In this series of posts about Security in IoT, I try to clarify the following questions:
Is our IoT devices secure enough against different attacks and how we can measure it?
How can we improve it?
What are the most common backdoors in IoT devices?
How we can detect the vulnerability of IoT devices?
What are the most common vulnerability in home appliances?
How hackers attack IoT devices?
Are new system secure enough from attacks?
Basically, this topic has different aspects, so, before jumping into some of them, I will start with the motivation of hacking a system by hackers and continue with some basics of security in this post and will go deeper into it in further posts.
What Hackers want
A hacker can hack a system for different reasons, earlier it was for bragging rights, but nowadays, these attacks are carried out by organized criminals for financial gains or for revenge or extortion or activism2. Besides that, IoT devices are collecting different information such as financial, health, etc. about users and organizations which is important, by hacking these devices hackers could access these data.
Why IoT Devices are good for attacking
There are five main reasons IoT devices are particularly advantageous for creating botnets/malware:
They are constantly connected to the internet and operate 24/7.
Due to rush to the IoT market, many device vendors neglect security in favor of user-friendliness usability.
They often have poor maintenance.
Considerable attack traffic. Contrary to common belief, IoT devices are powerful enough and well situated to produce DDoS attack traffic comparable to that of modern desktop systems.
Noninteractive or minimally interactive user interfaces. Because IoT devices tend to require minimum user intervention, infections are more likely to go unnoticed. Even when they’re noticed, there’s no easy way for the user to address them short of replacing the device 2.
In the next section, I will introduce the most common attacks for IoT devices.
Common attacks for IoT devices
Basically, there are two common types of attack for IoT devices, namely software and hardware attack. The following are most five common IoT attacks:
Denial of Service
Data & Identity Theft
Social Engineering is a kind of attack that based on human interaction and involves manipulating people to breaking normal security in order to access to network, systems, physical location or financial gain6.
Man-In-The-Middle Concept(MITM), in this attack, attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other7. For instance hacking of a Jeep Cherokee10.
In the next section, we will focus on DDoS and Botnets and how malware orchestrates a DDoS attack.
One of the most popular attacks is a Denial-of-Service attack in which the attacker tries to make the server or network unavailable to users. This can be done by disrupting services on the server side, for example, an attacker will flood the server or service/resource by so many requests and consequently, the system will be overloaded, and prevention services to be fulfilled.
For testing this kind of attack, you can use programs below:
LOIC (Low Orbit Ion Canon)
This simple application can be run/implemented in IoT devices as well. The challenge is just bringing code inside IoT devices.
Difference between DoS and DDoS attack
In DoS attack, just one user/computer do the attack against the server and, basically, it is not dangerous anymore, because the server will detect it and will close the connection with that specific user/computer. The following picture shows an overview of a DoS attack.
What if a DoS attack comes from multiple sources simultaneously? This attack called DDoS or Distributed-Denial-of-Service. In this attack, multiple computers try to overload the server by requesting services. The result is that normal users can not access the service.
The idea is to attack a server using IoT devices and the architecture of DDoS attack using IoT devices would be something like the following picture.
In this attack the following steps will be done:
(1) Attacker tries to upload malicious firmware to IoT devices either by hardware or software hacking => IoT device may dead
(2) Start communicating with the malicious server or download malware and become a botnet.
(3) By sending attack command by a hacker or malicious server, IoT devices start overloading a server by requesting services
(4) Users will be lost connection to the server as well as IoT device
Famous DDoS Attack
GitHub: On Feb. 28, 2018, GitHub was hit with a sudden onslaught of traffic that clocked in at 1.35 terabits per second11.
DynDNS: a lot of popular online services – including Netflix and Twitter – use DynDNS as a backbone to grant users access to their platforms. Due to this unprecedented DDoS attack executed by the Mirai botnet, none of these services were operational for nearly 24 hours12.
BBC: on December 31 of 2015, the BBC website was successfully taken down by a group known as the New World Hacking. Their massive DDoS attack took down the BBC site and even affected Donald Trump’s homepage as well12.
OCCUPY CENTRAL, HONG KONG: the PopVote DDoS attack was carried out on June of 2014 and targeted the Hong Kong-based grassroots movement known as Occupy Central.
Types of DDoS Attacks
Volumetric Attacks. This is the most common type of DDoS attack which we have described so far.
Application-Layer Attacks. This attack aims the topmost layer of the OSI network model which is the closest to the user’s interaction with the system. Attacks that make use of the application layer focus primarily on direct Web traffic. Potential avenues include HTTP, HTTPS, DNS, or SMTP9.
Protocol Attacks. A protocol attack focuses on damaging connection tables in network areas that deal directly with verifying connections. By sending successively slow pings, deliberately malformed pings, and partial packets, the attacking computer can cause memory buffers in the target to overload and potentially crash the system. A protocol attack can also target firewalls. This is why a firewall alone will not stop denial of service attacks9.
