Insecure IoT: A Modern Day Spy
Popular current events create large targets for cyber attack activity. With large crowds drawn in and attention focused on an event, attackers with various motives attempt to leverage the opportunity. Attackers can disrupt infrastructure, steal data, promote a cause, or attempt to turn insecure IoT devices into eavesdropping devices. The latter motive was suspected in a surge of cyber attacks during the July 16 Trump-Putin summit, which took place in Helsinki, Finland. Security researchers at F5 noticed a surge in attacks against services that are commonly used to steal data and compromise devices: SIP traffic, SQL, and Telnet. A similar surge in attack traffic was seen during the Trump-Kim summit in Singapore last month.
Instead of coordinating and risking a human asset on the ground to plant an eavesdropping device in the hotel of a diplomat or high-ranking official, spy agencies today look to insecure IoT devices to provide a beachhead from which to launch further attacks. Gone are the days of intelligence agents dressing up as HVAC repair personnel to plant a bug in a hotel room. This is similar to the advent of Unmanned Aerial Vehicles (UAVs), which reduced the risk and cost associated with using human pilots. With the widespread use of IoT devices with disparate security controls, attackers simply need to remotely control these devices to gain the information they desire.
Events such as planned international summits bring together a concentration of high-value intelligence targets in one location. The Helsinki attacks focused on SSH, used to remotely control and monitor IoT devices, and SMB, a network file-sharing protocol. Security researchers saw attacks centred on brute-force attempts to remotely take over insecure IoT devices. For example, the Satori and Mirai botnets contain lists of hard-coded credentials for many popular IoT devices such as security DVRs, IP cameras, and routers.
Using technology to target people of interest is not necessarily new. However, the interconnected world and the rise of IoT devices designed without security in mind have created an enormous attack surface. Insecure IoT affects more than just smart homes: simple routers are being used by attackers to reflect and redirect their attacks, making them more powerful and more difficult to trace.
Protecting IoT devices is akin to guarding a screen door. Until there is a standard to secure and securely update IoT devices, security practitioners will be fighting an uphill battle.
Using services like Quad9 DNS, a free service from IBM’s X-Force, is a quick and effective way to prevent IoT devices from communicating with known-bad destinations. Properly segmenting networks so that IoT devices have no access to sensitive or production networks greatly reduces the impact of a breach once an IoT device has been compromised.
Blocking known-bad destinations by DNS is not enough on its own: clever attackers are getting more savvy, abusing typically allowed protocols such as DNS and VoIP (SIP) and exfiltrating data through methods such as DNS tunneling. A next-generation firewall capable of deep packet inspection can detect and block this exfiltration method.
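The paragraph above names DNS tunneling as the exfiltration method that simple destination blocking misses. The following is an added example, not code from the original post or from any vendor product mentioned in it, showing the kind of heuristics a deep-packet-inspection appliance or a DNS log review applies to spot a tunnel: many distinct subdomains under one registered domain, long labels whose characters look random (high Shannon entropy), and a high share of TXT queries. The log format, the domain names, and the thresholds are all assumptions constructed for the example; the sample log is made up and the hex labels imitate an encoded payload.

```python
"""Heuristic DNS-tunneling detection over a DNS query log (added example)."""
import math
from collections import defaultdict

# Constructed sample log. Assumed format: "<time> <client> <qtype> <qname>".
# The 32-character hex labels under exfil-example.test imitate encoded data.
SAMPLE_LOG = """\
2018-07-16T10:00:01 192.168.50.20 A api.vendor-example.com
2018-07-16T10:00:02 192.168.50.20 A firmware.vendor-example.com
2018-07-16T10:00:03 192.168.50.21 A api.vendor-example.com
2018-07-16T10:00:04 192.168.50.21 AAAA api.vendor-example.com
2018-07-16T10:00:05 192.168.50.22 A pool.ntp.org
2018-07-16T10:00:06 192.168.50.22 A time.vendor-example.com
2018-07-16T10:00:07 192.168.50.22 A api.vendor-example.com
2018-07-16T10:01:00 192.168.50.31 TXT 3f9a1c77e02b4d5e8a61ff0c9b23d4e7.t.exfil-example.test
2018-07-16T10:01:01 192.168.50.31 TXT 81c4e0f9a26d7b3e5f10c9a4d8e2b761.t.exfil-example.test
2018-07-16T10:01:02 192.168.50.31 TXT d2a7f04c9e1b63857af0e2c14b9d6e03.t.exfil-example.test
2018-07-16T10:01:03 192.168.50.31 TXT 7e5c03b9f1a42d68e9c7b0a3f5d21e84.t.exfil-example.test
2018-07-16T10:01:04 192.168.50.31 TXT a40f9d2c6e81b75f3c0a9e4d7b2f1c68.t.exfil-example.test
2018-07-16T10:01:05 192.168.50.31 TXT c9b1e6f30a7d4258e3f1b9c0a6d7e245.t.exfil-example.test
2018-07-16T10:01:06 192.168.50.31 TXT 5d8e2a7f0c1b94e6a3d5f7c0e9b1284a.t.exfil-example.test
2018-07-16T10:01:07 192.168.50.31 TXT f17c4b0e9a3d6258c0e7a1f4b9d3e56c.t.exfil-example.test
2018-07-16T10:01:08 192.168.50.31 TXT 2b6d9f0e3c7a1485b9e2c4d0f6a7e31d.t.exfil-example.test
2018-07-16T10:01:09 192.168.50.31 TXT e0a3c7d1f95b2864d7f0e3a9c1b5462e.t.exfil-example.test
2018-07-16T10:01:10 192.168.50.31 TXT 98f2d4a6c0e1b735a4d9f2c6e0b1873f.t.exfil-example.test
2018-07-16T10:01:11 192.168.50.31 TXT 6c1e9b4d0f7a2e58c3b6d0a9f1e4572b.t.exfil-example.test
"""
# Benign "many subdomains" case (CDN-style short hostnames) to show the
# detector keys on label content, not on subdomain count alone.
SAMPLE_LOG += "".join(f"2018-07-16T10:02:{i:02d} 192.168.50.40 A img{i}.cdn-example.net\n"
                      for i in range(1, 9))


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into (time, client, qtype, qname)."""
    time, client, qtype, qname = line.split()
    return time, client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname: str):
    """Return (subdomain_part, registered_domain).
    Assumption: the registered domain is the last two labels. A real deployment
    should use the Public Suffix List, since e.g. 'co.uk' breaks this rule."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def domain_stats(log_text: str) -> dict:
    """Aggregate per-registered-domain features: query count, TXT count,
    distinct subdomains, total label length and total label entropy."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                 "sub_len": 0, "entropy": 0.0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        sub, domain = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        s["subdomains"].add(sub)
        s["clients"].add(client)
        compact = sub.replace(".", "")          # measure the data-carrying part only
        s["sub_len"] += len(compact)
        s["entropy"] += shannon_entropy(compact)
    return stats


def flag_tunnelling(log_text: str, min_queries: int = 6, max_avg_len: int = 20,
                    max_entropy: float = 3.3, max_txt_ratio: float = 0.5) -> dict:
    """Return {registered_domain: [reasons]} for domains that look like a tunnel.
    Thresholds are assumptions; tune them against a baseline of known-good traffic."""
    flagged = {}
    for domain, s in domain_stats(log_text).items():
        if s["queries"] < min_queries:
            continue                             # too little data to judge
        avg_len = s["sub_len"] / s["queries"]
        avg_entropy = s["entropy"] / s["queries"]
        txt_ratio = s["txt"] / s["queries"]
        reasons = []
        # Many distinct, long subdomains: each query carries a fresh chunk of data.
        if len(s["subdomains"]) >= min_queries and avg_len > max_avg_len:
            reasons.append(f"{len(s['subdomains'])} unique subdomains, avg label length {avg_len:.1f}")
        # Encoded payloads look random; ordinary hostnames do not.
        if avg_entropy > max_entropy:
            reasons.append(f"avg label entropy {avg_entropy:.2f} bits/char")
        # TXT answers are the roomiest channel for data flowing back to the client.
        if txt_ratio > max_txt_ratio:
            reasons.append(f"{txt_ratio:.0%} of queries are TXT")
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunnelling(SAMPLE_LOG).items():
        print(f"{domain}: " + "; ".join(reasons))
```

Run against the constructed log, only `exfil-example.test` is reported, on all three counts; `vendor-example.com` (few, short, dictionary-like hostnames) and `cdn-example.net` (many but short, low-entropy hostnames) pass. In production these features are computed per client and per time window, and the thresholds are set from a baseline of the IoT segment's normal traffic rather than hard-coded.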
I personally own several IoT devices such as a Nest Thermostat and an Amazon Alexa-enabled device. These devices are placed on a guest network (away from my NAS) with static IP addresses. These static IP addresses are then given explicit ACLs through a cloud firewall and are only allowed to communicate with servers associated with the devices (Nest, Amazon, etc.). If any of these IoT devices become compromised, they will only be allowed to connect to authorized destinations and will not be able to route to command-and-control servers.
At the time of publication, there is no evidence to suggest that the attacks were successful.