On July 3, Cloudflares global DDoS protection system, Gatebot, automatically detected and mitigated a UDP-based DDoS attack that peaked at 654 Gbps. The attack was part of a ten-day multi-vector DDoS campaign targeting a Magic Transit customer and was mitigated without any human intervention. The DDoS campaign is believed to have been generated by Moobot, a Mirai-based botnet. No downtime, service degradation, or false positives were reported by the customer.
Almost 2 and a half months have passed since this article was written, regarding the infamous Mirai IoT Botnet. According to the OWASP Internet of Things (IoT) top 10 vulnerabilities from 2018, that long ago, the top risk was weak, guessable, or hardcoded passwords.
IoT devices can easily get compromised by weak passwords. As seen with SSH, passwords can easily get brute-forced. The same goes for a lot of companies providing online services, such as Microsoft, Apple, and Google, who provide multi-step or multi-factor authentication for various things. Since we have proven-reliable ways to improve our technology, why do so many IoT devices do the opposite?
Weak or easily guessable passwords (such as dictionary words) that are set by the user arent necessarily the device manufacturers fault, although it would be in their best interest to enforce limits on how weak a password can be.
According to HIPPA Journal, 1 in 5 enterprise users set weak passwords. For enterprise IoT devices, chances are a weak password was set for it as well. If this isnt bad enough, a study done by LastPass has shown that there are real-life risks of re-using the same passwords, which showed that:
- 91% of those surveyed know its risky to reuse passwords, but 61% of them do it anyway.
- Their top reason for changing a password? They forgot about it.
- Only 29% of respondents change their passwords for security reasons
If an IoT device doesnt need a specific network-related service that is enabled on it, that service should get removed. Having these services will compromise that device or other devices on the same network. If the device accesses insecure APIs, cloud servers, or other interfaces, issues such as a lack of authentication or encryption can open up the device/network to additional problems. Similarly to insecure network access, insecure data transfer and data storage can make it easier for data breaches to occur from the IoT device itself.
For every so many recent Windows 10 update-related issues, theres an IoT device out there without a secure way to deliver and/or install updates, validate the installed firmware, a lack of anti-rollback mechanisms for security fixes, and a lack of notifications if security settings got changed. Microsoft Windows 10 (and versions before it), due to the operating systems use size and importance in many environments, needs to have a secure way to deliver updates. If Windows 10 can have secure updating, shouldnt our IoT devices do the same? Given the wide arrange of use cases for IoT, secure updating should be a top priority.
Similarly to a lack of updates, reliance on obsolete or outdated components with known vulnerabilities could easily lead to the devices that the software runs on getting compromised. Such an issue can be exploited for unauthorized/unwanted access to a device. Additionally, using insecure customizations to the operating system or untested third-party operating systems and/or software can also compromise a device.
If an IoT device gets shipped with insecure default settings, especially if there isnt a way to manually set these settings, there may be near-permanent security holes that the device administrator wont be able to fix themselves. Along with a lack of hardening measures, attackers will be able to easily gain information that can help with further attacks, stealing data from the specific IoT device or other devices, among many other issues.
In the highly Internet-connected world that we live in, especially with the risks of COVID-19 keeping many people doing things online-only, cybersecurity for our PCs and IoT devices alike has potentially become more important now than ever. If devices people use in their daily lives can easily become launch pads for attacks, as seen with Moobot and other botnets, we should be taking a look at what were using. Likewise, the companies making those devices should take a look at improving the services and products they provide, since such issues reflect poorly on the company, its employees, and directors.
Originally published at https://www.antonmcclure.com on September 16, 2020.