DDoS as a Service – DDoSaaS
In 8, researchers have reported 138% increase in DDoS attack with traffic more than 100 Gbps which involve IoT devices and easy availability of commercial DDoS service or DDoS as a Service for hire. For instance, it is possible to order a 5-6 Gbps DDoS attack lasting 10 minutes for 6$. DDoSaaS also know as booter or stresser can be used for knocking websites offline or perform stress tests on different network infrastructures. Most common attack tools for these purposes are as follow:
Shenron Attack Tool, it offers eight different packages which the cheapest one costs $ 19.99 and launch a 35 Gbps attack for 20 minutes with UDP and TCP traffic.
vDOS Attack Tool, it has thirteen different attack vectors available for DDoS Attack. The cheapest one costs $19.99 and gains access to 216 Gbps attack shared network.
how to orchestrate IoT devices in order to participate in an attack? The simple answer would be using malware(Malicious Software). So if the IoT device gets malware (become a bot) and joins the network of infected devices which called Botnet. Then they will get data and time of attacking to the specific server from a malicious server.
characteristics of IoT malware
Most of the IoT malware are Linux based malware.
Majority of the IoT malware has limited or no side effects on the performance of the host. They become active and perform DDoS on certain command from its botnet herders.
Many IoT malware resides on IoT devices’ temporary memory (RAM).
Most IoT malware does not use reflection or amplification techniques to launch an attack, so it is much difficult to recognize and mitigate the attack using the conventional methods.
Volume of traffic floods generated by IoT botnets are very high, in the orders of 100 Gbps or higher, in comparison to conventional PC botnets.
The location of the infected IoT devices are distributed all around the world (see figures 8 and 9 ).
Apart from generating commonly used traffic floods, namely, HTTP, TCP, UDP traffic, some IoT botnets generate unconventional traffic like GRE traffic and use uncommon “DNS water torture” technique during DDoS attacks.
Here is the list of malware that has been used in IoT devices:
Linux/Hydra is targeting IoT devices and is open source which is released in 2008.
Psyb0t is targeting Routers and DSL Modems used in 2009. Operated by IRC (Internet Relay Chat). It will effect IoT devices through Telnet and SSH access. It has 6000 usernames and 13000 passwords.
Chuck Noris is like Psyb0t. It can attack D-Link routers.
Tsunami is based on IRC bot which modifies DNS server setting of IoT devices in a way that it redirects traffic to the malicious server.
LightAidra/Aidra is an open source malware based on IRC and supports different microcontroller architectures such as MIPS, MIPSEL, ARM, PPC, x86/86-64 and SuperH. It looks for open ports that could be accessed through known credentials.
Carna is used to get an estimation of the IP address usages and measure the extent of the internet.
Linux.Darlloz spreads by exploiting an old PHP vulnerability to access a system and privilege escalation through default and common credential lists. It also supports a wide range of microcontroller architecture such as x86, ARM, MIPS, MIPSEL, PPC. After infecting the device, it drops the telnet traffic via iptables configuration and terminates the telnetd process to block users from accessing the infected device using Telnet. Symantec found that Darlloz has infected more than 31000 devices by February 2014 3. A newer version of Darlloz uses infected devices to mine crypto-currencies (Mincoins and Dogecoins) 3. Like Carna botnet, Darlloz also targets specifically LightAidra. It attempts to remove files and block any communication ports used by LightAidra.
Linux.Wifatch infects IoT device with weak or default credentials. Once infected, it removes other malware and disables telnet access.
TheMoon attacks specifically Linksys routers and exploits a command execution vulnerability while parsing ′ttcp_ip′ parameter value sent in a POST request. Command-and-Control servers (C2s) of the malware is capable of using SSL for end-to-end communication with their bots 4.
Spike / Dofloo
Mirai Malware (Botnet)
Mirai is a software that turns networked Linux devices to the controllable bot. So remote computer or malicious server can access them. In October 2016 hackers accessed thousands of IoT devices and took control of them and used them to flood the servers of important internet companies with malicious traffic. Today, Mirai Botnet is not limited to the IoT devices, which are not secure enough, but also they can be dangerous for unpatched Linux Server through the vulnerability in Hadoop Yarn13. The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models14 and Apache Hadoop YARN is the resource management and job scheduling technology in the open-source Hadoop distributed processing framework15. Due to the Hadoop YARN vulnerability, the attacker can run any command from Shell and therefore Linux malware can be installed13. Key findings of this Mirai Malware are:
Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures, they assume their targets are using x86.
Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware.
Even if the victim Hadoop YARN server is not running the telnet service, the Mirai bot will attempt to brute-force factory default credentials via telnet.
Linux servers in data centers have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots. A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet16 and 17.
In the next post, I will continue with Mirai Malware, and discuss the vulnerability of IoT devices which run Mongoose OS for communicating with AWS IoT.