The Internet is a constantly changing, living organism. With the tremendous growth of Internet connected devices, we are seeing this living entity enter into a sort of “adolescence” as it struggles through this massive influx of new hosts.
Similar to our own bodies, cells of the Internet are attacking other cells (sometimes on an exceedingly large scale) at the click of a button.
Anatomy of the attack
At 7 a.m. ET on Oct. 21, 2016, major websites like Twitter, Spotify, Etsy, Netflix and GitHub were all either knocked offline or suffered from serious service degradation. How was this accomplished? Dyn, one of the largest IPM (Internet Performance Management) companies in the country, was targeted with a Distributed Denial of Service attack. Flooded with bandwidth-crushing amounts of garbage traffic, it took Dyn a good part of the day to restore services.
But where did all of this traffic originate? From your neighbor’s security camera? The printer at your kid’s school? Your grandmother’s freshly purchased DVR? All of these devices are potential conscripts, or “zombies,” just waiting to be utilized as a collective Ion Cannon to blow some website offline for an imagined slight you know nothing about.
How can I prevent my devices from being used like this?
There are lots of potential negatives with your new cloud-connected refrigerator being converted into a Denial of Service zombie. Besides the damage this does to the targets, these attacks also affect your local bandwidth, clogging up switches and routers in your home as they repeatedly perform their malicious mandate. They can even become unable to perform their original purpose if they are being used as an assault puppet to attack Netflix over and over again.
Then there are the additional security concerns. A hacker has penetrated a device that lives on your internal network, right next to all of your other devices, which probably consider traffic from this device to be internal and potentially “safe.” Besides, if they figure out a way to turn your fridge off, you won’t have milk for your coffee tomorrow.
To address these concerns, we need to start practicing safe deployment procedures for these devices, just like we would any other bastion host or forward exposed server. You should secure your jukebox before it begins attacking government agencies on-demand while simultaneously streaming Pearl Jam for your dinner party guests.
- Use more secure passwords.
I put this as the first step for a very important reason. Everyone knows the password to your device right now. I can find out the default password with a simple Google search. Do not plug any device into your network until you have updated default passwords to something more secure. Use a password with sufficient entropy to prevent brute force penetrations. You have no idea how this vendor has decided to encrypt your password. Do not reuse passwords across devices. To make your life easier and try to relieve your password fatigue, we wrote a Playbook for Password Complexity.
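One way to turn the three rules above (no default credentials, enough entropy to resist brute force, no reuse across devices) into a check you can run before a device goes online. This is an added example, not code from the original post or the Playbook it mentions; the default-credential list is a constructed placeholder, the 60-bit threshold is an assumed minimum, and the entropy estimate is the usual rough log2(charset ** length) figure rather than a measure of how the vendor stores the password.

```python
import hashlib
import math

# Constructed placeholder for the kind of default credentials a search turns up.
# Not a real vendor list; extend it from your own devices' documentation.
KNOWN_DEFAULTS = {"admin", "password", "12345", "1234", "root", "default"}


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes present).
    Good enough to reject short or single-class passwords; not a cracking model."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation plus space
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def fingerprint(password: str) -> str:
    """Keep only a hash in the device inventory so the reuse check does not
    require storing the passwords themselves."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_device_password(password: str, inventory: dict, device: str,
                          min_bits: float = 60.0) -> list:
    """Return the list of problems with a candidate password for `device`.
    An empty list means it is acceptable. `inventory` maps device name ->
    fingerprint of the password already in use on that device (assumed layout)."""
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known default credential")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        problems.append(f"only about {bits:.0f} bits of entropy (want >= {min_bits:.0f})")
    fp = fingerprint(password)
    reused_on = sorted(name for name, h in inventory.items() if h == fp and name != device)
    if reused_on:
        problems.append("reused on " + ", ".join(reused_on))
    return problems


if __name__ == "__main__":
    # Constructed inventory: the camera already uses a strong password.
    inventory = {"camera": fingerprint("Tk7#vq!L2m9$Qw4e")}
    for dev, pw in [("dvr", "admin"), ("dvr", "Tk7#vq!L2m9$Qw4e"), ("dvr", "Zp3&nR8!wQ1^Lm5v")]:
        print(dev, repr(pw), "->", check_device_password(pw, inventory, dev) or "ok")
```

Run it on each device's proposed password and keep the fingerprint inventory alongside your device list; adding the fingerprint after a password is accepted is what makes the reuse check catch the next device.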
- Don’t connect the device unless you need to.
Plenty of devices are being developed today to join the Internet of Things (IoT). Not necessarily all of them should be. If there is not a need for your device to have external Internet access, don’t allow it!
- Firewall unnecessary traffic.
Just like any other application server, this device should be behind your firewall, preventing unwanted access. If you have no need to access administration from outside your network, there should be no external access to this device. Manage your web cameras from inside your internal network, and do not provide an external avenue to access the management interface. If you absolutely must allow traffic through the firewall, try to reduce the range of IP addresses allowed to access this service. Your password strength is much more important in this scenario, as well. We don’t want just anyone to be able to login to your security system. If this device does not implement password protection for the service, do not expose it, period.
- Demilitarize your IoT device.
Even if you have restricted all inbound traffic to this device, consider deploying devices like these to a demilitarized or stand-alone network that blocks traffic to your other devices. This way, when your new Smart TV is compromised, it can't then be used to attack your laptop or other devices on your internal network.
- Update to the latest firmware and install any vendor-provided updates.
With their exceedingly high output, vendors are struggling to keep up with the vulnerabilities being discovered within their devices. Several of these devices are being penetrated using attacks that are leveraging vulnerabilities that have been identified and patched for over 10 years! Update your device’s firmware to the latest version you can acquire from your vendor, and then apply all software patches they have available.
- Disable universal plug and play.
With so many vulnerabilities present in UPnP, there is a potential for a hacker to identify devices beyond your local network. While this protocol is very cool for connectivity, it is frequently best to leave it disabled.
- Do not integrate with cloud services unless it provides a benefit you are actually using.
Some devices don’t work without their cloud integration (something you should consider before purchasing). This requirement alone forces you to plug into your network. If you don’t have a need for the functionality provided by these cloud services, leave them off, and your device disconnected. There is no reason to introduce vulnerabilities into your local network just so you get the latest cool background on your picture frame. (Unless, of course, this is why you bought the picture frame.)
- Monitor your devices.
If these devices are on your network, they have an IP address. Identify this address, and monitor the traffic they generate. There are several ways to do this, but the easiest is usually to look at your firewall. If you see anything unusual, including large amounts of traffic, you should consider disconnecting the device, restoring it and then re-hardening before putting it back online.
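The monitoring step above (and the "carefully monitor the traffic it generates" check after re-deploying a restored device) can be automated against a firewall log export. The following is an added example and not code from the original post: it parses a generic key=value log format (assumed; adjust `parse_line` to your firewall's export), constructed sample lines using private and documentation address ranges, and flags any internal host whose outbound volume is well above an assumed per-device baseline or that talks to more distinct external hosts than a single-purpose device should.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home network range

# Constructed sample log: a laptop talking to two web hosts, plus a camera
# (192.168.1.77) that suddenly contacts 40 different external hosts.
_lines = [
    "ts=1477033200 src=192.168.1.50 dst=203.0.113.10 dport=443 proto=tcp bytes=4200",
    "ts=1477033201 src=192.168.1.50 dst=203.0.113.11 dport=443 proto=tcp bytes=3100",
    "ts=1477033202 src=192.168.1.50 dst=203.0.113.10 dport=443 proto=tcp bytes=900",
]
_lines += [
    f"ts={1477033210 + i} src=192.168.1.77 dst=198.51.100.{i + 1} dport=80 proto=tcp bytes=1500"
    for i in range(40)
]
SAMPLE_LOG = "\n".join(_lines)


def parse_line(line: str) -> dict:
    """Parse one 'key=value key=value' log line (assumed export format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": ip_address(fields["src"]),
        "dst": ip_address(fields["dst"]),
        "bytes": int(fields["bytes"]),
    }


def summarize(log_text: str) -> dict:
    """Per internal source IP: total outbound bytes and the set of distinct
    external destinations. Traffic that stays inside the LAN is ignored."""
    stats = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] not in LAN or rec["dst"] in LAN:
            continue
        entry = stats[str(rec["src"])]
        entry["bytes"] += rec["bytes"]
        entry["dsts"].add(str(rec["dst"]))
    return dict(stats)


def find_suspects(log_text: str, baselines: dict, max_distinct_dsts: int = 20) -> dict:
    """Flag devices worth pulling offline for inspection.
    baselines: device IP -> expected outbound bytes for the log window (assumed
    values you measure while the device is known-good). A device is flagged
    when it sends more than 3x its baseline, or when it reaches more distinct
    external hosts than max_distinct_dsts."""
    suspects = {}
    for src, s in summarize(log_text).items():
        reasons = []
        baseline = baselines.get(src)
        if baseline is not None and s["bytes"] > 3 * baseline:
            reasons.append(f"{s['bytes']} bytes outbound vs baseline {baseline}")
        if len(s["dsts"]) > max_distinct_dsts:
            reasons.append(f"{len(s['dsts'])} distinct external destinations")
        if reasons:
            suspects[src] = reasons
    return suspects


if __name__ == "__main__":
    # Constructed baselines: roughly what each device sent in a quiet window.
    baselines = {"192.168.1.50": 10000, "192.168.1.77": 2000}
    for ip, reasons in find_suspects(SAMPLE_LOG, baselines).items():
        print(ip, "->", "; ".join(reasons))
```

Record a baseline per device while it is freshly hardened and known-good; a security camera or DVR that normally speaks to one or two cloud endpoints has no business fanning out to dozens of hosts, so the distinct-destination count is usually the earlier and more reliable signal than raw volume.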
- Consider not taking your personal devices to work.
This is a hard one. I'm not trying to say hackers are standing by just waiting for you to carry your cool new Fitbit into the office, but … potential is potential. These devices serve a purpose, and we have to assume some level of risk in order to be connected to the world, so use your best judgement. Your organization should have a policy in place regarding allowed personal devices. Find out what it is and follow it. If there isn't one, then contact your workplace IT administrator before you connect the device to your work network (and perhaps suggest they develop a personal device policy).
What to do if your IoT device is compromised
So you think your IP camera is potentially attacking Amazon? We can’t have that. They might stop shipping to you if they figure it out, which means your baby monitor just cancelled Christmas. Let’s resolve this one as quickly as possible …
- Take the device offline.
Unplug it from the network and power it down. This will clear any running processes and stop it from generating any new traffic. Depending on the exploit, this device may immediately resume the attack the second you power it back up. Don't apply power until you are ready to perform a firmware reset. When you do power it up, do not have it connected to the network, or demilitarize it in a stand-alone network. If it is a wireless device, disable the wireless functionality immediately after startup. If the malware has bogged the device down so much that you cannot do this, temporarily disable your wireless router or change your wireless network password. (At this point, you should probably consider that anyway.)
- Reset the device back to factory default.
Depending on your device, this can be really easy or really involved. Some IoT devices maintain a copy of their original firmware in a ROM you can restore with a simple button press. On a Raspberry Pi, on the other hand, you would need to remove the SD card and recreate the disk image. Review your manufacturer documentation, identify the procedure for restoring the firmware and then proceed. If you absolutely must connect the device to the Internet to accomplish this, consider putting it on a new demilitarized network. Only keep it connected for the period of time it takes to perform the firmware restore.
- Change all passwords, including the Telnet and SSH passwords.
Change all the passwords on the device. Some devices don't update the remote access passwords (i.e. SSH or Telnet) even though they update the web interface password. Review your documentation (and perhaps check Google as well). If there is additional remote access capability, then access your device and make sure these passwords are changed to something more secure.
- Using the list above, re-harden and then re-deploy your device.
Now that you’re restored back to factory defaults, run through the procedures above to make sure your device is properly hardened, and then bring it back online. After doing so, carefully monitor the traffic it generates to confirm that the malware has been removed.
Any online device is a potential zombie!
Remember that, regardless of the device and its seemingly innocuous purpose, if it is connected to a network, then there is a potential for exploit.
There is no such thing as a 100 percent secure network-connected device, whether it’s a firewall, laptop, camera or toaster. While these new devices don’t fit within our traditional ideas of “network” hardware, they are as vulnerable to attack as anything else and should be managed as such. We assume these mundane devices are secure because we’re used to them being safe, but that is no longer the case once you plug them into your network. Your coffee machine can now download the weather while brewing your morning cup of joe, which is incredibly cool, but not necessarily a safe operation. If we all work harder to educate ourselves and secure and monitor our devices, the collective effort can help make the IoT — and the Internet at large — a more reliable and safe ecosystem.