Cybersecurity
When botnets attack
The fact that IoT systems are very easy to attack has not only been proven by countless live hacks, but also by real botnet attacks. Service access points are proving to be a serious weak point.
The 'Situation report on IT security in Germany' presented in November last year explicitly highlighted the dangers and vulnerabilities in the IoT. The situation here is worrying. Countless networked microcomputer systems still have factory-set default passwords, which can even be found in the operating instructions available on the internet. Options for updating software to eliminate security vulnerabilities are not even offered. What's more, most users of IoT modules don't even notice when, for example, a smart home thermostat or a system controller is being used by cyber criminals as a remote-controlled weapon of attack.
Although the number of IoT wireless sensors, wireless actuators and cloud solutions in smart home and smart factory applications is growing at a remarkable pace, and more and more products with significant security vulnerabilities (such as wireless sockets from discount stores) are coming onto the market, no targeted DDoS attacks or other large-scale ransomware attacks on these components and infrastructures have, according to the BSI, been identified to date.
IoT solutions were indirectly affected by the attacks on Telekom routers in the fall of 2016 (Speedport routers) and 2017 (Huawei routers). In the first case, however, they were not the primary target. There are still too few details about the incident at the end of November and beginning of December 2017 to conclusively assess the motives of the attackers. In any case, it is only a matter of time before cyber criminals find suitable 'business models' for becoming active in the IoT segment.
More and more IoT bot networks
Sensor-to-cloud applications in particular offer cyber attackers a wide range of attack vectors. Not only gateways and routers, but also the cloud, invite attackers to misuse the building blocks of such a solution.
© SSV Software Systems

The misuse of IoT components in botnet attacks, on the other hand, is a completely different story. Here, computer systems connected to the internet are extended by remotely controllable malware in order to attack other computers anywhere in the world through orchestrated actions. What is particularly remarkable here is the speed at which the number of IoT modules used as bots in such attack networks has grown in recent years. In 2014, the largest IoT botnet observed at the time had just 75,000 infected network systems. In August 2016, Mirai was already an almost 700% larger botnet: more than 500,000 infected microcomputer systems in digital video recorders, surveillance cameras, routers and IoT devices formed a remotely controllable network for the first time, disrupting the operation of the internet. All bot systems affected by the Mirai malware had an embedded Linux operating system without special security precautions, including factory-set passwords as vulnerabilities that were exploited by the Mirai operators to install the remote control software.
With the number of IoT components directly or indirectly connected to the Internet predicted to exceed 20 billion by 2020, IoT botnet growth should be taken very seriously. Many of these 20 billion or so IoT devices will have virtually no up-to-date protection mechanisms or update capabilities to prevent increasingly sophisticated criminals from exploiting them to attack other infrastructure components or services. In addition, there are countless smartphones with a very low level of security, for which practically no updates are available. It can therefore be assumed that we will see the first botnet attack by a remote-controlled network with tens of millions of individual IoT modules and smartphones in the next few years. The effects of such an attack (for example in the form of a cyber-physical attack on public infrastructure) could be very dramatic due to the advancing digitalization and cause consequential damage that cannot even begin to be estimated at the moment.
Service access as a weak point
The vulnerabilities for the Telekom router attacks in the fall of 2016 and 2017 were TCP-based service interfaces that were used to install malicious code from the internet. From a technical point of view, it is actually incomprehensible why, for example, the Linux-based firmware of a router does not notice that a firmware change has been made via Internet access to enable botnet integration. Such factory-installed 'vulnerabilities' are not only found in routers, but also in many surveillance cameras, IoT gateways and even in the Industry 4.0 environment.
In the case of such a malicious code injection, a simple software change message to a central maintenance server on the internet would be enough to identify the manipulation and notify the router, camera or gateway operators. All the firmware of a networked microcomputer system has to do is recognize that 'unknown' software has been installed or started. For an embedded Linux, such a root-of-trust check of the software added via service access could be implemented with relatively few additional lines of code.
The attack pattern
The integration of an Internet-accessible microcomputer system into a botnet and its misuse is carried out in five steps:
- Search for bots: The attackers search the Internet specifically for systems with certain characteristics in order to integrate them into a botnet. Several methods can be used for the search. In some cases, botnets are also used for the search itself.
- Programming bots: Systems found with a known 'vulnerability' are equipped by the attackers with remote control software as malicious code in order to control them remotely later from a central command and control server (C&C or C2 server).
- Creating a C2 server: Setting up a C2 server somewhere on the Internet. The individual bots are remotely controlled from this computer as an orchestra if required. As a rule, the IP address of a C2 server does not allow any conclusions to be drawn about the identity and location of the attackers.
- Determine the target: Select the actual target of the attack, for example any server on the Internet, which is then no longer accessible to other users (such as the customers of an online store) due to overload.
- Attack: Launch and monitor the attack via the C2 server. The attackers launch the attack from another computer via a remote access connection to the C2 server, monitor the effects and also stop the attack again.
What happens next?
The countless 'sensor-to-cloud' IoT applications in particular are likely to be a very attractive target for cyber attackers in the future. On the one hand, the system architecture offers a wide range of possibilities for various attack vectors - not only routers and gateways, some of which have well-known and still inadequately protected TR-069 service interfaces, are suitable targets. The cloud itself is also full of potential points of attack due to Meltdown & Spectre. On the other hand, pre-shared keys, access authorizations to the gateway or the cloud programmed into the firmware and a lack of update options mean that there are virtually no up-to-date protective measures.
In professional solutions, the embedded microcomputers should always have a connection to a central maintenance server that is operated in a particularly secure environment. The microcomputers check there from time to time to see if there are any updates that need to be installed. Automatic notification via a subscriber channel is also possible. In addition, every change to the device configuration and software is reported by the microcomputer to the maintenance server.
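The software-change detection described under 'Service access as a weak point' and the change reporting to a maintenance server described here can be sketched as follows. This is an added example, not SSV code: the device holds an HMAC-protected manifest of file hashes, compares the live filesystem against it, and produces the change message it would send; the key storage, message fields and sample file tree are assumptions.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# The device keeps an HMAC-protected manifest (path -> SHA-256) of the software it
# shipped with. On real hardware the key would sit in a secure element (assumption).

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def build_manifest(root: Path, key: bytes) -> dict:
    files = snapshot(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def detect_changes(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare the live filesystem against the manifest; the result is the message
    the device would report to the maintenance server (field names are assumptions)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(manifest["mac"], hmac.new(key, body, hashlib.sha256).hexdigest()):
        return {"manifest_tampered": True, "added": [], "modified": [], "removed": []}
    expected, actual = manifest["files"], snapshot(root)
    return {"manifest_tampered": False,
            "added": sorted(set(actual) - set(expected)),
            "modified": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
            "removed": sorted(set(expected) - set(actual))}

def simulated_device_check() -> dict:
    """Constructed scenario: a gateway ships two files, then an 'unknown' binary is
    dropped and the config is rewritten through the service interface."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "httpd").write_bytes(b"original firmware binary")
    (root / "config.txt").write_bytes(b"remote_port=7547\n")
    key = b"example-key-from-secure-element"
    manifest = build_manifest(root, key)
    (root / "bin" / "dropper").write_bytes(b"injected code")
    (root / "config.txt").write_bytes(b"remote_port=7547\ndns=203.0.113.1\n")
    return detect_changes(root, manifest, key)
```

Because the manifest is keyed, an attacker who rewrites files cannot simply regenerate the hash list; the maintenance server sees either a change report or a tampered-manifest report.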
Author:
Klaus-Dieter Walter is a member of the management team at SSV Software Systems.