Your Devices Are Smart, but Are They Safe?
Welcome to part 1 of a series on IoT security! Click here to read part 2, or here to read part 3.
Picture your typical Sunday afternoon. The weather’s nice, the house is quiet, and you’re relaxing at the end of the weekend. Next thing you know, an emergency broadcast is blaring from one of your devices. It declares that North Korea has launched three intercontinental ballistic missiles at the United States. You have three hours to evacuate.
This sounds like the beginning of a film, but for Laura Lyons, it was all too real. After panicked calls to 911 and Nest customer support, Laura found out the message had come from a hacker who broadcast the fake warning from her Nest camera. The scariest part? This isn’t the first time a Nest camera has been compromised.
When it Comes to IoT Security, We Have a Problem
Over the last several years, there has been a security breakdown in almost every service imaginable. Massive data breaches have exposed personal information from banks, social media, hotels, and even online stores.
While shocking, the Lyons’ story is one of many involving these connected cameras. In December of 2018, Ellen Rigney heard a voice come through her Nest camera just before midnight.
“I’m going to kidnap your baby. I’m in your baby’s room,” it said. Both Rigney and her husband panicked. They ran upstairs and down the hall to the child’s room. What would they find when they arrived? Would the crib be empty, or would there be a mysterious intruder standing over it?
The reality was neither of these things. Their child was sound asleep and alone. For a digital intruder, this was a twisted joke, but for the Rigneys it was a moment that rocked their entire world.
While these incidents certainly spark anger and terror in the victims, they are small in scope. To really understand the danger here, we need to go back to October 2016. A massive distributed denial of service (DDoS) attack on the servers of Dyn took down a large portion of the internet in both America and Europe. Websites like Twitter, Reddit, Netflix, The Guardian, and CNN were inaccessible.
The cause of the attack was the Mirai botnet. This network of malware-infected devices coordinated the attack by sending traffic to the Dyn servers until they broke down from the strain. It was one of the largest attacks of its kind in history, if not the largest.
While typical botnets are composed of infected computers, the Mirai botnet was unique in that it was composed of IoT devices like connected cameras, baby monitors, and home routers. All of this begs the question:
“Why was the Mirai botnet created? What is its purpose?”
Would you believe me if I told you the answer is Minecraft?
Paras Jha, one of the creators of the Mirai botnet, knew there was good money to be made in hosting servers for the popular game Minecraft, and began launching DDoS attacks against his rivals to attract more business.
After a major attack on French hosting firm OVH’s Minecraft servers, the creators quickly tried to cover their tracks. Using the online handle “Anna-Senpai,” they posted the Mirai botnet’s code online in the hopes that others would use it and offer them plausible deniability.
While Jha and his associates eventually pled guilty to crimes related to Mirai botnet attacks, the Dyn attack was launched by another party, and with Mirai’s source code out on the open internet, others have begun using it to build their own botnets.
One such example is the Reaper botnet, which is based partially on Mirai’s source code. This new threat is even more dangerous, due to the way that it harnesses known security flaws to hack in and spread itself to other devices on the same network.
Numerous other hackers are also trying their hand at modifying and deploying variations of the Mirai botnet. In October of 2018, a single hacker released the source code for seven Mirai variants.
All of this points to a simple fact: the Dyn attack may have been the largest of its kind, but if we don’t do something about this, it won’t be the last.
How Does Something Like This Happen?
Do you use the same password for everything? Perhaps you just change a letter or a number so it’s easier to remember. Using similar passwords online is a mistake, but if those passwords extend to the devices in your home, you’re even more vulnerable.
One technique hackers use to recruit new devices into a botnet is “credential stuffing.” This is a type of brute force attack that takes one of your passwords and tries it against numerous accounts until a login succeeds.
How did they discover your password? Well, there are a lot of ways, but an easy one is to see if your information was included in a data breach. The website “Have I Been Pwned?” allows you to see if your email was part of any recent data breaches.
A study done by Akamai found some pretty shocking statistics about credential stuffing, which is being used by botnets to launch massive attacks on financial institutions like banks. Here are some of their findings:
- 8.3 billion malicious login attempts detected between May and June of 2018 alone
- One botnet can make 300,000 login attempts per hour
- The U.S., Russia, and Vietnam were the largest sources of credential stuffing attacks.
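On the defending side, credential stuffing leaves a recognizable trail in login logs: one source trying many different accounts and mostly failing. The sketch below is an added example, not something from the Akamai study or the original article; the log format, thresholds, and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real traffic); the line format is an assumption.
SAMPLE_LOG = """\
2018-05-14T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2018-05-14T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2018-05-14T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2018-05-14T10:00:04Z ip=203.0.113.7 user=dave result=OK
2018-05-14T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2018-05-14T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2018-05-14T10:01:10Z ip=198.51.100.20 user=alice result=FAIL
2018-05-14T10:01:15Z ip=198.51.100.20 user=alice result=FAIL
2018-05-14T10:01:21Z ip=198.51.100.20 user=alice result=FAIL
2018-05-14T10:01:30Z ip=198.51.100.20 user=alice result=OK
2018-05-14T10:02:00Z ip=192.0.2.55 user=gina result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for sources that try
    many different accounts and mostly fail (hypothetical thresholds)."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ip = m["ip"]
        users[ip].add(m["user"])
        attempts[ip] += 1
        if m["result"] == "FAIL":
            failures[ip] += 1
    flagged = {}
    for ip, total in attempts.items():
        # A person mistyping their own password hits one account, so the
        # distinct-user count is what separates stuffing from ordinary typos.
        if len(users[ip]) >= min_users and failures[ip] / total >= min_fail_ratio:
            flagged[ip] = (len(users[ip]), total, failures[ip])
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The one successful login inside the flagged run (`dave` in the sample) is the account to reset first, since it means a reused password worked.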
In the case of the Mirai botnet, the malware simply scanned massive parts of the internet looking for open Telnet ports. Once it had targets in mind, it used a variation of 61 different username/password combinations that are often the default for connected devices and are rarely changed.
Just like that, the malware spread to countless devices. Once infected, Mirai scans for other malware on the device and wipes it out, ensuring that it has full control.
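Because an infected device scans for open Telnet ports, it stands out on its own network: a camera or router suddenly contacting many different addresses on TCP port 23. The following is an added example, not part of the original article or of any vendor tool; the flow-record format, the thresholds, and the sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

TELNET_PORTS = {23}  # the Telnet port the article refers to

# Constructed flow records "epoch_seconds src dst dst_port" (format is an assumption).
SAMPLE_FLOWS = (
    # A camera contacting 12 different outside hosts on Telnet in 12 seconds.
    [f"{1000 + i} 192.168.1.23 198.51.100.{i + 1} 23" for i in range(12)]
    # A laptop browsing HTTPS sites: many destinations, but not Telnet.
    + [f"{1000 + i} 192.168.1.10 203.0.113.{i + 1} 443" for i in range(12)]
    # The same laptop administering one local router over Telnet.
    + [f"{1000 + i * 5} 192.168.1.10 192.168.1.1 23" for i in range(3)]
)

def find_telnet_scanners(flows, window=60, min_targets=10):
    """Return {src: peak count of distinct Telnet destinations contacted
    within any `window` seconds} for internal sources at or above min_targets."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs inside the window
    peak = defaultdict(int)
    for rec in sorted(flows, key=lambda r: int(r.split()[0])):
        ts, src, dst, port = rec.split()
        ts, port = int(ts), int(port)
        # Only outbound Telnet from devices on the private (home) network matters here.
        if port not in TELNET_PORTS or not ipaddress.ip_address(src).is_private:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] <= ts - window:
            q.popleft()  # drop records that fell out of the sliding window
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_targets}

if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_FLOWS))
```

A device flagged this way should be taken off the network, reset, and given a new password before it is reconnected.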
What Can You Do?
Beyond the aforementioned website for checking if your email has been involved in a data breach, you can also use a tool from Imperva Incapsula to find out if any devices on your network are part of the Mirai botnet.
Make smarter decisions about your passwords, enable two-factor authentication whenever possible, and most importantly, educate yourself. Blissful ignorance is what got us all into this mess, so stay up-to-date on IoT security and empower yourself with knowledge to protect yourself in the digital world.
Ready to continue the conversation? Check out part two of this series here.