IoT DoS Attacks – How Hacked IoT Devices Can Lead To Massive Denial of Service Attacks

Finjan TeamBlog, Cybersecurity

Finjan IoT DoS Attacks   How Hacked IoT Devices Can Lead To Massive Denial of Service Attacks

Ever since its inception, the IoT or Internet of Things has drawn widespread criticism for the lack of consideration given to security matters, in the design and deployment of its hardware, software, and infrastructure components. This negligent attitude has resulted in various weaknesses, which hackers and cyber-criminals have already successfully exploited to compromise IoT elements so that they can be misused for various purposes – including the staging of Denial of Service or DoS attacks.

In this article we will take a closer look at the Internet of Things and the growing threat from IoT DoS Attacks.

What are DoS and DDoS Attacks?

A Denial of Service or DoS attack is an attempt by its perpetrator to incapacitate a network or online resource, typically with an excessive surplus of the kind of activity that it would normally attract. This might take the form of authentication requests from registered and prospective users, processor cycles for game-play, messages, download requests, etc.

DoS attacks can succeed in their objective by clogging the data traffic stream to their targets so much that the site or resource becomes unusable, or by overtaxing hardware and underlying infrastructure.

A lone attacker using one machine is unlikely to be able to generate enough data transmission activity to take down anything other than the smallest and least powerfully protected websites. So attackers tend to recruit help in staging DoS attacks – however unwilling.

This help usually consists of a “zombie army”, “botnet” or collective of “bots” – computer systems and devices which have been compromised by malware distributed by the attacker, using phishing or social engineering tactics, malicious advertising (“malvertising”), booby-trapped websites, malware-laden file attachments, etc.

Once installed on an unsuspecting user’s device, this malware effectively cedes control of at least part of their system to the attacker, enabling them to redirect data or network requests to their real target – the website or resource earmarked for DoS attacks.

With the internet allowing cyber-criminals 24/7 access to lay their malware traps worldwide, the victims making up a zombie army can potentially be located anywhere across the globe. And the number of bots could potentially range from a few dozen machines to hundreds of thousands of individual systems.

At the larger end of the scale, botnets may be used to target huge global networks like social media platforms, or even marshaled into specialist units (depending on the sophistication of the malware) to target specific areas on designated websites, in what are known as Distributed Denial of Service or DDoS attacks.

The Role of IoT

As security professionals around the world will confirm, the IoT or Internet of Things consists of a growing ecosystem of responsive and interconnected devices, sensors, software, and infrastructure – much of which has been designed, constructed, and deployed with little in the way of protection against security vulnerabilities and cyber-threats.

So for the orchestrators of DoS and DDoS attacks, IoT hardware, software, and infrastructure represent a potential bonanza, in terms of the number of devices and processes that may be infected with malware and called upon to do their bidding.

As we’ve already suggested, the Internet of Things continues to expand, with the number of its separate hardware components vastly outnumbering the equivalent “populations” of mobile phones, or desktop computing devices. Conservative estimates reckon that by 2020, there will be around 34 billion internet-connected devices, on the planet, the majority of which (24 billion) will be IoT devices. More generous estimates expect the IoT device population to exceed 50 billion by the year 2020.

However, most sources are in agreement that roughly 70% of the most commonly used IoT devices continue to contain software vulnerabilities. And unless that figure can be severely reduced, there may be rough times ahead.

IoT DoS Attacks – How IoT Devices Are Being Hacked

Despite their often sophisticated and commercially attractive exterior design, many IoT devices are constructed from cheap generic hardware components. These chips and firmware typically contain security vulnerabilities which are effectively baked in, and therefore difficult for owners and operators to trace. In addition, the infrastructure and coordination for the wireless issue of firmware and software updates are still at a rudimentary stage. So these unsecured IoT devices are also difficult to upgrade or patch.

The fact that so many IoT devices contain generic components from a relatively small set of manufacturers means that a weakness in one set of IoT hardware is likely to be repeated across a huge range of products. So if one device “catches a cold” it’s very likely that the same infection can be spread to similar IoT devices across the globe – and to any hardware that contains the same unsecured core elements.

With the always-on (or at least, always “listening”), always online, and interconnected nature of IoT devices, they’re in effect being constantly bombarded by all that the internet has to offer – including the malware payloads which can potentially be delivered to the home, office or urban systems of which they form a part.

The lack of filtering that occurs as information passes through servers of the Domain Name System or DNS (which is responsible for matching names to IP addresses on the internet – often for many different organizations at a time) can add to this threat, with information from hacking and cyber-criminal networks making its way through, alongside more legitimate data.

