The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding.
Symantec reports on the rising trend in IoT malware, which attacks systems that “may not include any advanced security features” and are “designed to be plugged in and forgotten” without “any firmware updates,” so that “infection of such devices may go unnoticed by the owner.”
The USA and China are the two countries where people own most of these things, so they’re also where most of the malicious traffic originates. Symantec ran a honeypot that recorded attempts to log in to and compromise a system that presented as a vulnerable IoT device, and found that the most common login attempts used the default credentials “root” and “admin,” suggesting that malware authors have discovered that IoT owners rarely change these defaults. Other common logins include “123456,” “test” and “oracle.”
Attackers cross-compile their malware to run on a variety of processors and architectures, and differentiate the strains by giving them nicknames derived from street names for drugs. New strains of IoT malware also try to purge any older, rival malware that could be running on the system, giving themselves more of the device’s processor time to do their pwner’s bidding.
Symantec makes a bunch of recommendations, a small minority of which (“change the default password”) are within your control; the rest (“Disable Telnet login and use SSH where possible”; “Modify the default privacy and security settings of IoT devices according to your requirements and security policy”; “Disable or protect remote access to IoT devices when not needed”; “Use wired connections instead of wireless where possible”; “Regularly check the manufacturer’s website for firmware updates”; “Ensure that a hardware outage does not result in an unsecure state of the device”) give wishful thinking a bad name.
As far as malware distribution goes, attackers take a straightforward approach. While some malware variants need to be manually installed on the device, the most common method consists of a scan for random IP addresses with open Telnet or SSH ports, followed by a brute-force attempt to log in with commonly used credentials.
Because of the variety of CPU architectures that embedded devices run on, IoT malware may try to randomly download bot executables for multiple architectures and run them one by one until successful. In other cases, malware may also include a module that performs a check for the existing device’s platform and downloads just the correct bot binary.
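The honeypot tallies described earlier (which usernames and passwords the bots try most) and the scan-and-brute-force pattern in the passage just quoted are the two things a defender can actually watch for. Here is an added example, written for this post and not code from Symantec or from the report, that runs both checks over a handful of constructed honeypot log lines: it counts the credentials attempted, counts how many attempts used a default username/password pair, flags any source that hammers Telnet or SSH with a burst of logins, and lists which attempts succeeded. The log format, the `DEFAULT_CREDENTIALS` list and the burst threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real honeypot output). Assumed format, one
# login attempt per line:
#   <ISO timestamp> <source IP> <port> <username> <password> <OK|FAIL>
SAMPLE_LOG = """\
2016-09-22T10:00:01 203.0.113.5 23 root root FAIL
2016-09-22T10:00:02 203.0.113.5 23 root admin FAIL
2016-09-22T10:00:03 203.0.113.5 23 admin admin FAIL
2016-09-22T10:00:04 203.0.113.5 23 root 123456 FAIL
2016-09-22T10:00:05 203.0.113.5 23 admin password FAIL
2016-09-22T10:00:06 203.0.113.5 23 root test OK
2016-09-22T10:05:00 198.51.100.7 22 admin admin FAIL
2016-09-22T10:05:30 198.51.100.7 22 oracle oracle FAIL
2016-09-22T10:06:00 198.51.100.7 22 root 123456 FAIL
2016-09-22T11:15:00 192.0.2.9 22 root root FAIL
2016-09-22T11:42:00 192.0.2.9 22 ubuntu ubuntu FAIL
2016-09-22T12:00:00 192.0.2.9 22 pi raspberry FAIL
"""

# Assumed list of factory-default pairs built from the names the report
# mentions (root, admin, 123456, test, oracle); a real deployment would load
# a much longer list.
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("root", "admin"), ("root", "123456"),
    ("admin", "admin"), ("admin", "123456"),
    ("test", "test"), ("oracle", "oracle"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Turn log text into a list of attempt dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, port, user, password, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts), "src": src, "port": int(port),
            "user": user, "password": password, "result": result,
        })
    return events


def top_usernames(events, n=5):
    return Counter(e["user"] for e in events).most_common(n)


def top_passwords(events, n=5):
    return Counter(e["password"] for e in events).most_common(n)


def default_credential_hits(events):
    """Number of attempts that used a known default username/password pair."""
    return sum((e["user"], e["password"]) in DEFAULT_CREDENTIALS for e in events)


def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold Telnet/SSH login attempts inside one window.

    Uses a sliding window over each source's sorted timestamps, so a slow
    scanner that spreads attempts over hours is not flagged.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["port"] in (22, 23):
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def successful_logins(events):
    """(source, user, password) for every attempt the honeypot accepted."""
    return [(e["src"], e["user"], e["password"])
            for e in events if e["result"] == "OK"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("top usernames:", top_usernames(evs, 3))
    print("top passwords:", top_passwords(evs, 3))
    print("default-credential attempts:", default_credential_hits(evs), "of", len(evs))
    print("brute-force sources:", sorted(brute_force_sources(evs)))
    print("successful logins:", successful_logins(evs))
```

On the sample data the burst detector flags only 203.0.113.5, which tried six logins in five seconds on port 23 and got in with a default username; the other two sources make the same kind of attempts but too slowly to cross the threshold, which is the usual blind spot of rate-based detection and why the credential tallies are kept as a second signal.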
IoT devices being increasingly used for DDoS attacks [Symantec Security Response]
(via Beyond the Beyond)