Internet of Dangerous Things: How the IoT Revolution Threatens Your Small Business Network

© 2017 Calyptix Security Corp. | 800.650.8930 | [email protected]


The internet reaches almost every facet of modern life. We wake to the sound of an alarm on a smartphone, watch the morning news on an internet-enabled television, activate a home security system via a web app, and step into an internet-enabled car to drive to work. In the office, an army of gadgets awaits – from IP cameras and thermostats to workstations and servers – all sending data to one another and across the web.

This is the growing Internet of Things (IoT) and it connects billions of devices to the web. It’s a burst of innovation and technology that brings greater convenience and automation to our lives, but it also brings something else: an alarming security threat.

Millions of IoT devices installed today have poor security. For example, many lack the memory or processing power to support basic security functions, such as firmware updates to patch security flaws. Others have web interfaces that are trivial for hackers to breach. This combination of always-connected and never-secure makes potentially billions of IoT devices the perfect targets for hackers and malware developers.

The rapid growth and poor security of IoT devices pose a threat to users, but also to any business connected to the web. Millions of the devices are infected with malware, providing powerful weapons to malicious actors to attack businesses and the services they depend on. We are already seeing record-breaking DDoS attacks launched from armies of infected IoT gadgets.

In this report, we reveal the growing threat posed by an Internet of Flawed Things, how this can hurt your small business, and how to protect your company and your network.


‘Things’ are Booming

The Internet of Things is growing fast. Businesses of all types and sizes – from warehouses and hospitals, to local governments and retailers – are installing gadgets on the network at a rapid rate. Consumers are behind the trend, too, with strong adoption in IoT devices to help manage their health and homes.

While a clear definition of an “IoT device” does not exist, it is generally assumed to refer to simple devices that can connect to a network and/or the internet.

This includes examples such as a lightbulb that can be controlled with a smartphone app, hospital scales that automatically update patient records with a current weight, and wristbands that track a user’s steps for review in an online dashboard.

More than 15 billion internet-enabled gadgets were installed worldwide as of 2015. This is predicted to double to 30 billion by 2020, and then more than double again to 75 billion by 2025, according to this chart from analysis firm IHS. 1

Expansion of IoT devices in the home and office is all but guaranteed in the coming years. However, a question remains: will the manufacturers of these devices resolve their security problems before it’s too late?


Weak Security in ‘Things’

IT professionals are familiar with finding poor security in popular network devices. Small and home office (SOHO) routers are a perfect example. Millions of the cheap devices are installed across the U.S., and many have security flaws that have persisted for over a decade.

Not much has changed in recent years. This lax approach to security has carried into the IoT market. Millions of devices now sitting on customers’ networks have major vulnerabilities. They are found not only in the devices and their firmware, but also their supporting services.

For example, many IoT devices offer the convenience of a web interface for remote access. However, this creates an additional attack surface. Security flaws have been discovered in devices’ administrative interfaces, web interfaces, mobile applications, update mechanisms, and network services.

Some of the types of vulnerabilities often found in IoT devices and services, according to the OWASP IoT Project: 2

• Username leaks
• Weak default passwords
• Failure to lock login attempts after multiple failures
• Unencrypted communication, or using outdated encryption
• Lack of two-factor authentication
• Inability to update device firmware
• Storage location for update files is world writable, potentially allowing firmware to be modified and distributed to all users

In a 2014 study of the top 10 IoT devices, HP discovered 70% had security vulnerabilities. The total count averaged 25 flaws per device. Most had major security issues, some causing privacy concerns from leaking of personal data. Insufficient password security, lack of encryption, and insecure web interfaces were also discovered. 3

Security flaws found in “smart” stuffed animals, as reported by Motherboard in March, help illustrate the variety of vulnerabilities found in IoT devices. CloudPets sells cuddly toys that allow kids and away-from-home parents to leave messages for each other. Researchers discovered the company had more than 800,000 customer passwords and 2 million customer recordings in an unsecure online database. Further research revealed the toys could be hacked and turned into spy devices. 4

The list goes on. IoT devices such as door locks, pad locks, thermostats, and even wheelchairs had new vulnerabilities disclosed in August at DEF CON 24, one of the largest hacker conferences in the world. At least 47 new vulnerabilities affecting 23 devices from 21 manufacturers were revealed during the event. 5

Awareness is growing in the tech industry, security industry, and government agencies about the threats posed by IoT devices. In January, the Federal Trade Commission announced a contest to create a tool to allow consumers to address security concerns caused by outdated IoT software. The agency offered a cash prize of up to $25,000. 6


Threat to Small Businesses

The presence of insecure IoT devices on a small business network can bring multiple threats to the company. The most obvious is the threat of the device providing an entry point for attackers to breach the network and pivot to more valuable company assets (like a customer database). Another is the potential for a device to leak personal information about the company’s employees and customers, or proprietary information.

However, another growing threat to small businesses does not involve the IoT devices on their own networks, but instead the IoT devices across the world. This is the threat of growing DDoS botnets.

Growing DDoS Botnets

Botnets are collections of machines infected with malware designed to give a hacker some control over the machines’ behavior. The machines work like a hive of worker bees, executing commands and completing tasks for the hacker, usually without the owners’ knowledge. For example, bots can be used to send massive waves of spam emails.

Hackers and malware developers are well aware of the security flaws in IoT devices and are using them to build stronger botnets. Researchers have recently discovered several malware strains that combine automation with the knowledge of common IoT security flaws to build huge botnets with minimal effort.

These botnets are being used to launch massive distributed denial of service (DDoS) attacks with record-breaking strength. With a few simple commands, an attacker can send traffic from thousands of malware-infected bots to flood a target victim with a tsunami of traffic and take down its servers.

DDoS Attack Background

Denial of service attacks come in many flavors but the premise is the same. The goal is to render a target unavailable. An attacker floods the target with data in an attempt to consume all of its resources. If the target is overwhelmed, its performance slows or crashes.

A classic example of a DDoS attack is one that uses thousands of computers infected with botnet malware to flood a single target, such as a web server, with traffic. The volume of traffic overwhelms the server, crashing it, and knocking it offline. This causes a “denial of service” for its legitimate users.

DDoS attacks have been a problem since at least 2000, when a 15-year-old Canadian took out some of the biggest websites of the day, including Amazon, eBay, and Yahoo! The attacks are still launched against networks and web servers every day, and they continue to strengthen. 7

Record-Breaking DDoS Attacks

A recent DDoS attack targeted servers operated by Dyn, a major DNS service provider. Dyn estimates 100,000 endpoints flooded its architecture with traffic on Oct. 21, resulting in congestion and service outages for websites such as Twitter, PayPal, Amazon, and Netflix.

Researchers say the attack was launched from a botnet created by the Mirai strain of malware. Mirai builds botnets by searching the web for vulnerable IoT devices, infecting them, and secretly persisting. The botnet can then be used to overwhelm servers with massive waves of traffic.

Mirai is blamed for several other record-breaking DDoS attacks, including an attack against the blog of security reporter Brian Krebs that peaked at around 620 Gbps. In October, Mirai’s author poured fuel on the fire by publicly releasing the malware’s code, freely giving the weapon to any hacker with the skills to deploy it. 8 9


Not Just Fun and Games

Hackers join the world of cybercrime for many reasons, but the most common is to make money. The amount of expertise needed to create an IoT botnet is substantial, and hackers want a return on that investment. Below are a few ways hackers may attempt to turn their botnets into cash and how it will impact small businesses.

Extortion

Criminals are making millions of dollars through ransomware, which is a type of online extortion. Experts predict DDoS attacks will soon be used in a similar fashion. By disrupting an important business service with DDoS, potentially disabling it, attackers can demand payment to stop the attack. While attackers with the best tools are likely to target large companies with deep pockets, less sophisticated attackers with weaker weapons may target smaller businesses with weaker defenses.

Sales

Hackers have created DDoS weapons and sold them for years. A newer trend is to sell them as a monthly service. For a modest fee, a layman can rent a DDoS cannon and fire at will. They even offer tech support and training. Launching the attack is as simple as entering a target and clicking a mouse. This trend will continue to put DDoS weapons into the hands of more people, some of whom will attempt to squeeze money from businesses of all sizes.

Cloud disruption

Small businesses can also expect DDoS attacks to inconvenience them indirectly, such as through the cloud. Customer relationship management systems, websites, email servers, accounting systems, inventory systems – more of these services are hosted in the cloud than ever before. Small businesses love the typically low overhead and high availability these services offer. However, as DDoS weapons grow in strength and popularity, experts predict cloud and internet infrastructure providers will see more attacks. This can harm the availability of these services for the small businesses who depend on them.


Protect Your Network

IoT has made a small foray into small business environments. Measures must be taken to ensure these vulnerable devices do not put the organization at risk (and also to ensure they do not become part of a hacker’s botnet).

Change default passwords

One of the major flaws in IoT devices is their use of default passwords, such as “admin” and “12345”. Always change the password on a device installed on the network. Doing so will help protect it from automated malware strains like Mirai that rely on lazy configurations.

Segment the network

Identify the most important assets on the business network, such as customer data and employee data. Use network segmentation to separate these critical assets from high-risk devices and services on the network, such as IoT devices and guest wifi.

Update the firmware

Some IoT vendors are working to patch security flaws in their devices. Regularly check for firmware updates and apply them. If possible, choose devices that update automatically so patches are applied as soon as they are available. Any new devices purchased for the company should be required to provide easy or automatic firmware updates.

Reconsider IoT use

Before installing a new IP camera or smart thermostat in the office, ask yourself a few questions: Is this device necessary? What do we gain from it? What do we risk by using it? How can we mitigate those risks? Given all this information, should we install it on the business network?

If you choose to use the device, choose one from a manufacturer shown to respond promptly to security issues in the past. Other areas to consider are the ability to update the device’s firmware, the ease of the update process, whether the device’s web interface is secure and maintained, and the type of data the device may collect.

Add DDoS protection

Firewalls, intrusion prevention systems, rate limiters, and even dedicated DDoS protection services are just a few of the options available to prevent DDoS attacks and minimize the harm they cause. If you are in a high-risk industry or if you have experienced DDoS attacks in the past, then explore these options starting with basic online research.
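One way to check a device inventory against the measures above (default passwords, segmentation, firmware updates). This is an added example, not part of the Calyptix report; the inventory, segment plan, field names and function names are all constructed for illustration.

```python
import ipaddress

# Default passwords the report names as examples.
DEFAULT_PASSWORDS = {"admin", "12345"}

# Constructed segment plan: one subnet per network segment.
SEGMENTS = {"office": "10.0.10.0/24", "iot": "10.0.50.0/24", "guest": "10.0.60.0/24"}

# Constructed sample inventory (hypothetical hosts and recorded settings).
INVENTORY = [
    {"name": "crm-db", "ip": "10.0.10.5", "role": "critical"},
    {"name": "lobby-camera", "ip": "10.0.10.40", "role": "iot",
     "admin_password": "admin", "auto_update": False},
    {"name": "thermostat", "ip": "10.0.50.12", "role": "iot",
     "admin_password": "Xk9!vq2#Lm", "auto_update": True},
    {"name": "guest-ap", "ip": "10.0.60.1", "role": "guest"},
]

def segment_of(ip, segments=SEGMENTS):
    """Return the name of the segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in segments.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def audit(inventory, segments=SEGMENTS):
    """Return (device, issue) pairs for high-risk devices that break the checklist."""
    critical = {segment_of(d["ip"], segments)
                for d in inventory if d["role"] == "critical"}
    findings = []
    for d in inventory:
        if d["role"] not in ("iot", "guest"):
            continue
        seg = segment_of(d["ip"], segments)
        if seg is None:
            findings.append((d["name"], "not in any known segment"))
        elif seg in critical:
            findings.append((d["name"], f"shares segment '{seg}' with critical assets"))
        if d["role"] == "iot":
            if d.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
                findings.append((d["name"], "default password still set"))
            if not d.get("auto_update", False):
                findings.append((d["name"], "no automatic firmware updates"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```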


Sources

1. IHS: IoT platforms: enabling the Internet of Things (Mar 2016) - https://cdn.ihs.com/www/pdf/enabling-IOT.pdf

2. OWASP Internet of Things Project (Mar 2017) - https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Vulnerabilities

3. HP: Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack (Jul 2014) - http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.WL3RvPkrJPa

4. Motherboard: Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings (Feb 2017) - https://motherboard.vice.com/en_us/article/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings

5. CSO: Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON (Sept 2016) - http://www.csoonline.com/article/3119765/security/hackers-found-47-new-vulnerabilities-in-23-iot-devices-at-def-con.html

6. FTC: FTC Announces Internet of Things Challenge to Combat Security Vulnerabilities in Home Devices (Jan 2017) - https://www.ftc.gov/news-events/press-releases/2017/01/ftc-announces-internet-things-challenge-combat-security

7. Wired: Prison Urged For Mafiaboy (Jun 2001) - https://www.wired.com/2001/06/prison-urged-for-mafiaboy/

8. Dyn: Analysis Summary Of Friday October 21 Attack (Oct 2016) - http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/

9. Krebs on Security: Source Code for IoT Botnet ‘Mirai’ Released (Oct 2016) - https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/