This year's hot topic has been the Internet of Things - "smart" physical devices connected to your network and the Internet. From CCTV, baby monitors, central heating systems and home automation right through to home appliances and modern vehicles, these smart devices are quickly becoming defacto in home living and small business environments.
Furthermore such devices are tempting cheap alternatives to industrial control systems, fire and security control and other applications in larger business environments. Within each IoT device is an embedded computer usually running a cut-down version of Linux.
Next year's hot topic will be IoT security. I predict a lot of media coverage, a lot of product recalls, and possibly the birth of a new acronym with the word 'security' in it. The truth is millions of IoT devices are vulnerable to attack online. IoT device owners know little of the innards and rarely think to treat them as mini computers, which require security considerations and regular maintenance to keep them running smoothly. Sadly some manufacturers have overlooked this too. This year has seen some big malware developments taking advantage of the insecure IoT landscape which, hopefully, has been enough to shock consumers and manufacturers into taking security seriously.
In this article I want to explore how IoT devices are infected with malware in the first place, and some basic steps you can take with your existing equipment to mitigate those infection risks. In the next article I will go into more depth for securing individual IoT devices and networks in general.
Your home or small business network likely looks similar to the diagram below. A broadband router sits in the centre of many connected devices (wired and/or Wi-Fi) and provides Internet access. Your router will have a firewall running to prevent strange inbound connections from reaching devices on your network. This firewall is important!
Shiny new IoT device
Several things happen when you connect a new IoT device to your network.
Typically your router's firewall will allow all outbound connections from devices on your network to the general Internet. This is for convenience, the majority of consumers would get frustrated at having to allow each type of outbound Internet traffic as it happened! And most routers don't allow filtering of outbound connections.
Your new IoT device will do some basic networking checks, update the local clock from a time server, and (if you're lucky) check for software updates. Most IoT manufacturers configure their devices to "phone home" to know how large their userbase is and in which countries.
Many IoT devices allow you to manage it remotely while you're away from home. Some devices will prompt you first if this feature should be enabled, others will simply enable it. Enabling remote administration will usually use Universal Plug n Play (UPnP) - a feature of modern routers - to automatically open inbound ports on your firewall directly to the IoT device. If you have disabled UPnP or for some reason it doesn't work, the IoT device usually prompts you to open the firewall ports manually. This is where it gets dangerous folks.
Some naughty IoT boxes have manufacturer-only remote administration tools. If they exist, these are often enabled by default, have lax security measures, and can be seriously abused by malware makers. Again these devices will attempt to use UPnP to automatically open ports on your firewall.
In the spirit of bad analogies (my trademark it seems), imagine your public IP address is like a phone number for a large company headquarters. Ports are like extension numbers to get to a particular employee once you've dialled the number.
Not following? Your broadband router has a public Internet IP address. Routers usually only have one (there's a shortage of IPv4 addresses right now, and the new IPv6 standard isn't fully adopted yet). Chances are though, you have lots of devices on your internal network which you'd like to access remotely.
Each device has an internal IP address (usually
192.168.1.xxx) but these are not accessable from the outside world. So the router does some clever translation, called Network Address Translation (NAT), which routes packets from the Internet to specific internal IP addresses based on another number - the port.
So each device can listen on several thousand ports on that single IP address. Ports have different uses, let's have a quick look at some common ones;
|21||FTP||File upload/download (eg software updates)|
|22||Telnet||Remote admin by manufacturer|
|23||SSH||Secure remote admin by manufacturer|
|80||HTTP||Remote admin by owner|
|443||HTTPS||Secure admin by owner|
These are just recommended port numbers - in reality these services can run on any port. But the majority of IoT manufacturers use standard ports for predictability.
So when you plug in a new IoT device it will use UPnP (or prompt you) to configure port forwarding on your router. External connections from anywhere in the world to your public IP address on a specific port number will get routed straight through to your IoT device.
