Experts have long warned that the inherent lack of security in many of the devices that make up the Internet of Things (IoT) would come back to harm us in the end. Now there is firm evidence that hackers are exploiting weak and default credentials on embedded devices to create botnets that are the sources of DDoS attacks.
Closed-circuit television cameras are among the most common devices on the IoT today. In October it was discovered that about 900 video surveillance cameras designed to protect businesses had been organized into a botnet. Apparently hackers took control of the IP-enabled cameras by using default or weak credentials. The attackers then directed the botnet to hurl an HTTP flood at a resource on a large cloud service. The attack peaked at 20,000 requests per second.
In this case, the compromised cameras were running embedded Linux with BusyBox, a package of common UNIX utilities. Security researchers who analyzed one of the cameras concluded it was infected with malware known variously as GayFgt, Lightaidra or Bashlite. The malware scans for network devices running BusyBox and then uses a brute-force dictionary attack to take them over.
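A dictionary attack of this kind leaves a recognizable trail in a device's login records: one source cycling through many usernames in a short span, sometimes ending in a success. The Python below is an added example, not code from the incident analysis; the log format, device name, addresses, function name and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the log format itself is an assumption for this example.
SAMPLE_LOG = """\
2024-01-01T03:14:01Z cam-17 login: FAILED user=root from=203.0.113.5
2024-01-01T03:14:02Z cam-17 login: FAILED user=admin from=203.0.113.5
2024-01-01T03:14:03Z cam-17 login: FAILED user=support from=203.0.113.5
2024-01-01T03:14:04Z cam-17 login: FAILED user=guest from=203.0.113.5
2024-01-01T03:14:05Z cam-17 login: FAILED user=user from=203.0.113.5
2024-01-01T03:14:06Z cam-17 login: OK user=admin from=203.0.113.5
2024-01-01T08:00:00Z cam-17 login: FAILED user=operator from=198.51.100.9
2024-01-01T08:00:40Z cam-17 login: OK user=operator from=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def find_dictionary_attacks(log_text, window=timedelta(seconds=60),
                            min_failures=5, min_users=3):
    """Flag (source, device) pairs whose failed logins within `window` reach
    `min_failures` across `min_users` usernames; note a success that follows."""
    recent = defaultdict(deque)  # (src, host) -> deque of (time, user) failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["src"], m["host"])
        q = recent[key]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if m["result"] == "FAILED":
            q.append((ts, m["user"]))
            users = {u for _, u in q}
            if len(q) >= min_failures and len(users) >= min_users:
                a = alerts.setdefault(
                    key, {"failures": 0, "users": set(), "compromised": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"] |= users
        elif key in alerts and q:
            # Success from a flagged source while its failures are still in the window.
            alerts[key]["compromised"] = True
    return alerts
```

On the constructed sample, only the source that tried five usernames in five seconds is flagged, and it is marked compromised because a login succeeded immediately afterward; the single mistyped login later in the day is ignored.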
This incident portends an ominous future for DDoS attacks via the IoT. As hundreds of millions of poorly secured Internet-enabled devices come online in the years ahead, we can expect to see malicious actors exploit this dramatically expanded threat surface to create unconventional botnets from which to launch attacks.
Preventing and mitigating the exploitation of the IoT is going to take quite a concerted effort. Device manufacturers and firmware and software developers need to build strong security into the devices. Installers and administrators need to change default passwords and update and patch systems – if this is even possible – when vulnerabilities do arise.
Some industry groups are beginning to look at frameworks and standards to address IoT security. The International Organization for Standardization (ISO) recently established a special working group (SWG) to look at the feasibility of updating the ISO 27000 series of standards to include new security requirements associated with the IoT. As the official U.S. member to ISO, the American National Standards Institute (ANSI) is calling for U.S. expert stakeholders to get involved in this new area of activity.
At the same time, the Institute of Electrical and Electronics Engineers (IEEE) has a working group developing an architectural framework to address IoT security, privacy and safety issues. In addition, various vendor alliances have formed to address different aspects of IoT security.
Until these efforts bear fruit – and it will take years – we are bound to see more and more events like the attack via the camera botnet. All you can do is put up your defenses and stay on guard.