IoT botnets - Don’t be surprised, we knew it would happen

Connected devices can easily be made to do the work of cyber attackers.

Connected cameras, vending machines and light bulbs were the vectors of the latest cyber-attacks. They are just the beginning of a long list of Internet of Things devices that attackers will use to take down businesses or steal data. But who should be blamed for this new situation?

We heard about the promise of a better life once everything is connected to the Internet. We trusted it because we loved the idea of an easier life and access to more services at the same time. Manufacturers also saw a huge business opportunity in that trend, so everybody was happy.

We discovered the hard way that it could also have a dramatic impact, because hackers are always looking for new opportunities to achieve their objectives too.

We welcomed connected devices as the new Grail, but as IT specialists we know that cyber-attacks are not a legend and that we need to take care of the security of our own goods, family and business.

The cons of connected devices 

As soon as a device runs an operating system, we know we must secure it against internal and external threats. It should have enough security that nobody can access it easily. By default, it will not be managed and maintained by the end user; that statement has a big impact and one we must take into consideration. My grandmother will never apply a security patch to her connected fridge when a zero-day vulnerability is published!

As standard practice, connected devices are attached to at least a local network and very often to the Internet in order to provide their services. We knew they were created for that, so why are we surprised by today's situation, and why did we not prepare our networks for this new game?

First, connected device manufacturers need to do a better job and ship more secure software. If they are not IT specialists themselves, they will have to hire or work with IT specialists to make sure they don't sell millions of devices that are then effectively used for cyber-crime. If they don't raise the level of security of what they sell to consumers, nobody will be able to escape cyber-attacks and life for IT teams will become more and more stressful.

If we cannot assume connected devices are hack-proof, IT teams need to think again about securing their networks. As everything is now IP based, one service is critical for ALL applications: the DNS server.

The new vector to be wary of   

Recently, we have seen IoT cyber-attacks targeting this piece of the network infrastructure. For hackers, it is now the easiest component to target, or even to use as a vector for launching attacks. But how does it work?

A DNS server answers queries so that an application or user can connect to a named resource. The query may be issued internally, from a local network within an organisation, or may leave the network to find the information the user or application requested. In other words, DNS is used ALL the time, by everyone, and the traffic regularly leaves the network to get its answers.

What we have seen so far is connected devices infected by malware sending requests to internal DNS servers and flooding them until they can no longer respond, leaving users and applications unable to work. According to a recent Cisco report, 91% of malware actually uses DNS to carry out its campaigns. We have also seen hundreds of thousands of infected devices flood a cloud-based DNS provider's infrastructure and make thousands of sites and applications unreachable from the Internet. Remember Dyn?

In both situations, the networks were protected by "combat proven" security solutions, which unfortunately were not proven enough to protect this crucial network component. When you know everything in your business relies on a single service, you need to secure it properly and stop assuming your legacy firewall will protect it as well.

Most existing security solutions are blind to network services and do not secure them as we would expect. They were not developed to understand the DNS protocol and do not protect DNS servers correctly. For the last two years DNS has been the most attacked protocol according to many security specialists. We need to rethink security, or someone will have to explain why organisations suffer dramatic damage such as business interruption and data loss from a connected-device attack we knew could happen.

DNS as the active defence 

Security vendors and IT departments should act fast. If they cannot completely secure connected devices, they have to limit the impact of attacks launched through them. As the news has shown, hackers are targeting DNS using IoT devices, so specific protection for DNS should be considered to defend organisations.

DNS servers can suffer a volumetric attack that floods and crashes them, so network departments need to make sure their DNS infrastructure can sustain a heavy workload.

Zero-day vulnerabilities and more insidious attacks can also target the DNS server. Last year's breaking news proved that legacy solutions such as firewalls are not enough to protect it seriously. The DNS server itself should understand what is happening, separate legitimate from non-legitimate traffic and mitigate the attack, even when the attack is small and stays below the radar of traditional solutions.

The DNS server should also be able to detect, by itself, more insidious abuse, such as hackers trying to exfiltrate data through DNS queries. A recent study shows that 20% of organisations have suffered data exfiltration this way!
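The two detections the article asks of a DNS server, spotting a client that floods the resolver (the volumetric case above) and spotting a client that smuggles data out in query names (the exfiltration case), can be illustrated with a small triage script over a query log. The following is an added example and not code from the article or from any DNS product: the log format (one line per query: epoch timestamp, client IP, query type, query name), the sample entries and every threshold are constructed for illustration. A production resolver would use a public-suffix list instead of the naive "last two labels" base-domain rule, and would tune thresholds to its own baseline.

```python
"""Constructed DNS query-log triage: flood and exfiltration heuristics.

Added example, not from the article. The log format is assumed:
"<epoch> <client-ip> <qtype> <qname>" per line. Thresholds are illustrative.
"""
import hashlib
import math
from collections import Counter, defaultdict


def _hex_chunk(i):
    # Constructed stand-in for an encoded data chunk: 40 hex characters per query.
    return hashlib.sha1(f"chunk{i}".encode()).hexdigest()


# Constructed sample log (not a real capture).
SAMPLE_LOG = (
    # 10.0.0.5: ordinary browsing, a few lookups spread over several seconds.
    ["1700000000 10.0.0.5 A www.example.com",
     "1700000001 10.0.0.5 AAAA mail.example.com",
     "1700000003 10.0.0.5 A cdn.example.net",
     "1700000004 10.0.0.5 A www.example.org"]
    # 10.0.0.7: twelve lookups within the same second -> flood pattern.
    + [f"1700000002 10.0.0.7 A host{i}.example.com" for i in range(12)]
    # 10.0.0.9: six long hex labels under one base domain -> exfiltration pattern.
    + [f"17000000{10 + i:02d} 10.0.0.9 TXT {_hex_chunk(i)}.updates.example"
       for i in range(6)]
)


def parse_log(lines):
    """Turn log lines into (timestamp, client, qtype, qname) tuples."""
    records = []
    for line in lines:
        ts, client, qtype, qname = line.split()
        records.append((int(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def detect_flood(records, per_second_limit=10):
    """Clients whose query count exceeds the limit in any one-second bucket."""
    buckets = Counter((client, ts) for ts, client, _, _ in records)
    return {client for (client, _), n in buckets.items() if n > per_second_limit}


def shannon_entropy(label):
    """Bits of entropy per character in a label; encoded payloads score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_exfiltration(records, min_unique=5, min_label_len=30, min_entropy=3.0):
    """(client, base_domain) pairs whose leftmost labels are many, long and random-looking.

    Many distinct, long, high-entropy subdomains under a single base domain is the
    shape DNS tunnelling leaves in a log; each query carries a fresh chunk of data.
    """
    leftmost_by_key = defaultdict(set)
    for _, client, _, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # nothing to the left of the base domain
        base = ".".join(labels[-2:])  # naive; use a public-suffix list in production
        leftmost_by_key[(client, base)].add(labels[0])

    flagged = {}
    for key, labels in leftmost_by_key.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_entropy >= min_entropy:
            flagged[key] = {"unique_labels": len(labels),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_entropy, 2)}
    return flagged


def triage(lines):
    """Run both checks over a log and return a report dict."""
    records = parse_log(lines)
    return {"flooding_clients": sorted(detect_flood(records)),
            "exfiltration_suspects": detect_exfiltration(records)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The flood check deliberately keys on client and second rather than on query name, so a device cycling through many names (as the sample 10.0.0.7 does) is still caught; the exfiltration check ignores raw volume and looks at the shape of the names, which is why the same 10.0.0.7 traffic, with its short `hostN` labels, is not flagged there.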

This is not Skynet attacking us; this new enemy could easily be defeated if we spend the time and resources to put the right protection in place. If not, stupid connected cameras and vending machines will defeat us. Are we ready to accept that?

Image Credit: Bakhtiar Zein / Shutterstock