Opening ports on a firewall for remote-control of IoT devices is, in my opinion, akin to leaving your front door open to trebuchet cat food from the office car park. Yes, it works, but your front door is open. Catapulting food through the cat flap is the better approach, and there are ways to do that with more advanced routers.
In this case, by opening ports 21, 22 and 23 (and in some cases 80 and 443) your IoT device may be easily compromised by attackers. The services running on these ports are password protected but manufacturers often use one username/password for every device they make.
So how does a malicious attacker find your IoT device and gain access?
First they scan all public IP addresses on the Internet looking for specific ports. They look for juicy ports like 21, 22 and 23 which allow low-level remote administration of the IoT system (usually a cut-down Linux system), but sometimes bugs in web admin panels can be useful too, so they'll look for port 80 and 443. If they find an open port then they move on to the next step.
As we know, many IoT manufacturers use a default username and password. An attacker will use a simple dictionary attack to attempt dozens or hundreds of username and password combinations until they can gain access. Bugs in other services might reveal credentials or grant low-level access even without a password. Once completed they move to the next step.
Now they can run low-level commands on the IoT device without the owner's knowledge. Usually the first command is to download malware from a remote server and run it. The malware itself will do several things - unload other malware if it exists, attempt to hide itself, perhaps block you from remote administration, then "call home" to register itself as a zombie bot (for DDoS attacks) or for further instructions.
The IoT device is now compromised.
Most attacks of this nature are fully automated. Previously compromised IoT devices are used to scan public IP addresses for more victims and malware spread has a snowball effect. The scans are so efficient that the entire range of public IP addresses can be scanned in just a few minutes.
Exploiting IoT devices
In general these embedded IoT devices have very little computing power, but have a fair amount of bandwidth available to them with modern broadband connections. The attacks we witnessed this year focussed on denial-of-service - that is turning IoT devices into botnet zombies which can be used as part of an orchestrated traffic surge against a third party target. It requires very little CPU and as much bandwidth as possible.
So far exploits have failed to take advantage of the bigger picture. IoT devices often have complete access to every other device on the network, without pesky firewalls or packet filters getting in the way. They will also have access to compromisable devices which otherwise couldn't be reached from outside of the network. Furthermore IoT devices have real-world capabilities which only a handful of exploits are targetting. CCTV, smart TVs, remote-controlled physical actuators and even vehicles could do any number of horrible things once compromised which can risk owner privacy, security and safety.
Securing against attacks
With a basic broadband router you are limited in the tools you have available to stop attacks in their tracks. There are some basic security measures you can take;
- Scan your public IP address for open ports. Use a tool like Steve Gibson's ShieldsUP! to find open ports and report them. Run this test when you connect new IoT devices to your network.
- Disable UPnP on your router. Setting up port forwarding by yourself is only painful for the first couple of times. You will soon be comfortable understanding port forwarding and what devices on your network need to accept incoming Internet connections (and why).
- Only open ports you absolutely have to. Do you really need web access to light bulbs while you're on holiday? Probably not.
- Watch your bandwidth usage while you're not using the Internet. Most routers or ISPs let you see traffic graphs or at least realtime upload/download speeds. Tiny amounts of traffic in the background is normal (time updates, software update checks, etc) but large amounts of traffic are unusual. Your router may even tell you which internal device on your network is generating that traffic. It might be a sign that you've been compromised.
- Search for your IoT device online. Does it use default usernames or passwords? Does it expose strange ports for remote administration? Some devices can't be fixed for security - you may be able to get a refund or replacement from the retailer or manufacturer. Also check for product recalls as this becomes a hot topic next year.
- Use a hardware firewall or better open source router. Some old routers can be flashed with open source software like DD-WRT and there are many open source firewalls out there. This is great if you have an old PC or embedded computer and a spare Sunday afternoon. Or cheap ones can be picked up online.
In the next article in this series I will look at how to secure your network with a new router or hardware firewall. The cost is minimal and the benefits are huge. Until then, if you enjoyed this article please consider sharing it with your friends and colleagues. Together we can reduce vulnerable IoT devices.