June 2017: Consumer IoT devices continue to threaten the Internet with DDoS attacks

Bottom Line: Consumer IoT devices are being used for DDoS attacks launched from hundreds of thousands of connected devices. The infected devices lack even the most basic security measures, and in some cases device manufacturers are being held accountable. ISPs have useful visibility into network traffic and the IP addresses of offending devices; however, it is too costly and complex for ISPs to respond. Enterprises are vulnerable to both insider and external threats and require security solutions that use network monitoring, heuristics and machine learning techniques to identify and mitigate threats.


Consumers across the globe are eager to capitalize on the Internet-of-Things (IoT) to monitor, manage and control their electronic equipment over the Internet, through cloud services and from their smartphones. The range of consumer electronic devices being connected to the Internet is vast and includes surveillance cameras, smart televisions and DVRs, residential thermostats and other home convenience and security devices. These devices can be purchased from consumer electronics stores and provide convenient plug-and-play capabilities for rapid deployment. This seemingly ideal solution for consumers has created significant challenges for Internet security. Most notably, devices are often shipped with remote access capabilities enabled and with default administrative credentials, which are seldom changed. Such devices are vulnerable to attack, and an attacker who gains access obtains the administrative functions of the device.

Once an attacker has access to a consumer electronic device, the attack surface depends on how well the device itself is protected. For example, devices can be protected if:

  • Firmware and other operational software is digitally signed, to restrict malicious command and control software attacks
  • Secret password keys are stored in protected memory and administrative functionality is appropriately constrained, to restrict the scope of potential attacks; and
  • Sufficient server-side security mechanisms are implemented, to reduce the potential for man-in-the-middle (MITM) attacks

Unfortunately, these and other basic security features are commonly excluded from consumer electronic devices. Device manufacturers are incentivized to rapidly produce low-cost devices, with security largely being an afterthought.

The Security Risks

While insecure IoT devices are vulnerable to a variety of attacks, including ransomware, reconnaissance and eavesdropping, the devices are also being weaponized to attack the Internet with Distributed Denial of Service (DDoS) attacks. Specifically, once an attacker has infected a sufficient number (i.e. tens or possibly hundreds of thousands) of IoT devices with command and control capabilities, an attack can be launched by having these devices flood traffic to critical Internet infrastructure, such as Domain Name System (DNS) servers. Since DNS servers are responsible for translating URL addresses into IP addresses, many websites are disrupted when the servers are successfully attacked. For example, on October 21, 2016, Dyn, a DNS provider now owned by Oracle, was crippled by a massive DDoS attack, which impacted several high-profile websites including GitHub, Twitter, Reddit, Netflix and Airbnb. The attack was attributed to the Mirai botnet, which had spread itself across insecure IoT devices.

The Mirai botnet was not the first DDoS attack of its kind, but it has gained widespread recognition because of the devastating and widely publicized impact that it had on the Internet and several high-profile consumer Internet services. Since the attack, the Mirai source code has been published as open source and is being adapted and incorporated into other malicious software. For example:

  • A Mirai-infected device can be cleansed when rebooted (so long as the user name and password are changed promptly). In July 2017, a variant of Mirai was observed which remained in devices even after they were rebooted.
  • Mirai scans for devices with the standard telnet port 23 open. Although some device manufacturers have changed the port number they use for telnet, these changed port numbers are now being scanned by Mirai variants.
  • When initially launched, Mirai targeted the default credentials of approximately 60 devices; this list has been extended and updated in subsequent variants of Mirai.
  • Some variants of Mirai are using different attack vectors to gain device access. One such vector capitalizes on a security vulnerability that has been identified in some implementations of the TR-064 and TR-069 protocols, which are commonly used for remote device access. This vulnerability compromises insecure Internet-enabled remote access functionality that was originally intended for local area networks (LAN). Not all implementations of TR-064 and TR-069 are vulnerable to this attack vector. Furthermore, in some cases, attacks have caused TR-064-enabled devices to crash because of the malformed HTTP messages, instead of enabling malicious access.
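As an added example (not code from the report or from any product it mentions), the following check is the kind an enterprise monitoring its own network traffic could run against outbound flow records: it flags internal hosts that fan out telnet connections to many distinct destinations, the scanning pattern described above for Mirai. The flow-log format, the sample addresses and the alternative telnet port 2323 are assumptions made for the example.

```python
from collections import defaultdict

# Ports to watch: telnet's standard port 23, which Mirai probes, plus 2323,
# a constructed stand-in for a vendor-changed telnet port (an assumption;
# the report only says that variants scan such changed ports too).
TELNET_PORTS = {23, 2323}

# Constructed outbound flow records (not from the report) in an assumed
# format: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_FLOWS = """\
2017-06-01T10:00:01 10.0.5.20 203.0.113.10 23 tcp
2017-06-01T10:00:01 10.0.5.20 203.0.113.11 23 tcp
2017-06-01T10:00:02 10.0.5.20 203.0.113.12 2323 tcp
2017-06-01T10:00:02 10.0.5.20 203.0.113.13 23 tcp
2017-06-01T10:00:03 10.0.5.20 198.51.100.7 23 tcp
2017-06-01T10:00:03 10.0.5.20 198.51.100.8 2323 tcp
2017-06-01T10:00:04 10.0.5.21 10.0.5.1 23 tcp
2017-06-01T10:00:05 10.0.5.22 93.184.216.34 443 tcp
2017-06-01T10:00:07 10.0.5.20 203.0.113.10 23 tcp
this line is truncated and must be skipped
"""

def parse_flows(text):
    """Parse flow lines into (ts, src, dst, port, proto); skip malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, port, proto = parts
        flows.append((ts, src, dst, int(port), proto.lower()))
    return flows

def find_telnet_scanners(flows, min_targets=5):
    """Return {src_ip: distinct hosts contacted on a telnet port} for sources
    at or above min_targets. A couple of telnet sessions is ordinary
    administration; one camera or DVR fanning out to many hosts is the
    scanning behaviour described for Mirai and is worth quarantining."""
    targets = defaultdict(set)
    for _, src, dst, port, proto in flows:
        if proto == "tcp" and port in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in sorted(targets.items())
            if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: telnet connections to {n} distinct hosts")
```

The threshold is deliberately coarse; in practice it would be tuned per subnet, with IoT devices on their own subnet so that any telnet fan-out from it stands out.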

Security risk mitigation and protection strategies

We believe that we have only seen the 'tip of the iceberg' of the IoT DDoS security threats, particularly as the industry marches towards the Internet-of-Everything. While it is impossible to eliminate IoT-led DDoS attacks, many of the attacks today are a consequence of basic vulnerabilities, most notably the poor management of security credentials and remote access functionality. In their defense, some device manufacturers have increased their attention towards device security, but more focus is needed on making security inherent to device designs.

Efforts have been made to place accountability with IoT device manufacturers for selling insecure products, making them potential lawsuit targets and forcing product recalls. For example, in October 2016, Xiongmai, an IoT device manufacturer, issued a product recall after it was discovered that many of its devices were behind DDoS attacks and that the products lacked basic security features, such as effective password management. By the time the vulnerability was discovered and product recalls initiated, it is believed that several million devices had been hacked. In January 2017, the United States Federal Trade Commission (FTC) took legal action against D-Link for allegedly not implementing adequate security in its wireless routers and Internet cameras. It is conceivable that the FTC case could set a precedent for legal action against other device manufacturers in the future.

The European Union (EU) has mooted a certification scheme to identify and label devices that it deems secure. However, we believe the challenge with this approach is that security vulnerabilities and attack vectors are continually changing. This makes it unlikely for a device that is secure at the time of manufacture to remain secure throughout its deployment lifecycle (which is often more than a decade). Furthermore, we believe that when devices are deemed secure by the EU's scheme, they might become targets for hackers.

Internet service providers (ISPs) can play a greater role in protecting the Internet from infected devices since they have network traffic visibility and can associate their subscribers with IP addresses. However, device quarantining would be costly and complex for ISPs and difficult to manage given the volume and global distribution of attacks, and the complexities in pinpointing IPv4 devices that have alias addresses. Quarantining would also create customer service challenges and potentially have a negative impact on the ISPs' brand and market reputation.

As security stakeholders including security professionals, enterprises, service providers and technology companies respond to IoT security threats, new tools are being crafted and security taxonomies developed, see Exhibit 1. Security professionals are focusing attention towards the existential threats from IoT devices and methods to rapidly identify and mitigate the impact of attacks when they occur.

Enterprises are encouraged to monitor network traffic, recognizing the potential for both external and insider attacks. They are also encouraged to introduce strict security policies for IoT devices by ensuring that they are patched with the latest software updates and operate on independent subnets. Service providers are introducing technologies for monitoring application and network traffic to identify potential attacks. Emerging heuristics and machine learning solutions are playing an increasing role in security, and are needed to address the porous and dynamic security environment that is increasingly becoming a hallmark of the connected world.

Exhibit 1: Stakeholder security motivation, risks and mitigation
Source: 3GPP and Tolaga Research, 2017