IoT
12/5/2016
09:00 AM
Troy Dearing
Troy Dearing
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Reality Check: Getting Serious About IoT Security

The Department of Homeland Security is fully justified in urging security standards for the Internet of Things.

In an effort to curtail a new and disturbing cyberattack trend, the Department of Homeland Security has placed Internet of Things (IoT) device manufacturers on notice. The recent proclamation clarified how serious the agency is about the issue and how serious it wants corporate decision makers to be. In short, the DHS "Strategic Principles for Securing the Internet of Things" acknowledges the gravity of the current climate and the potential for greater harm by encouraging security to be implemented during the design phase, complete with ongoing updates based on industry best practices.

How this effort could affect upcoming product releases is yet to be seen, but these questions remain: How secure must products be before delivery to consumers? Will the liability of insecure Web devices translate to a burden for consumers unaware of proper security? This uncertainty could cause problems for those who produce or use IoT devices.

This move by the DHS was necessary. The recent Dyn DDoS attack made the susceptibility of these devices clear, and the sheer destructive potential makes the risks impossible to ignore.

An IoT Experiment
To determine the severity of the problem, I wanted to see how quickly an IoT device would be attacked once it was connected to the Internet. Would a user who bought an IoT webcam or printer have enough time to set up and securely configure the device before an attacker would compromise the device?

To help me answer this question, I had a couple of choices; I could purchase an insecure IoT device and monitor the activity targeting it, or I could configure a virtual device that would appear to an attacker to be a vulnerable IoT device fresh out of the box. This technique of luring attackers to monitor their efforts and techniques is known as a honeypot. Researchers have been using honeypots for years to study the way attackers gain access to a vulnerable device, as well as what they do after the exploit. I opted for the honeypot route, but it had to be set up just right.

The vast majority of the devices targeted by Mirai are running a stripped-down version of the Linux operating system, developed for multiple architectures (MIPS, ARM, x86, etc.). These machines generally run a tool called BusyBox — "The Swiss Army knife of embedded Linux," as developers refer to it. This single binary allows for the execution of more than 300 commands, cutting down on the space required of an operating system on an embedded device. Space isn't an issue for a honeypot, but it was important to have executables that are used by the code we saw when Mirai was made public.

I opted for a Debian Linux distribution, with BusyBox available just in case. I configured the honeypot to have the same ports open that these devices generally have — 23 and 80. After the configuration was complete, including setting up the same credentials seen in the recent attacks, it was time to find out how long people would have to secure a new IoT device that was connected to the Internet.

It turns out they wouldn't have much time at all. In less than 10 minutes, the honeypot was hit with 13 brute force attacks. After an hour of being online, it had been attacked 551 times, with more than 10 unique attackers having interacted with the honeypot. I continued to monitor all activity for the rest of the week. When I finally shut down the honeypot, it had been subjected to 2,665 brute force attacks and more than 108 sessions where there was an attempt to gain access. Some of those sessions resulted in malware being downloaded.

The Evolution of Mirai
The analysis of the malware wasn't what I expected. I was hoping to see the Mirai source code, but it was new code based on Mirai. It had only been a few days from the release of the source code and someone already had repurposed it and made minor tweaks — and here it was sitting on my IoT honeypot. This was a reminder that we shouldn't focus on a single signature when looking for follow-on attacks; if I had only looked for binaries that should have been downloaded by Mirai, I could have missed these new threats.

Based on my experiment, it's obvious that the DHS directive was needed. More must be done by device manufacturers to provide a modicum of security before release.

What Users Can Do
Fortunately, there are ways to ensure that network devices stay under user control:

  • Change default passwords. The devices compromised by Mirai had default credentials still in place, many of which consisting of the username "admin" or "root," and the password "admin" or "password." Users should ensure that any device deployed to their network has the default password changed.
  • Disable remote administration. By default, many devices allow for remote administration outside of the internal network. Administrative tasks should be performed internally if possible.
  • Keep firmware up to date. Because of the recent attacks, manufacturers are expected to release firmware updates to products to close down security holes, preventing subsequent attacks. By default, these devices require user interaction to apply these firmware patches. Make sure that before installing the latest firmware you back up the current working firmware and have it locally in case the update fails, so you aren't left with a broken device.

Related Content:

 

Troy Dearing (Gunnery Sergeant, Retired) joined Armor as a senior ethical hacker, bringing 20 years of expertise in IT and cybersecurity to the Threat Resistant Unit (TRU). Before joining Armor, Troy was a computer network operator for the NSA, where he was tasked with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CharityWright
100%
0%
CharityWright,
User Rank: Apprentice
12/6/2016 | 11:58:46 AM
Great Report!
Troy, great work man! So happy to see your work published here on DarkReading. The security world will benefit from your knowledge and experience. I really love that you set up an IoT honeypot to evaluate the time it takes to get hit. Many organizations are struggling to get a grip on Mirai and Bashlight malware. Thanks so much for your insight and recommendations!
Mark.Baugher
100%
0%
Mark.Baugher,
User Rank: Author
12/6/2016 | 8:35:55 AM
Is DHS the right agency to regulate security?
Great article, thanks!  Both Schneier and Krebs have called for regulation of devices that connect to the Internet - or any network since practically all connect to the Internet.  This raises the questions of who and how.  Krebs thought a UL type of organization is a promising approach.  Such testing and certification can be voluntary or mandatory, but I favor the latter.  Who should do iis a difficult question given the anti-privacy bias of the US government.  It's hard to trust any government agency to regulate a cyber-security function when leading government organizations in this space want to mandate backdoors in hardware and software.  There is a trust issue.

Don't get me wrong, the DHS is doing some good work in this area such as NCATS, the National Cybersecurity Assessment and Technical Services, https://www.us-cert.gov/ccubedvp/federal.  In pursuing NCATS for my company's products, I encountered some pushback from a couple of our most knowledgeable security engineers.  This is understandable given the role of the NSA and other government agencies in subverting the security of US-made networking products.  The blowback of these activities, many of them revealed by Edward Snowden, continues to plague US businesses.  For example, I recently had a European customer tell me that AWS was not suitable so long as US engineers have access to datacenters serving their customers.

Regulation of network gear is indeed necessary and overdue, but how to regulate and who will do it remains a problem.

 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.