IoT Security Part 1: Nobody Knows You’re A Hacked Light Bulb

Neil Gershenfeld, the MIT computer pioneer, once made the joke that “On the Internet, nobody knows you’re a lightbulb”. [1][2] Speaking back in 2005, he was referring to the then-emerging technology platform of the Internet of Things (IoT), where all sorts of devices and sensors such as webcams, lights, thermostats and even coffee pots were starting to be IP-enabled and connected to the Internet. The trouble is that, today, nobody knows you are a hacked light bulb. IoT security is rapidly becoming the great digital challenge of 2017.

A New Scale of Threat

In the closing months of 2016, it became clear that a new cyber-threat was emerging. A number of high-profile cases were reported in which large-scale botnets, built from IoT devices, were orchestrating Distributed Denial of Service (DDoS) attacks. This leveraging of physical devices, labelled by IBM as the weaponization of ‘Thing Bots’, has resulted in record-breaking attacks. [3]

Prominent examples include a 620 gigabit-per-second assault on the website of security journalist Brian Krebs and a huge flood attack on Dyn, a Domain Name System (DNS) provider to many large corporates including Twitter and CNN. To reinforce the growing feeling of crisis, in November the heating to several blocks of housing in Lappeenranta, Finland, was shut down when a similar remote attack knocked the buildings’ automation systems offline. All in all, Akamai reckon that at least seven attacks exceeding 100 Gbps in late 2016 were the work of Thing Bots. [4]

IoT device: “Nobody knows you’re a hacked light bulb.”

IoT is Vulnerable

What’s driving this new scale of DDoS attack? The culprit is the security vulnerabilities of IoT devices. Since Gershenfeld first coined his joke, the scale of IoT adoption has jumped dramatically, as falling costs and technological change have made it feasible to connect just about any physical object to the Internet.

According to Gartner, there will be 8.4 billion IoT devices in use by the end of this year, a number expected to rise to 20 billion by 2020. [5] IDC estimates that within five years 40% of all business-related data will be processed by physical devices at the edge of the network. [6] The trouble is that, in the headlong rush to connect physical stuff to the Internet, a great deal of basic security and common sense has been thrown by the wayside.

As Forbes magazine put it: “There are an awful, awful lot of ‘things’ out there, and people are connecting them with abandon”. [7]

Frequently built around very low-cost hardware and cut-down versions of the Linux operating system, IoT devices generally lack security as part of their core functional design. [8] Many devices ship from the factory with default passwords that few end users bother to change. Ports are left open by default, most commonly for Telnet (port 23, and sometimes the alternative port 2323), and many have unnecessary external-facing services enabled, such as a DNS forwarder. These devices are rarely updated with newer, more secure versions of firmware. Indeed, many devices are designed not to be patched at all, or lack any auto-update facility.

All in all, in the words of security expert Bruce Schneier’s recent testimony to a US Congressional committee, there has been a “fundamental market failure”: low cost has trumped built-in security design. [9]

Mirai Opens the Backdoor

IoT security problems have been known for years, but it was only in late 2016 that hackers devised a software system capable of exploiting the open doors of devices on a scale that would finally bring serious attention to the problem. First released quietly in September 2016 by a user known only as “Anna-Senpai”, with copies soon appearing on GitHub and other code-sharing sites, there can be few people working in IT who have not now heard the word ‘Mirai’. [10]

The code is an incarnation of an existing malware Trojan that had been floating around the hacker community for a number of years. It has two core functions: locate and grow its botnet army of infected devices, and provide a command and control (C&C) mechanism for using this army to launch DDoS attacks (including ACK floods, DNS water torture and GRE IP floods). [11] Mirai is self-propagating: an enslaved device immediately starts scanning for other devices to infect by trying a built-in dictionary of factory-default usernames and passwords over Telnet. Rather deviously, it also contains functionality to remove other, competing malware from the device and to kill the Telnet, SSH and web services it used to get in, leaving it fully in control and locking the owner out.
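As an added example (not Mirai’s code, and not part of the original article), the Python below shows the two defender-side checks that follow from the previous paragraphs: a configuration audit that flags devices still running factory-default credentials or exposing Telnet, and a flow-log check that flags any host probing many distinct addresses on the Telnet ports within a short window, which is exactly what a freshly infected bot does when it starts hunting for its next victim. The device inventory, the flow-log format, the threshold of 8 targets in 60 seconds and the credential list (a handful of pairs from Mirai’s published login dictionary) are all constructed for this example and should be tuned to your own environment.

```python
"""Two defender-side checks for Mirai-style behaviour, run on constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports Mirai's published scanner probes: 23 and, less often, 2323.
TELNET_PORTS = {23, 2323}
# A few username/password pairs taken from the published Mirai login dictionary.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("root", "root"),
    ("admin", "admin"), ("admin", "1234"), ("support", "support"),
}

# --- Check 1: device inventory audit ------------------------------------------
# Constructed inventory, as a deployment database or config export might hold it.
DEVICES = [
    {"name": "cam-07",   "user": "root",  "password": "xc3511",       "services": {23, 80}},
    {"name": "dvr-02",   "user": "admin", "password": "admin",        "services": {2323, 80}},
    {"name": "lamp-11",  "user": "admin", "password": "L0ng-rand0m!", "services": {443}},
    {"name": "router-1", "user": "admin", "password": "L0ng-rand0m!", "services": {23, 443}},
]

def audit_devices(devices, defaults=DEFAULT_CREDS):
    """Map device name -> list of findings; devices with no findings are omitted."""
    report = {}
    for dev in devices:
        findings = []
        if (dev["user"], dev["password"]) in defaults:
            findings.append(f"default credential {dev['user']}/{dev['password']}")
        for port in sorted(dev["services"] & TELNET_PORTS):
            findings.append(f"telnet exposed on {port}")
        if findings:
            report[dev["name"]] = findings
    return report

# --- Check 2: Telnet scan detection from flow records -------------------------
# Constructed flow log: "<utc-timestamp> <src> <dst> <dst_port> <proto> <tcp-flags>".
# 192.0.2.10 behaves like a bot (9 distinct Telnet targets in 5 s); 192.0.2.20 is
# an ordinary client; the "A" line is an established flow, not a new probe.
FLOW_LOG = """\
2016-10-21T12:00:01Z 192.0.2.10 198.51.100.5 23 tcp S
2016-10-21T12:00:01Z 192.0.2.10 198.51.100.77 23 tcp S
2016-10-21T12:00:02Z 192.0.2.10 203.0.113.14 2323 tcp S
2016-10-21T12:00:02Z 192.0.2.10 203.0.113.90 23 tcp S
2016-10-21T12:00:03Z 192.0.2.10 198.51.100.8 23 tcp S
2016-10-21T12:00:03Z 192.0.2.10 198.51.100.9 23 tcp S
2016-10-21T12:00:04Z 192.0.2.10 203.0.113.2 23 tcp S
2016-10-21T12:00:04Z 192.0.2.10 203.0.113.3 23 tcp S
2016-10-21T12:00:05Z 192.0.2.10 198.51.100.5 23 tcp S
2016-10-21T12:00:05Z 192.0.2.10 198.51.100.60 23 tcp S
2016-10-21T12:00:01Z 192.0.2.20 198.51.100.5 443 tcp S
2016-10-21T12:00:02Z 192.0.2.20 198.51.100.6 443 tcp S
2016-10-21T12:00:03Z 192.0.2.20 198.51.100.7 23 tcp S
2016-10-21T12:00:06Z 192.0.2.30 198.51.100.5 23 tcp A
"""

SCAN_WINDOW = timedelta(seconds=60)   # assumed tuning values for this example
SCAN_THRESHOLD = 8                    # distinct Telnet targets per source per window

def detect_telnet_scanners(flow_lines, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Map src -> peak number of distinct Telnet-port targets in any `window`,
    for sources that reach `threshold`. Only pure SYNs count, so repeat
    connections to one host and already-established flows are ignored."""
    syns = defaultdict(list)
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 6:
            continue                      # blank or malformed line
        ts, src, dst, port, proto, flags = parts
        if proto != "tcp" or int(port) not in TELNET_PORTS or flags != "S":
            continue
        syns[src].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dst))
    scanners = {}
    for src, events in syns.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):   # O(n^2) per source; fine for a demo
            targets = {dst for t, dst in events[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            scanners[src] = peak
    return scanners

if __name__ == "__main__":
    print(audit_devices(DEVICES))
    print(detect_telnet_scanners(FLOW_LOG.splitlines()))
```

The inventory audit is the cheap, proactive check: anything it flags is a device Mirai’s dictionary would have opened within seconds of the first probe. The flow check is the reactive one; a device that has already been compromised announces itself by fanning out to dozens of Telnet ports a minute, so an egress rule or NetFlow alert on exactly that pattern catches infections that no firmware update was ever going to prevent.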

Mirai is a powerful, configurable and highly customizable tool for hackers. It is easy to set up (a working deployment within an hour) and it infects devices fast, giving exponential growth in the number of bots (experts estimate it can locate and build huge botnets within 24 hours). [12] This new tool and its derivatives have given cyber-criminals the ability to create huge, powerful Thing Bots consisting of hundreds of thousands of enslaved devices, allowing DDoS attacks to be orchestrated with ease.

To date, Mirai has been used for rather simplistic brute-force flooding attacks, albeit measured in hundreds of gigabits per second, without recourse to the even greater scale that more sophisticated spoofing and amplification techniques could deliver. The easy availability of the code meant that within weeks hackers were selling access to Mirai-powered botnets on the Dark Web. These botnets can be hired to act as ‘DDoS cannons’, with prices based on the number of bots and the attack duration.

For the black-hat hacker community, this was all manna from heaven. As Sean Newman of Corero Network Security told a recent security conference (the UK Network Operators’ Forum):

“Mirai was a lightbulb moment for other attackers in the community, to say ‘Ok that’s an interesting way of creating attacks compared to my traditional ways of attacking sites using DDoS, things like amplification, reflection techniques’…moving to harness an IoT botnet that is nicely harnessed, ready there, waiting to be used”. [13]

The upshot is that not only have we seen high-profile IoT-based attacks, such as the one on Dyn, but also, as Radware point out in a recent research note, Mirai has changed the economics of hacking. Before easy-to-purchase IoT botnets, cybercriminals had to expend large amounts of time and money constructing armies of PC- and server-based bots with enough capacity to cause damage. With IoT, bot masters can now take control, in minutes, of vast arrays of millions of unsecured devices at near-zero cost. The resulting ‘Booter/Stresser’ or ‘DDoS-for-hire’ services give anyone, even the non-technical, the ability to mount a DDoS attack against targets of their choice. [14]


IoT Security. It’s Only the Beginning

Unfortunately, we are almost certainly only at the beginning of the IoT problem. Mirai was released as open source code and is therefore easily modified. This could result in untold new varieties of attack, for example combining an IoT botnet with amplification techniques to produce multi-terabit DDoS attacks. [12] Security expert Gary Sockrider of DDoS defence firm Arbor Networks believes this is only a matter of time; variants of the source code with this extra capability have already been spotted in the wild, although not yet used in anger. [15]

For this reason, activereach is actively engaging with our customers to make them aware of this new threat and to start working towards solutions. The first step is to understand why this threat is so very different from previous modes of DDoS attack.

Raza Rizvi, activereach Technical Director, says:

“The pervasiveness and scale of IoT threats coupled with increasing ease of use mean that any, and all, malevolent actors will see IoT generated attacks as the simplest means of retribution or coercion. A mitigation strategy of ‘Deploy, Tick, and Forget’ will no longer serve an organisation well, nor will it be considered appropriate by the regulatory and compliance authorities.”

And the task is urgent: a recent article in Communications of the ACM warns of an even darker future. [16] To date, IoT devices have been enslaved in order to be harnessed for DDoS attacks. In many cases the owners are unaware, and the devices continue to function. Future attackers may not be so benign. As the article points out, IoT is increasingly used in essential settings such as healthcare devices and electricity smart meters and, in the near future, autonomous cars. Sadly, as the Finnish heating example shows, it is only a matter of time before other, far more serious forms of device manipulation come to the fore. As Or Katz of Akamai told the RSA 2017 conference: “Once upon a time, the Internet of Things held unimaginable promise…Then came Mirai”. [17]

Somewhere, out on the Internet, there’s a hacked lightbulb with your company’s name on it.

Part 2 of this article “Preparing For the DDoS of Things” coming soon.

[1] Neil Gershenfeld: founder of MIT’s Center for Bits and Atoms, a sister lab to the famous MIT Media Lab.

[2] Snide, T., ‘The “Internet of Things” and Automation’ [blog], Schneider Electric Blog (18th June 2013).

[3] IBM X-Force Research, The weaponization of IoT devices: Rise of the thingbots (Somers, NY: IBM Security, April 2017).

[4] Akamai, Akamai’s [state of the internet]: security Q4 2016 report (Cambridge, MA: Akamai Technologies, Inc., Feb 2017).

[5] Gartner, ‘Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016’, Gartner press release (7th Feb 2017).

[6] IDC, Connecting the IoT: The Road to Success (Framingham, MA: IDC Corporate USA, 2017).

[7] Lloyd, M., ‘The Internet Of Things That Can Attack You’, Forbes, 17th Feb 2017.

[8] Khalimonenko, A., Strohschneider, J., Kupreev, O., ‘DDoS attacks in Q4 2016’ [blog], AO Kaspersky Lab (2nd Feb 2017).

[9] Schneier, B., Testimony of Bruce Schneier before U.S. House of Representatives Committee on Energy and Commerce Joint Hearing Entitled “Understanding the Role of Connected Devices in Recent Cyber Attacks”, Washington DC, 16th Nov 2016.

[10] Krebs, B., ‘Who is Anna-Senpai, the Mirai Worm Author?’ [blog], Krebs on Security (18th Jan 2017).

[11] Herzberg, B., Bekerman, D., Zeifman, I., ‘Breaking Down Mirai: An IoT DDoS Botnet Analysis’ [blog], Imperva blog (26th Oct 2016).

[12] Radware, Global Application & Network Security Report 2016-17 (Tel Aviv, Israel: Radware Ltd, Jan 2017).

[13] Newman, S., ‘IoT as an Attack Vector’ YouTube [Video] (recorded 20th April 2017, uploaded 2nd May 2017), https://www.youtube.com/watch?v=EbAJI4JqzSc&list=PLjzK5ZtLlc93tcFAsdhfT3EFw1AifNNZJ&index=6 [04:00]

[14] Arbor Networks, 12th Worldwide Infrastructure Security Report, (Burlington, MA: Arbor Networks Inc., Jan 2017).

[15] Schwartz, M., ‘Mirai Tools Up for Advanced DDoS Attacks’ [blog], Bank Info Security (13th March 2017).

[16] Lindqvist, U., Neumann, P., ‘The Future of the Internet of Things’, Communications of the ACM, 60/2 (2017), 26-30.

[17] Greene, T., ‘RSA 2017: The Internet of Things security threat’, Network World (2nd Feb 2017), https://www.networkworld.com/article/3164839/security/rsa-2017-the-internet-of-things-security-threat.html