We live in a world where technology is something of an inevitable reality. And why not admit, while we’re at it, that this digital revolution has also greatly increased our everyday comfort? We now have smartphones capable of remotely controlling an array of other smart objects: from coffee machines to thermostats, from surveillance systems to connected toilets and so on.

We are always connected, perhaps too connected. We are constantly looking for the sexiest and most user-friendly app in order to make our lives simpler. And as such, we’ve signed a pact with the devil without even realizing it. The consequence? We are now heading at the speed of light towards a fusion between humans and machines.

Be it at work or at home, the advantages of such advanced connectivity with all these mundane devices are more than obvious. However, the question that now arises is how to deal with all these weird emerging protocols.

The continuous standardization of the architecture integrated within these smart devices tips the scale once more in favor of cybercriminals, who can now more easily ‘capture’ them in their net – botnet, that is. Indeed, connected objects are not that dangerous when taken into account separately, but they do pose a high risk when considered collectively, especially when this collective capacity is used to launch a DDoS attack.

You’ll probably think to yourself, if someone hacks your coffee machine and configures it so that it only serves you decaf, mornings may turn out to be a bit of a challenge. But what if someone uses your coffee machine, along with countless others, to form a zombie botnet army?

The portable PC market is already past its prime. These endpoints nowadays benefit from much better protection and, as such, computer-based botnets will slowly fade out of the picture. That being said, what are DDoS attack amateurs left with? #wink The rise of the machines offers them a new opportunity to create bigger, badder botnets that take less effort to build and are more difficult to detect. We assure you, though, our tone is not to be mistaken – this is not advertising, it’s merely a cold statement of how things are.

Humans VS Machines

Now that we’ve established why IoT-based botnets are ‘in’ at the present time, we shall proceed with illustrating a more concrete example.

On September 20, a DDoS attack of biblical proportions was launched against the krebsonsecurity.com website, the famous blog of one of the most acclaimed journalists in the domain of cybersecurity – Brian Krebs. We’ve already covered the principle of a DDoS attack conducted using a zombie botnet in one of our previous articles, therefore we will not dwell on the matter. The following paragraphs will however complete the details of the incident:

According to public records, the attack that Krebs’s website went through, and lived to tell the tale of, is one of the most powerful DDoS attacks ever recorded. Whereas in 2015 the record stood at 500 Gb/s, his blog took the full force of a blow of no more, no less than 620 Gb/s. After a few hours, the sheer pressure of the attack started to have an impact on the other clients that had subscribed to the same protection service as Krebs.

Forced by the circumstances, Krebs had to redirect his traffic towards what we call the internet black hole, or the localhost 127.0.0.1. This literally means that krebsonsecurity was temporarily deleted from the web and that the voice of Krebs was silenced… but not for long. Thanks to ‘Protect Shield’, a free service provided by Google to protect journalists against online censorship, the website was up and running in no time.

Conducted by a botnet called Mirai, this digital assault was based exclusively on connected devices: routers, DVRs and IP cameras. The latter were protected using only default usernames and passwords. So it does not come as a surprise that the number of cameras employed in the attack went up to 1,5 million, ten times more than the number recorded during the recent attack against the French hosting company, OVH.

The source code of the malware used in order to infect 1,5 million IP cameras was published online on the Hackforum community. As a renowned investigator in the field of cybercrime, Brian Krebs traced its publication to a user called Anna-Senpai. Meanwhile, the code of another botnet called LizardStresser, also based on IoT devices, was published on an online forum.

This practice is not at all random, as sharing malicious code enables other hackers to contribute to its development. Yes, indeed, nothing is original anymore, even in cybersecurity. Hence, hackers from all corners of the world can now try to improve and reuse the source code in order to coordinate more frightening attacks.

Rage against the Machines

All is well that ends well… but that doesn’t stop us from thinking: if we are neither part of the blogosphere nor an industrial giant, how can we ever face such an attack backed by millions of connected objects?

As far as the process of securing the IoT is concerned, smart devices are barely at the second phase of this dangerous cycle. We have witnessed the wonder until now, just to be hit by a cold shower in the aftermath. Vulnerabilities are being discovered by the minute in the IoT universe, and this is something that manufacturing enterprises need to become aware of immediately and act on. But what are we to do in the meanwhile? Just stand by and wait for them to finally integrate security features in their product design? It’s time we took matters into our own hands.

Generally speaking, IoT botnets are much easier to build than regular botnets, as developers can always take advantage of the remote internet connection protocol, a.k.a. telnet. The bonus with the Mirai botnet is that hackers designed it not only to exploit this vulnerability, but also to encrypt the traffic between smart objects and the C&C center. One more element to worry about, besides the fact that Gartner just predicted an obscene number of connected devices by 2020. Five years from now, planet Earth will have at least 6,4 billion of them.

In this case, how could we make our contribution to stopping this infection from getting worse? To break the chain between smart objects and the botnet C&C, one must simply reboot said devices and, as a consequence, wipe out all traces of the malicious code. Unfortunately, hackers scan the web continuously for new vulnerable systems and, unless properly protected, IoT devices will just end up infected again. The only way to truly keep this zombie virus from getting out of control is, wait for it… by changing the default password.

Such a simple measure, yet so effective. It might even prevent the Zombie Apocalypse.
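The reboot-then-reinfect cycle described above can be spotted from the network side, because a Mirai-infected device itself scans outward for telnet on many addresses. As an added example (not part of the original article), this Python code flags such devices in firewall connection logs. The log format, the 192.168.1.0/24 range, the thresholds and the extra port 2323 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: the internal range, thresholds and log format.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
TELNET_PORTS = {23, 2323}  # 23 = telnet; 2323 = common alternate telnet port
WINDOW = 60                # seconds
THRESHOLD = 5              # distinct external telnet targets within WINDOW

# Constructed sample log: "epoch src_ip dst_ip dst_port proto"
SAMPLE_LOG = """\
1474400000 192.168.1.50 203.0.113.10 23 tcp
1474400003 192.168.1.50 203.0.113.11 23 tcp
1474400005 192.168.1.20 198.51.100.7 443 tcp
1474400007 192.168.1.50 203.0.113.12 2323 tcp
1474400012 192.168.1.50 203.0.113.13 23 tcp
truncated line
1474400020 192.168.1.50 203.0.113.14 23 tcp
1474400031 192.168.1.50 203.0.113.15 23 tcp
1474400040 192.168.1.20 198.51.100.9 23 tcp
1474400100 192.168.1.20 198.51.100.9 23 tcp
"""

def find_telnet_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each internal IP to its peak count of distinct external telnet
    destinations inside any `window`-second span, if >= threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, proto = line.split()
            ts, port = int(ts), int(port)
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip blank or malformed lines
        if (proto == "tcp" and port in TELNET_PORTS
                and src in INTERNAL and dst not in INTERNAL):
            hits[str(src)].append((ts, str(dst)))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {count} external telnet targets within {WINDOW}s")
```

A device flagged this way is a candidate for the reboot and password change the article recommends; a single repeated telnet destination, like the second host in the sample, stays below the threshold.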

(About the author: Cristina Ion is community manager at ITrust SAS. This post originally appeared on her blog, which can be viewed here)
