Hacking is a term that most people associate with an attack aimed directly at them: a criminal is after my data, my identity, my files, and I need to do what I can to protect my stuff. That is no longer the situation in the interconnected world that has been built. There are criminals looking to get your data, but recent attacks on “Internet of Things” (IoT) devices show that something far more powerful is being attempted. The last two major IoT device hacks have changed the way we think about how these devices can be used in an attack.

The Mirai bot is a piece of malware that was spread to vulnerable devices, mainly cameras and other low-powered, internet-enabled devices. In 2016 the bots were triggered to attack the backbone DNS of major providers, which disabled internet services on the east coast of the United States. This attack sent thousands of devices to hit a target in a Distributed Denial of Service (DDoS) attack to take a site down.

Although the bots were running at the same time, they were not collaborating, yet. Mirai has since evolved to work in more of a partnership to mine bitcoins. This approach is a poor way to actually get coins because the devices themselves do not have the processing power to do much. The authors of the malware would know this, so why would they go to all the trouble of writing it into the malware? The concerning answer is that it was a proof of concept to get the malware in the wild to work together.

Another recent IoT attack used an old vulnerability in home network routers known as the Misfortune Cookie. Approximately 12 million devices on the Internet are vulnerable to this attack. The exploit attacks the web interface known as RomPager v4.07 running on port 7547. A Shodan search shows that 47 million devices have that port open to the Internet. Vulnerable routers were infected with malware recently and began coordinated attacks against WordPress sites. Like Mirai, this was a distributed attack.

There have also been the Leet Botnet, the Amnesia Botnet, and BrickerBot. There will be more, but thus far the bots are doing DDoS flood attacks or local attacks on the device itself.

What’s next?

The next evolution of IoT hacking is coordination: using the devices together as one distributed quasi-supercomputer. This concept already exists and has been around for 10+ years. If you are familiar with SETI@Home, you have seen what could be done with IoT hacking. SETI@Home is a voluntary project where users donate the unused processing power of their computers to crunch data from SETI to find ‘aliens’. It is a massive distributed computing project aimed at speeding up the calculation and analysis of all the radio data they bring in. What could happen when your device’s computing power is used in this way?

Think about a home router attack. The top rated home router right now is the Netgear Nighthawk series. This router is very powerful for a WiFi router. This device is basically a mini-computer and has a processor just as powerful as most laptops, a 1.7GHz Quad Core. As time goes on, as broadband gets faster and HD and 4K video get more popular, the power of network devices will have to keep up to process all that network data. If you were an IoT hacker and found a zero-day vulnerability for one of these devices, you would have access to tens of thousands of high-powered processors. Instead of attacking websites, perhaps the power could be used to crunch an encryption key, brute a password hash in a fraction of the time, mine bitcoins, flood the stock market with bogus trades, and so on. Sending 100,000 devices to hit a source at a specific time is one thing. Having 100,000 working clustered or in parallel on a specific computing task is something different. Since this scenario is not an ‘attack’ toward a site, I would bet external detection would be nearly impossible unless performance of the router is seriously degraded.

The other unfortunate benefit to the criminals is that IoT devices and home routers are often forgotten in patch cycles. Unlike Windows or MacOS, those devices generally do not auto-update. Most users probably don’t log in to their admin consoles regularly, or at all after install. The rest probably don’t realize they should check for updates or don’t know how to apply them. That leaves vulnerabilities like the Misfortune Cookie in the wild for years and years.
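As an added example (not from the original post), here is one way an owner or administrator could triage an inventory of their own devices for the two conditions described above: the RomPager v4.07 interface on port 7547, and devices that have dropped out of the patch cycle. The record fields, hostnames and the 365-day threshold are assumptions made for illustration.

```python
import re
from datetime import date

MGMT_PORT = 7547          # port the article names
NAMED_VERSION = (4, 7)    # RomPager v4.07, the version the article names
MAX_AGE_DAYS = 365        # assumed policy threshold, not from the article
BANNER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

def parse_rompager(banner):
    """Return (major, minor) from an HTTP Server header, or None."""
    m = BANNER_RE.search(banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit(records, today):
    """Return (host, severity, reason) findings, most severe first."""
    findings = []
    for rec in records:
        host = rec["host"]
        exposed = MGMT_PORT in rec.get("wan_ports", ())
        named = parse_rompager(rec.get("server_banner")) == NAMED_VERSION
        if named and exposed:
            findings.append((host, "high", "RomPager 4.07 reachable from WAN on 7547"))
        elif named:
            findings.append((host, "medium", "RomPager 4.07 present, not WAN-exposed"))
        elif exposed:
            findings.append((host, "medium", "7547 open to WAN, banner not identified"))
        # Patch-cycle check: never checked, or checked too long ago.
        checked = rec.get("last_update_check")
        if checked is None or (today - checked).days > MAX_AGE_DAYS:
            findings.append((host, "low", "no firmware update check within policy window"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))

# Constructed inventory records (hostnames, banners and dates are made up).
SAMPLE = [
    {"host": "router-a", "wan_ports": [80, 7547],
     "server_banner": "RomPager/4.07 UPnP/1.0", "last_update_check": None},
    {"host": "router-b", "wan_ports": [],
     "server_banner": "RomPager/4.07 UPnP/1.0", "last_update_check": date(2017, 1, 10)},
    {"host": "camera-c", "wan_ports": [7547],
     "server_banner": None, "last_update_check": date(2014, 6, 1)},
    {"host": "router-d", "wan_ports": [443],
     "server_banner": "nginx", "last_update_check": date(2017, 3, 1)},
]

if __name__ == "__main__":
    for host, sev, reason in audit(SAMPLE, today=date(2017, 4, 1)):
        print(f"{sev:6} {host:9} {reason}")
```

A device can appear twice, once for exposure and once for patch age, so the list reads as a prioritized to-do rather than a count of affected hosts.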

This is the future of the IoT attack landscape if it isn’t happening already. There are indications that the criminals are beginning to think about it and test it in the wild.

With IoT ownership comes IoT responsibility. Today there isn’t much… from the owners or the creators.

End of line.

 

Binary Blogger has spent 20 years in the Information Security space, currently with Magenic, providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
