Greetings, and welcome. This week, a decade-old security flaw threatens nearly a half-billion IoT devices, while hackers use other long-known vulnerabilities to enslave thousands of IoT and other connected devices. What are we doing about IoT cybersecurity? As always, your thoughts, reactions, and suggestions welcome. Just send a quick email to firstname.lastname@example.org. And for more on the IoT and IIoT, check out “DortchOnIT’s Industrial Internet of Things (IIoT) Weekly.” Thanks.
Report: 10-Year-Old Vulnerability Threatens 496 Million IoT Devices
What Happened: A provider of IoT cybersecurity solutions for enterprises released a report that found almost a half-billion connected devices vulnerable to a security flaw first disclosed in 2008.
- As CRN reported, this new warning comes from enterprise IoT security solution vendor Armis. In September 2017, as CRN then reported, the company identified a Bluetooth vulnerability that exposed more than 5 billion devices to attack. Armis claimed some 40 percent of these are IoT devices difficult or impossible to patch or update.
- The latest Armis report claims nearly a half-billion IoT devices are vulnerable to attack via “DNS rebinding, an attack first disclosed at the RSA Conference in 2008.” An attacker gains access to a user’s web browser “through a malicious link enclosed within an email, banner ad or another source.” The technique then “allows an attacker to bypass a network firewall and use a victim’s web browser to access other devices on the network.”
- The resulting damage can be quick and widespread. A successful attack via DNS rebinding “can leave devices susceptible to data exfiltration, compromise and hijacking, the latter of which could lead to a botnet attack similar to the Mirai malware that took down major websites in 2016.” That attack used a huge botnet of IoT devices to flood servers that manage internet addresses with meaningless data and requests. It disabled thousands of websites, including those of prominent businesses such as Netflix and Twitter.
- The potential range of the latest DNS rebinding threat is at least as chilling. Armis claims vulnerable devices “include 87 percent of switches, routers and access points; 78 percent of streaming media players and speakers; 77 percent of IP phones; 75 percent of IP cameras; 66 percent of printers; and 57 percent of smart TVs.”
What It Means: Phishing works. IoT device-level cybersecurity is woefully inadequate. Every user, device, and network is vulnerable.
What You Should Do: Educate yourself, your team, and everyone you know about the vigilance needed to combat phishing attempts. Don’t connect any device to any network to which you have access unless it has, at minimum, a password you can change. Don’t let anyone else do so, either. Know what’s connected to your network at all times, and deny or disconnect links sought by devices or users without adequate security. (See “4 Things You Can Do to Deal with GDPR, the IoT, and Social Engineering More Effectively,” “Social Engineering – What You Need to Know and Do Now,” “TWiTIoT: This Week in The Internet of Things – Government Moves and Shadow IoT Threats,” and “TWiTIoT: This Week in The Internet of Things – Every IoT Device A Security Risk?” Not to mention everything written by my learned colleagues at IT Chronicles related to phishing.)
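DNS rebinding, as described above, works because the browser keeps trusting a page from the attacker's hostname after that hostname is re-pointed at an address inside the victim's network. Two defensive checks follow from that: a resolver should refuse to hand a public name an internal address (the idea behind dnsmasq's `--stop-dns-rebind` option), and a device's embedded web server should answer only requests whose Host header actually names the device. The following is an added example written for this newsletter, not code from Armis or from any vendor mentioned here; the hostnames, addresses and DNS answers in it are constructed placeholders.

```python
"""Two defensive checks against DNS rebinding (added example, constructed data)."""
import ipaddress
from urllib.parse import urlsplit

# Placeholder names by which a hypothetical IoT camera expects to be addressed.
ALLOWED_HOSTS = {"camera.local", "192.168.1.20"}

# Constructed DNS answers as (queried name, returned address). Two of them
# show the rebinding pattern: a public name answered with an internal address.
SAMPLE_ANSWERS = [
    ("www.example.com", "93.184.216.34"),
    ("rebind.attacker.example", "192.168.1.20"),
    ("printer.local", "192.168.1.30"),
    ("attacker.example", "127.0.0.1"),
]


def is_rebinding_answer(qname, answer_ip, local_suffixes=(".local", ".lan", ".home.arpa")):
    """True when a non-local name resolves to a private, loopback, link-local or
    unspecified address, which is exactly what a rebinding attack produces."""
    ip = ipaddress.ip_address(answer_ip)
    internal = ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified
    if not internal:
        return False
    qname = qname.rstrip(".").lower()
    # Names under a local suffix, or single-label names, legitimately map inside.
    if "." not in qname or any(qname.endswith(s) for s in local_suffixes):
        return False
    return True


def filter_dns_answers(answers):
    """Resolver-side filter: return (kept, dropped) lists of (qname, ip) pairs."""
    kept, dropped = [], []
    for qname, ip in answers:
        (dropped if is_rebinding_answer(qname, ip) else kept).append((qname, ip))
    return kept, dropped


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Device-side check: accept a request only if its Host header names this
    device. Handles 'host:port' and bracketed IPv6 literal forms."""
    if not host_header:
        return False
    try:
        # Prefixing '//' lets urlsplit parse the value as a network location.
        hostname = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return False
    if not hostname:
        return False
    return hostname.lower() in {h.lower() for h in allowed}


if __name__ == "__main__":
    kept, dropped = filter_dns_answers(SAMPLE_ANSWERS)
    for qname, ip in dropped:
        print(f"dropped rebinding answer: {qname} -> {ip}")
    for hdr in ("camera.local:8080", "attacker.example", "[::1]:80"):
        print(f"Host {hdr!r} accepted: {host_header_allowed(hdr)}")
```

The Host header check is the one a device vendor can ship in firmware without relying on the user's resolver; the resolver filter protects every device behind it, including the ones that will never receive a firmware update.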
IoT-Enabled Botnets: Easier, Better, Faster, Stronger (with Props and Apologies to Kanye)
What Happened: Two separate IoT-enabled botnet events enslaved thousands of connected devices – and portend more and better such attacks coming soon.
- Botnets are networks of enslaved connected devices, created by malware that exploits a vulnerable network connection and propagates across that network. As ZDNet reported, botnets “can include standard PCs, routers, smartphones, and a more recent addition, the compromise of Internet of Things (IoT) devices ranging from smart lights to fridges.”
- A new botnet created by a hacker known as “Anarchy” used a vulnerability first published in 2017 to compromise at least 18,000 network routers manufactured by China’s Huawei. The botnet took only 24 hours to create, and can remotely execute malicious code that attacks and enslaves other connected devices. Such botnets often target IoT devices, many of which use “hard-coded credentials” and can be compromised by “a simple scanner.”
- Another botnet, known as “Death,” is successfully targeting devices manufactured by AVTech. As Security Affairs reported, the company is one of the world’s leading manufacturers of closed-circuit television (CCTV) cameras. The Death botnet exploits outdated firmware that exposes device passwords and enables attackers to add users to those devices. “AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware.” And the alleged creator of Death reportedly plans to use it in “massive attacks” in the future.
What It Means: Even when IoT and other connected devices can be updated with software patches, and vendors release patches in response to threats, companies using those devices often do not implement those patches in a timely fashion. Malefactors can therefore successfully attack devices and the networks to which they connect by exploiting vulnerabilities for which patches have existed for years.
What You Should Do: Avoid connected devices that can’t be patched or updated easily or at all, as well as vendors that don’t provide patches and updates frequently and quickly after threats are discovered. Make timely, consistent patch management a high priority across your entire network. (See “Patch Management: Why It Matters, Why It’s Likely Broken at Your Business, and What to Do Now.”)
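Both botnets above succeeded against devices whose fixes had been available for a year or more, or that still used the credentials they shipped with. The patch-management priority this section calls for starts with knowing, per device, how far behind the vendor's fix each one is. The script below is an added example for this newsletter, not AVTech's, Huawei's or any vendor's tooling: it runs a patch-lag and default-credential report over a small constructed inventory. The vendor names, models, version numbers and fix dates are placeholders, not real advisories.

```python
"""Patch-lag report over a constructed device inventory (added example)."""
from datetime import date

# Placeholder vendor fix data: (vendor, model) -> (first fixed firmware, date published).
FIXES = {
    ("ExampleCam", "DVR-100"): ("2.1.0", date(2017, 1, 15)),
    ("ExampleNet", "HG-R1"): ("1.4.2", date(2017, 12, 1)),
}

# Constructed inventory as an asset scan might produce it. 'default_creds' is a
# flag set by whatever credential audit the site runs; no credentials appear here.
INVENTORY = [
    {"ip": "192.168.1.20", "vendor": "ExampleCam", "model": "DVR-100", "firmware": "1.9.7", "default_creds": True},
    {"ip": "192.168.1.21", "vendor": "ExampleCam", "model": "DVR-100", "firmware": "2.1.0", "default_creds": False},
    {"ip": "192.168.1.1", "vendor": "ExampleNet", "model": "HG-R1", "firmware": "1.4.10", "default_creds": False},
    {"ip": "192.168.1.50", "vendor": "Unknown", "model": "?", "firmware": "", "default_creds": False},
]


def parse_version(text):
    """'1.4.10' -> (1, 4, 10). Comparing tuples avoids the string-comparison
    trap where '1.4.10' sorts before '1.4.2'."""
    return tuple(int(part) for part in text.split(".")) if text else ()


def assess(inventory, fixes, today):
    """Return one finding dict per problem, ordered as the inventory is."""
    findings = []
    for dev in inventory:
        key = (dev["vendor"], dev["model"])
        if key not in fixes:
            findings.append({"ip": dev["ip"], "kind": "unknown",
                             "detail": "no fix data for this vendor/model; cannot assess"})
            continue
        fixed_ver, fix_date = fixes[key]
        if parse_version(dev["firmware"]) < parse_version(fixed_ver):
            lag = (today - fix_date).days
            findings.append({"ip": dev["ip"], "kind": "unpatched", "lag_days": lag,
                             "detail": f"firmware {dev['firmware']} < {fixed_ver}; fix available {lag} days"})
        if dev["default_creds"]:
            findings.append({"ip": dev["ip"], "kind": "default-credentials",
                             "detail": "still using factory credentials"})
    return findings


def worst_first(findings):
    """Sort so long-unpatched devices surface first, then default credentials, then unknowns."""
    rank = {"unpatched": 0, "default-credentials": 1, "unknown": 2}
    return sorted(findings, key=lambda f: (rank[f["kind"]], -f.get("lag_days", 0)))


if __name__ == "__main__":
    for f in worst_first(assess(INVENTORY, FIXES, date.today())):
        print(f"{f['ip']:<14} {f['kind']:<20} {f['detail']}")
```

The version parser is the part worth copying: many inventory spreadsheets compare firmware strings lexically, which silently reports a device on 1.4.10 as older than the 1.4.2 fix.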