DDOS: Turn your Toaster Off!

Most of you are already aware of the fact that half of the internet went down (or slow), when a 'bad-hackers' group weaponized 'millions of insecure IOT devices' to attack a DNS provider. Personally from my browsing habits, I was largely effected by Twitter being dramatically slow while other sites felt little sluggish. Anyways, this brings us to a number of question(s),

  • Should I be surprised?
    I think NO. We knew this sh*t is coming. It's high time to check/ restrict your refrigerator, TV and lights for internet connectivity.
  • Is there a silver bullet to beat this?
    I believe NO
  • Is it one isolated incident?
    I guess NO and I would say there are more to come.
  • Do we have a hope to address this?
    Yes, we do have but it's not gonna be an easy fix; it would need an internet (mainly IOT) "revamp".

Understanding IOT Technology & Business

As this image1 reflects, IOT or Internet of Things is the buzz word and perhaps the future for interconnected world. These IOT devices are released in the markets with capability to connect to internet via cable/ or wireless and therefore have an access online.

For the idea of connected world this is great, as now an individual can connect the device(s) remotely to,

  • set the right thermostat temperature before you enter the house
  • set the microwave to heat/ cook your meal right before you arrive
  • switch the car ignition and air circulation
  • have internet enabled assistance at your fingertips or voice.
  • monitor statistics - health, home, transportation etc.

There's a huge list of IOT devices and it's rapidly increasing. But, with all these benefits there's a downside that they are not secured enough and are usually released by product companies to gain competitive edge. Most of them do not even have great configuration panels for the users to administrate. Now comes the scary part -

These IOT devices have default passwords (probably predictable/ constant) and are connected to internet.

So, your devices can be accessed by bad people, and be used to trigger swarms of packets on a target! Now, how's that for your comfort?

Recent DDOS attack, October 2016

Now, there are malware(s) like Mirai which leverage such weakness, to gain access to different IOT devices such as routers, camera, DVR or even a damn toaster (device with linux busybox). The malware then attempts to compromise the linux box with default passwords via SSH/ Telnet. If successful, the attacker will download the payload on the device for mostly malicious uses (in botnet, DDOS etc. i.e. zombie devices at disposal). Down the line someone will then reverse the malware binary (or attempt to reverse) to show the world how flawed we are in isolating business from security!

Possible Workarounds

It is no surprise that IOT devices have to taken seriously. The hardening of IOT devices must be enforced and due regulations must be put in place before we have millions of them amongst ourselves waiting to be weaponized.

  • The manufacturers must mandate password change and basic security chores as part of installations.
  • Developing too comfortable UI is one thing and making a user doesn't perform his/ her security due-diligence is another.
  • If we want an interconnected world, where devices talk we have to make sure try harder that no-one is listening!

IOT devices can be accessed remotely via internet, and are sitting right inside your house, in your comfort zone.

If that doesn't scare you; my friend, you are in ignorance!

Stay safe.

  1. By Wilgengebroed on Flickr - Cropped and sign removed from Internet of things signed by the author.jpg, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=32745645


❮❮ NodeJS URL Shortener


Rishi Narang

I'm a hacker. I find inventive/ intuitive solutions to problems. I write open-source code, help out people where I can - particularly if it involves a clever technical solution. I'm based in France.