What’s keeping Stanford professor Zakir Durumeric up at night? It’s the risk that your smart appliances, connected TV, Wi-Fi printer, and ISP-provided router are being co-opted by diabolical botnets seeking to stage their next global DDoS attack. Top researchers from Stanford University and Avast Software have taken a look at the growing risks posed by lax consumer IoT security and are presenting their findings at the USENIX Security Symposium in Silicon Valley, August 14-16.
The research team conducted antivirus scans of 83 million IoT devices across 16 million households worldwide and found the security posture of many common devices in the home to be alarmingly weak.
These devices spanned a wide range of categories, including computers, routers, mobile devices (smartphones and tablets), fitness trackers, game consoles, home automation (Nest-like devices), external storage, surveillance cameras, work appliances (printers, scanners, etc.), voice assistants, connected cars, TV and media devices, smart appliances, and other connected devices (such as smart lightbulbs).
The study found that more than a third of homes across the globe contain at least one IoT device. Adoption is more pronounced in North America, where two-thirds of homes have at least one IoT device and a quarter of homes have three or more. Despite known risks, the proliferation of easily hackable IoT devices has only grown since the 2016 DDoS attack by the Mirai botnet.
In what is considered the largest botnet attack in history, on October 21, 2016 Mirai took down much of the internet, including Swedish government sites and popular ecommerce and media sites like Airbnb, Amazon, CNN, EA, GitHub, HBO, Netflix, PlayStation, Reddit, Shopify, Spotify, Twitter, Visa, and Walgreens. Most surprisingly, the malware was not masterminded by a terrorist group seeking to attack U.S. interests; it was created by a couple of teenagers at Rutgers University seeking to knock off a bunch of Minecraft servers to increase traffic to their own.
They built Mirai to scan blocks of the internet for open ports on insecure IoT devices and log in with a list of common default passwords. They were then able to bombard servers with traffic until they crashed. It’s a simple concept that takes advantage of glaring vulnerabilities, yet it has the potential for enormous ramifications. According to Dyn, the domain name service (DNS) provider that was attacked, Mirai was estimated to have 100,000 malicious endpoints and 40-50 times the normal amount of packet flow bursts.
The weakest link
Although a lot of attention has been focused on protection against possible security risks posed by hot new tech products — including smart locks, voice assistants, and home automation — Avast CEO Ondrej Vlcek explained to VentureBeat why Alexa is not likely to bring about an IoT Armageddon.
“Amazon and Google are technology-first companies with vast engineering resources focused on security, and thus we’re not as worried about Alexa from a security standpoint,” he said. “The bigger concern [is] products connecting to the network that are made by companies who do not understand network security and do not have it as a priority.” He said that pretty much anything you can control with an app that connects to your home system is a risk.
The study found that the worst offenders are devices that have been sitting in homes for the past decade — smart TVs, printers, game consoles, CCTV surveillance cameras, and especially the ISP-provided routers most homes use to connect to the internet. Many of these devices are using obsolete FTP and Telnet protocols with open and weak credentials — the same protocols that gave rise to the Mirai botnet.
Durumeric warned, “It’s the most boring devices we have the most to worry about, not the shiny new ones getting all the news.”
War against the machines
The only encouraging finding of the study is that 90% of all devices globally are manufactured by just 100 vendors. Durumeric said that by presenting this study the researchers hope companies like Comcast, HP, Roku, PlayStation, and others will take steps to ensure their products are secure. Additionally, California law SB327 is going into effect to make preprogrammed default passwords illegal by 2020.
It’s a step in the right direction. But while the makers of consumer IoT devices play catch-up, there are several things enterprises can do right now to protect their networks, including installing IoT antivirus software.
“To address the associated security risks, enterprise IT managers must first ensure that IoT devices on the network are not using obsolete protocols like Telnet or FTP, and check that their admin interfaces have strong passwords,” advised Rajarshi Gupta, VP and head of AI at Avast. “Other best practices include network segmentation — separating IoT devices from key corporate subnets — to reduce the total attack surface, and regularly scanning your IP space to ensure that IoT devices are not exposed to the internet (through port forwarding or other means).”
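As an added illustration (not code from the study, Avast, or Stanford), the Python sketch below applies three of the checks described above to an inventory of your own network: IoT devices with Telnet or FTP open, IoT devices sitting inside a corporate subnet, and IoT devices exposed through port forwarding. The device records, subnet range, and port-forward rules are constructed sample data, and the `audit` function and its field names are hypothetical.

```python
import ipaddress

OBSOLETE_PORTS = {21: "FTP", 23: "Telnet"}
# Assumption: the key corporate range that IoT devices should be kept out of.
CORPORATE_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed inventory: what an internal scan of your own address space might record.
DEVICES = [
    {"name": "lobby-camera", "ip": "10.50.1.20", "iot": True, "open_ports": [23, 80]},
    {"name": "floor2-printer", "ip": "10.10.4.7", "iot": True, "open_ports": [21, 443, 9100]},
    {"name": "conf-room-tv", "ip": "10.50.1.31", "iot": True, "open_ports": [8008]},
    {"name": "hr-laptop", "ip": "10.10.2.15", "iot": False, "open_ports": []},
]
# Constructed edge-router rules: (external_port, internal_ip, internal_port).
PORT_FORWARDS = [(8080, "10.50.1.20", 80), (443, "10.10.9.9", 443)]


def audit(devices, forwards, corporate_subnets):
    """Return a sorted list of (device_name, finding) tuples for IoT devices."""
    forwarded = {}
    for ext_port, internal_ip, int_port in forwards:
        forwarded.setdefault(internal_ip, []).append((ext_port, int_port))

    findings = []
    for dev in devices:
        if not dev["iot"]:
            continue
        addr = ipaddress.ip_address(dev["ip"])
        # Check 1: obsolete cleartext management protocols.
        for port in sorted(set(dev["open_ports"])):
            if port in OBSOLETE_PORTS:
                findings.append((dev["name"], f"obsolete protocol {OBSOLETE_PORTS[port]} on port {port}"))
        # Check 2: segmentation, IoT should not share a subnet with corporate hosts.
        if any(addr in net for net in corporate_subnets):
            findings.append((dev["name"], "IoT device inside a corporate subnet"))
        # Check 3: internet exposure through port forwarding.
        for ext_port, int_port in forwarded.get(dev["ip"], []):
            findings.append((dev["name"], f"exposed to internet: {ext_port} -> {int_port}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(DEVICES, PORT_FORWARDS, CORPORATE_SUBNETS):
        print(f"{name}: {finding}")
```

Admin-interface password strength, the fourth item in the advice, cannot be derived from scan data and is not covered here.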