server or an admin interface that simply isn’t integral to the production model. Netstat is a great terminal command to see what services are open. On Linux, the following command will show you what services are listening and which processes are associated with them:

sudo netstat -tunlp
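As an added example that is not part of the original post: a small script that takes `netstat -tunlp` output and prints every listener whose port is not on an allowlist of the ports the product actually needs. The allowlist, the sample netstat output and the `telnetd`, `admin-ui` and `tftpd` entries in it are constructed for the illustration, not data from a real device.

```shell
#!/bin/sh
# Added example (not from the original post): compare the listening sockets
# reported by `netstat -tunlp` against an allowlist of ports the product
# needs, and print every listener that is not on the list.
# ALLOWED_PORTS and SAMPLE_NETSTAT are constructed for this example.

ALLOWED_PORTS="443 8883"   # e.g. the device's HTTPS API and MQTT over TLS

# Constructed sample of `sudo netstat -tunlp` output from a hypothetical device.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      412/telnetd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      530/lighttpd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      531/admin-ui
tcp6       0      0 :::8883                 :::*                    LISTEN      600/mosquitto
udp        0      0 0.0.0.0:69              0.0.0.0:*                           455/tftpd'

# Read netstat output on stdin; print "proto port pid/program" for each
# listener whose local port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)      # strip the address, keep the port
            if (!(port in ok)) print $1, port, $NF
        }'
}

# Run the check against the constructed sample. On a real device use:
#   sudo netstat -tunlp | unexpected_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
}
```

Every line the script prints is a service to justify or remove: here the Telnet, TFTP and admin-UI listeners would come out, while the two allowlisted ports stay silent.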

(2) Remove or disable default accounts

It’s critical that these are changed and default accounts disabled. A great example is the default account on a Raspberry Pi, which is pi/raspberry. I’m sure there are thousands of devices on the web with this combination enabled. In fact, I did a quick search on Shodan (they catalog which devices are running on the Internet) and found roughly 42,000 devices. I would bet that at least 10% of those have default credentials, which allow easy admin access by a botnet like Mirai or Bashlight.

(3) Create stronger passwords

This sounds like a no-brainer, but I find poor development passwords passed into production environments all the time. Use longer, more complex passwords and you should stop password attacks in their tracks.

(4) Shore up authentication methods

If you must have administrative ports like SSH open to the Internet, then use public/private key pairs and remove password authentication methods. This stops malware and hackers trying to guess passwords.
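An added example, not the post's own code: a check that reads an `sshd_config` and reports every setting that still leaves a password path open, with a constructed weak fragment beside a hardened one. The two config fragments are assumptions for the illustration; where a line is absent the check assumes the permissive value, which is the safe direction for an audit.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# options that decide whether password logins are possible, and show the
# weak and hardened fragments side by side. Both fragments are constructed.

# Weak: password logins allowed, root may log in with a password.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

# Hardened: key-based logins only, no root password login.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys'

# Effective value of an sshd option: sshd honours the first occurrence, so
# take the first non-comment match; if the line is absent, use the default
# passed by the caller.
sshd_option() {    # $1=config file, $2=option name, $3=default if absent
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Print one line per weak setting; exit status 1 if any were found, 0 if clean.
# Absent lines are treated as the permissive value (assumption: old defaults).
audit_sshd_config() {
    cfg=$1
    findings=0
    if [ "$(sshd_option "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: set it to 'no' once keys are deployed"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_option "$cfg" ChallengeResponseAuthentication yes)" = yes ]; then
        echo "ChallengeResponseAuthentication yes: another password path, set it to 'no'"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_option "$cfg" PermitRootLogin yes)" = yes ]; then
        echo "PermitRootLogin yes: use 'no' or 'prohibit-password'"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_option "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "PubkeyAuthentication is off: keys cannot replace passwords"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# On a device: audit_sshd_config /etc/ssh/sshd_config && echo "sshd config is clean"
```

Run the audit on the production image before it ships, and again after every update, because a package upgrade can reintroduce a permissive default.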

(5) Encrypt it

Most IoT devices will support strong transport and storage encryption, but implementation often plays second fiddle in the rush for development. Encrypting stored user details and passwords is critical in case the device ever ends up on eBay and private information is revealed to the buyer.

(6) Build a firewall

An IoT device built on top of Linux will more than likely have the iptables firewall already built in. Taking a few hours to configure a simple firewall on your production build will make it much more difficult for hackers to gain remote control of the device. The firewall configuration should include outbound as well as inbound rules.
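As an added example that is not part of the original post: a function that generates a default-deny iptables ruleset in `iptables-restore` format, with both an inbound and an outbound policy, so that a device which is compromised anyway cannot freely join in the kind of flood described at the top of the post. The port list and the NTP server address (192.0.2.10, from the documentation range) are constructed for the illustration; which ports and hosts a product needs is a per-product decision.

```shell
#!/bin/sh
# Added example (not from the original post): emit a default-deny iptables
# ruleset for a Linux-based device. INBOUND_TCP, OUTBOUND_TCP and NTP_SERVER
# are constructed values; replace them with what your product actually needs.

INBOUND_TCP="443"          # the device's own TLS API
OUTBOUND_TCP="443 8883"    # cloud API and MQTT broker
NTP_SERVER="192.0.2.10"    # constructed; use your own time source

# Print a complete ruleset suitable for `iptables-restore`.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and already-established flows in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop anything the connection tracker considers invalid
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Inbound: only the services the product exposes
EOF
    for p in $INBOUND_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# Outbound: DNS, NTP to a known server, and the product's own upstream services
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -d $NTP_SERVER --dport 123 -j ACCEPT
EOF
    for p in $OUTBOUND_TCP; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# Log a rate-limited sample of drops so an infected device shows up in logs
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# On the device, as root:
#   firewall_rules > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

The outbound policy is the part most teams skip: with `:OUTPUT DROP` and only the listed destinations allowed, a device that is taken over cannot reach an arbitrary command-and-control host or send flood traffic to a victim, and the logged drops give you a signal that something on the device is trying.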

(7) Embed signed code

Some IoT hacking is based on the attacker being able to write their own firmware and replace the manufacturer’s code on the device. You can counter this by using a digital signing mechanism where only the manufacturer’s signed code is allowed to be loaded onto the device.

(8) Disable or remove physical ports

I’ve seen many hacking demonstrations where researchers have taken a device apart to find a USB or network port, allowing them to connect in a way that the manufacturer didn’t account for. Physically remove or disable these ports on your device if it doesn’t need them. If they are needed for maintenance or updates, then disable them at a software level when not in use.

(9) Auto-update all the time

If possible, code your device to pull down new updates automatically to make sure that you can provide security updates in a timely manner.
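An added example serving both tip (7) and tip (9), not code from the original post: the manufacturer signs a firmware image with a private key that never leaves the build server, and the device, which carries only the matching public key, verifies an update it has pulled down before copying it into place. It uses OpenSSL's `dgst` signing and verification; the file names, the RSA key size and the "firmware" payload are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sign a firmware image on the
# manufacturer side and verify it on the device before installing an
# auto-downloaded update. File names and payloads are constructed.

# Manufacturer side (build server). The private key never ships on the device.
make_signing_keypair() {    # $1=dir -> writes signing.key (private) and signing.pub
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/signing.key" 2>/dev/null
    openssl pkey -in "$1/signing.key" -pubout -out "$1/signing.pub" 2>/dev/null
}

sign_firmware() {           # $1=private key, $2=image, $3=signature output file
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Device side: the public key is baked into the running image. Only an update
# whose signature verifies against it is copied into place.
# Returns 0 on install, 1 on rejection.
verify_and_install() {      # $1=public key, $2=downloaded image, $3=signature, $4=install path
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        cp "$2" "$4"
        return 0
    fi
    echo "update rejected: signature does not verify with the embedded public key" >&2
    return 1
}

# Exercise the whole flow in a scratch directory. Returns 0 only if the genuine
# image installs and a copy modified after signing is rejected.
demo_update_flow() {
    dir=$(mktemp -d)
    make_signing_keypair "$dir"
    printf 'firmware v1.0.1 (constructed payload)\n' > "$dir/update.bin"
    sign_firmware "$dir/signing.key" "$dir/update.bin" "$dir/update.sig"
    verify_and_install "$dir/signing.pub" "$dir/update.bin" "$dir/update.sig" \
        "$dir/installed.bin" || return 1
    # Same signature, altered image: must be refused.
    printf 'firmware v1.0.1 (modified after signing)\n' > "$dir/tampered.bin"
    if verify_and_install "$dir/signing.pub" "$dir/tampered.bin" "$dir/update.sig" \
        "$dir/installed2.bin" 2>/dev/null; then
        return 1
    fi
    [ -f "$dir/installed.bin" ] && [ ! -f "$dir/installed2.bin" ]
}
```

The same check belongs in the boot loader for the image already on flash, so that a signed download cannot later be swapped for an unsigned one through a debug port; the verification step is identical, only the key storage moves into something the attacker cannot rewrite.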

(10) Hire security professionals to hack your device

IoT teams often have good budgets, and could definitely spend money on getting a security consultant in-house for a few weeks to test a prototype and make recommendations. Build testing into your quarterly budget and take their advice.

Rob Pope is CTO and co-founder of Dogtown Media, a pre-eminent IoT mobile app developer. On top of leading the development team to create dynamic mobile applications, he is an IT security expert, founding two previous ventures in the ethical hacking space. Rob frequently consults for multi-national organizations such as the London Stock, BBC, AstraZeneca, and Barclay’s Bank on how to mitigate their risk of a hack occurring and boost their IT security defenses.
