The IoT attacks that could eclipse Mirai

Expect to see millions of IoT devices annexed by malicious attackers in the future, dwarfing the Mirai botnet we saw in 2016 

Skynet, HAL, WOPR … World-altering attacks have always been associated in science fiction with a despot supercomputer. But what if the real threat didn’t come from a central form of intelligence at all, but from an army of disparate devices?

An attack from millions is much harder to block, with new recruits simply brought online to replace those that are lost. In late 2016 we saw the first incarnation of this style of attack in the form of mass Distributed Denial of Service (DDoS) attacks orchestrated using the Internet of Things (IoT).

The botnet wasn’t controlled by rogue AI, just a piece of malware – Mirai – which targeted devices running a code base originally devised for DVRs. It took control of over 100,000 devices and launched attacks on websites peaking at over 1Tbps.

The malware was purportedly devised in a turf war over DDoS prevention solutions and, it turns out, doesn’t utilise half of the vulnerabilities it could have. 

Mirai infects devices over the obscure Telnet port and gains access by running 60 sets of default log-on credentials until it hits the right one. That bombardment creates real noise on the network, suggesting the malware could have been far more sophisticated.
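Mirai's credential run is noisy precisely because it is a burst of failed Telnet logins against one host followed by a success. The following added example (not from the article or from Pen Test Partners) shows the defender's side of that observation: it scans a constructed, illustrative Telnet authentication log and flags any source that accumulates a threshold of failures against one destination inside a short window; the log format, addresses and thresholds are assumptions.

```python
"""Flag Mirai-style Telnet default-credential runs in an auth log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format, assumed for this example:
# "<ISO timestamp> telnetd src=<ip> dst=<ip>:23 user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) dst=(?P<dst>\S+):23 "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can skip junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_credential_runs(lines, threshold=5, window=timedelta(seconds=60)):
    """Map (src, dst) -> total failed logins for every pair that produced at
    least `threshold` failures inside any sliding window of length `window`.
    A scripted walk through a default-credential list lands here; a human
    mistyping a password once or twice does not."""
    failures = defaultdict(list)          # (src, dst) -> failure timestamps
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] == "fail":
            failures[(rec["src"], rec["dst"])].append(rec["ts"])
    flagged = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0                         # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(stamps)
                break
    return flagged


# Constructed sample: one scripted run (5 fails in 12 s, then success), one
# human typo, one slow trickle spread over minutes, one malformed line.
SAMPLE_LOG = [
    f"2016-10-21T10:00:{s:02d} telnetd src=198.51.100.7 dst=192.0.2.10:23 user={u} result=fail"
    for s, u in ((0, "root"), (3, "admin"), (6, "root"), (9, "support"), (12, "user"))
] + [
    "2016-10-21T10:00:15 telnetd src=198.51.100.7 dst=192.0.2.10:23 user=root result=ok",
    "2016-10-21T10:01:00 telnetd src=203.0.113.5 dst=192.0.2.11:23 user=admin result=fail",
    "2016-10-21T10:01:30 telnetd src=203.0.113.5 dst=192.0.2.11:23 user=admin result=ok",
    "2016-10-21T10:05:00 telnetd src=203.0.113.9 dst=192.0.2.12:23 user=admin result=fail",
    "2016-10-21T10:09:00 telnetd src=203.0.113.9 dst=192.0.2.12:23 user=admin result=fail",
    "2016-10-21T10:13:00 telnetd src=203.0.113.9 dst=192.0.2.12:23 user=admin result=fail",
    "garbage line the parser must ignore",
]

if __name__ == "__main__":
    print(detect_credential_runs(SAMPLE_LOG))
```

Lowering the threshold or widening the window trades fewer missed slow scans for more false positives from forgetful users; the successful login right after the burst is the detail worth escalating on.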

Kill the Internet

Our subsequent investigation into over thirty types of smart DVR revealed this type of attack could be carried out far more stealthily, and without arousing suspicion, over port 80, which relays HTTP traffic.

It was found that some of these DVRs had an exploitable buffer overflow in the web interface, allowing an attacker to compromise the device remotely and to send a wormable exploit via that port.


This has significant repercussions: while Mirai could be stopped momentarily by disabling the Telnet port, disabling port 80 really isn’t an option. Doing so would take out the majority of network connectivity for any business, making any attack over port 80 very difficult to stop without putting the economy back into a pre-Internet era.

Shodan, a web database of IoT devices, reveals there are over one million of this type of DVR deployed today. Those numbers mean this particular DVR could be used to make a behemoth botnet with ten times the capacity of that commanded by Mirai, potentially paving the way for multi-terabyte DDoS attacks. 

The quick fix for Mirai was to reboot devices to remove the infection; however, these were then simply annexed again by other infected devices. Solutions such as Brickerbot have been found to be ineffective, and a fix by Xiongmai for its Floureon DVRs has since been circumvented, with researchers simply using a different port to access the device and re-enable the Telnet port.


There is a sure-fire fix for Mirai, but the same process could give Mirai immunity and allow it to survive post-reboot, so in the interests of the greater good we have not disclosed it. Today, its progress has only been impeded, ironically, by the publishing of the code, which has seen attackers compete for ownership over enslaved devices. This has limited the size of any one individual botnet.

But if the issue that allows Mirai to persist were to become known, one herder could potentially control all of these devices. Mirai certainly hasn’t been defeated; it’s become a dormant menace. 

Or kill the power

There are other ways in which the IoT could be used to carry out mass attacks. Due to the sheer number of IoT devices deployed, there’s the potential to create a significant draw on energy supplies and it’s this consumption that could be used for an attack. 

Switching devices on and off concurrently could create a wide-area outage. This could be so disruptive as to trigger a ‘black start’, whereby the National Grid needs to use off-grid power sources to bring individual generators back online before gradually reconnecting the grid.


It’s a procedure that has never been fully tested, for obvious reasons; the most recent test was in 2011, when only three generating units were disconnected from the main grid. It took 83 minutes to reconnect them, suggesting a national outage would take hours if not days.

Six years later, there is now a very real risk of a black start being realised because of the potential for the IoT to be used in this capacity, with nation state actors, hacktivists or terrorists all now motivated to carry out such an attack.

During our research we discovered we could remotely gain access to a very popular brand of smart thermostat of which there are over 250,000 installed according to the Shodan database. 

That’s just one thermostat. Burrow your way into other thermostats and you’ve got hundreds of thousands of controllers that can be commandeered and used to switch heating and cooling on and off in the home. 

There are also numerous IoT devices that could be used to create power surges in their own right, many of which are being controlled via home hubs, increasing the potential for compromise. For example, there are smart kettles (2.5kW), ovens (3kW), saunas (6kW) and electric cars (8kW).

Or you could simply go for the big time and target solar panels, which reports suggest contribute 50 percent of national power in some European countries. Or even the Industrial Control Systems (ICS) which control power consumption at source, unauthenticated versions of which can be located online via Shodan Safari.

The only challenge remaining for the attacker is how to remotely access these devices, but thanks to some shoddy security this often isn’t an issue. Bad practices include default credentials (often published online), unauthenticated Bluetooth pairing, and poorly secured web interfaces, APIs and mobile apps.

All allow rudimentary attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF) to be carried out, and are compounded by poor or non-existent update mechanisms that make it difficult to patch devices. Consequently, there’s already a significant testbed out there waiting to be harnessed, making it only a matter of time before we see seismic attacks which eclipse Mirai.

By Ken Munro, Partner, Pen Test Partners