Why IoT devices are the 'unusual suspects' in DDOS attacks

Recent cyberattacks that harnessed digital devices to cripple websites confirm the concerns cybersecurity experts have long expressed about the threat posed by the internet of things (IoT). Many connected corporate devices, from VoIP phones and connected printers to smart video conferencing systems, have outdated firmware and can be hacked in minutes, according to new research from ForeScout Technologies.

"The IoT is the new battleground for security," says Pedro Abreu, chief strategy officer at ForeScout, which makes software to help companies find and protect devices on their networks. "It's where the entry points are that are really making you vulnerable."

CIOs have spent the past two decades using firewalls, antivirus and anti-malware tools to build protective moats around servers and PCs. But it's what Abreu calls the "unusual suspects" that can wreak havoc. Hackers are weaponizing digital cameras, video conferencing systems, DVRs and other Internet-connected devices, triggering massive distributed denial-of-service (DDOS) attacks that grind websites to a halt.

IoT devices are easily hackable

Enlisting an IoT device for a DDOS attack isn’t hard. ForeScout hired self-described ethical hacker Samy Kamkar to demonstrate how to hack and command an enterprise-grade security camera, which was unmodified and ran the latest firmware from the manufacturer.

In less than an hour, Kamkar exploited the device's default password, gained root SSH access and planted a backdoor that will allow him to continue controlling the camera even if the administrator changes the password. He also installed a backdoor that enabled him to create an outbound connection to launch various attacks from the device.

"[The exploit] gives hackers full privilege and allows them to control the device completely, or use it as proxy to hit other systems in that network or even other organizations on the internet," Kamkar says. The camera can then be joined with thousands of other devices, coalescing in a botnet capable of launching a DDOS attack, Kamkar says.

If Kamkar's exploit sounds familiar it's because this was exactly the kind of DDoS attack that brought down Twitter, Feedly, Netflix, Spotify and several other websites last Friday. The attack exploited manufacturer-set passwords to enslave more than 100,000 webcams and DVRs in the Mirai botnet, which in turn bombarded the network infrastructure operated by internet address look-up service Dyn, preventing customers from reaching more than 1,200 domains. The Obama administration has vowed to take steps to mitigate these attacks.

Abreu says that the Dyn attack prohibited ForeScout from accessing some of its corporate cloud services, including Salesforce.com and Okta. It was an inconvenience, though Abreu said it would have been far worse if, for example, ForeScout's sales staff couldn't access their customer data in Salesforce.com to complete a quarterly close.

IoT-based DDOS attacks have CIOs petrified

John Bruno, CIO of multinational services conglomerate Aon, tells CIO.com that DDOS attacks are among his top cybersecurity concerns because the company's website supports seven million participants accessing information about healthcare and benefit plans from its website. "The way in which a broad-based denial of service attack can put you to your knees and then negatively impact the ecosystem that's attached to you -- that worries me and keeps me up at night," Bruno says.

DDOS attacks are scary but they aren’t the only attacks that should concern CIOs. Kamkar, who also tested IP-connected security systems, smart HVACs and energy meters, VoIP phones, video conferencing systems and connected printers, smart fridges and smart light bulbs says that the devices pose significant risks because security is not built into them and their firmware is frequently outdated.

Cybercriminals can use jamming or spoofing techniques to hijack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment. Perpetrators can exploit configuration settings in VoIP phones to evade authentication, enabling them to eavesdrop on and record calls. Hackers can crack HVAC systems and energy meters to force server rooms to overheat, causing physical damage. The dangers are real and can be exploited for "something big," says Abreu.

Abreu says CIOs can better prepare for DDOS and other attacks by being aware of what devices are phoning into their networks and creating policies limiting what connected devices can do. But with CIOs' attention focused on so many other issues -- digital transformations, analytics, budget planning, -- they often don't check what has access to their networks. When ForeScout’s software analyzes enterprise customers’ networks it typically detects between 30 to 40 percent more devices than CIOs said they would find.

Gartner predicts that 20 billion connected devices will be deployed by 2020, with as many as a third of these sitting unknowingly vulnerable on enterprise, government, healthcare and industrial networks worldwide. IDC predicts that two-thirds of enterprises will experience IoT security breaches by 2018.