And hackers have been enjoying access to a wider range of resources in recent years, as their own communications channels and the so-called “Dark Web” make tools and software available to them for free, or as market commodities. For example, in 2016 the source code for Mirai, a user-friendly program which enables even unskilled hackers to take over online devices and use them to launch DDoS attacks, was openly released on the Dark Web, in what was the prelude to a new age of vastly accelerated DoS attacks.

IoT DoS Attacks

The Mirai malware scans for IoT devices which are still using their default or factory issued passwords, then ropes them into a botnet which can be used to launch IoT DoS attacks. And in October of 2016, it was used to stage one of the biggest Distributed Denial of Service attacks ever recorded.

Its target was the internet infrastructure services provider Dyn DNS (now known as Oracle DYN), and the attack consisted of a wave of DNS queries from tens of millions of IP addresses. This was made possible through the Mirai infection of over 100,000 IoT devices, including IP cameras, DVRs, cable set-top boxes, and printers.

At its peak, this Mirai botnet included 400,000 bots, and the attack bombarded Dyn DNS with up to 1.2 TBps of bogus traffic, making it impossible for the service to respond to genuine DNS requests from the websites of its customers. As a result, major platforms including Twitter, PayPal, Reddit, Amazon, Airbnb, and Netflix were rendered unavailable to users across the globe, for several hours.

IoT devices and components are currently deployed across a wide spectrum of applications, and their security flaws leave them vulnerable to attack in a range of circumstances and environments, beyond the simple Denial of Service to online consumers. For instance, while flying from Madrid to Copenhagen in November 2017, security researcher Ruben Santamarta was able to successfully reveal a flaw in the Wi-Fi network security of a Norwegian Airlines flight.

Launching the Wireshark network monitoring utility from his laptop, Santamarta observed unusual behavior from the plane’s Wi-Fi network, including the assignment of a public, routable IP address to his internal IP, and the external running of random network scans on his computer.

Closer observation revealed that the aircraft’s satellite modem data unit (MDU) was exposed, and set up with the Swordfish back-door. This mechanism was enabling a router from an IoT botnet based on the Gafgyt malware kit to reach out to the satellite communications modem on the in-flight airplane, scanning for new potential zombies.

This was just the latest in a series of security vulnerabilities affecting satellite communications systems in the aviation and maritime industries, satellite equipment vendors, and other sectors which Santamarta had been following since 2014.

The Growing DoS Economy

As for the future, many of the numbers and much of the activity on the ground actually favor the cyber-criminal.

Since the last quarter of 2017, organizations across the globe have been experiencing an average of 8 DDoS attack attempts each day, largely powered by unsecured IoT devices and the deployment of “DDoS-for-hire” services, which for a fee will assemble a massive botnet and launch an assault against a target of your choice. Access to this thriving DDoS-as-a-Service economy may be had for as little as $20 an hour.

Ransom Denial of Service (RDoS) is also a growing sector, in which companies are extorted for protection money, to ensure that they won’t become the victims of future DDoS or DoS attacks.

Some User-level Interventions to Prevent IoT DoS attacks

For individual and corporate users, there are several precautions that can be taken right now, to reduce the level of vulnerability to IoT Denial of Service attacks. These include:

  • Check your DNS name servers, and where possible increase their number and distribution to allow for diversity and redundancy. This reduces the risk posed by having a single point of failure which can cripple your operations if the service goes down.
  • If you own or operate any IoT devices, be sure to change their default passwords.
  • Disable any Universal Plug-and-Play (UPnP) settings on your connected devices. This setting is enabled by default on all IoT devices and provides an open invitation for malware to infect routers and local networks.
  • Disable any router settings for Remote Management through Telnet, as this mechanism allows one computer to control another from a remote location, and has been used in previous Mirai DoS attacks.
  • As far as possible, keep your network routers and IoT devices updated for their software, firmware, and security patches.
  • Use an online tool like Bullguard’s IoT Scanner, to verify the status of your IoT devices in terms of their vulnerability to Mirai infections. If weaknesses are discovered, get in touch with the manufacturer and/or search for online sources of security patches.

These measures should be regularly revisited, to ensure the continued protection of your devices from IoT DoS attacks.

Share this Post

Finjan IoT DoS Attacks   How Hacked IoT Devices Can Lead To Massive Denial of Service Attacks
Article Name
IoT DoS Attacks | Hacked IoT Devices Can Lead To Massive DoS Attacks
Poor security design of many IoT devices readily allows them to be infected and used as bots in the staging of Denial of Service or DoS attacks.
Publisher Name
Publisher Logo