Stop the IoT attack that comes before THE ATTACK

Lori MacVittie Thumbnail
Lori MacVittie
Published July 06, 2017

Generally speaking, the use of the term “attack” has come to mean an attempt to deny service to an organization. That’s likely because the frequency and volume of DDoS attacks have had serious consequences for high-profile organizations. The resulting spate of coverage has cemented the term ‘attack’ in most minds to mean only one kind of attack: a DDoS attempt against an organization.

But there are other attacks that come before a DDoS, and it is those we need to focus on if we’re going to start addressing the growing threat arising from the legion of “thingbots” that grows as a result of ignoring them.


Every prediction today from analysts and pundits alike predicts rapid, nearly exponential growth in the number of things attached to our networks. The sensational splash of attackers exploiting a consumer-grade thing may make them seem more prolific, but the reality is that organizations are consuming IoT devices in copious amounts. And attacks on those devices are following suit. If you think about the most visible of these – road signs – and how often they’ve been ‘hacked’, you’ll quickly recognize just how proliferate “things” truly are.

Consider a recent survey noting that the average number of devices in an organization – not a home – will double in the next two years. The same survey further makes note that a mere 28% of those know where all those things are. That’s right, the majority of folks only know a portion of the devices and things connecting to the Internet in their organization. A 2016 SANS Institute survey focusing on the financial industry found much the same, with fewer than 40% claiming full visibility into devices – including IoT – and around half claiming at least partial visibility.

With F5 Labs research showing a staggering 1373% annual growth rate in attacks seeking those devices, one has to consider how we are currently approaching security for such a vast legion of would be thingbots. Because as you might recall an Arxan/IBM survey noted: “a staggering 44% admitted they aren’t doing anything to prevent an attack. Oh, they’re concerned about a breach occurring through those apps—58% fingered IoT apps and 53% mobile—but they aren’t doing anything about it.”

Now call me crazy, but it would seem that preventing the initial ‘recruiting’ attack from succeeding would be a good place to start. Generally speaking, this means hardening the management plane by locking down SSH and telnet, and then securing any web interfaces that may be present.

That’s because the primary methods of compromising these devices remains using default passwords to gain access to their command lines, or by exploiting vulnerable web interfaces. That’s the purpose behind the growth in telnet scans, after all. Attackers and compromised devices scan for other devices and attempt to gain access using known defaults and then recruit the device by infecting it, too.

iot hunting things

Paying attention to outbound traffic is important, as it may expose compromised devices as they join the legions of existing thingbots and attempt to exploit other devices outside (or inside) your network. Watching for “new” devices exhibiting unusual behavior – like excessive traffic or connection attempts – may pinpoint bad actors already in your network that need to be addressed.

According to recent research, 94% rely on a traditional network firewall to handle IoT threats. And yet many of the threats might just be originating inside your own network from already compromised devices or via web-interfaces that aren’t full secured by just a network firewall. And given the percentages of folks who don’t know where these devices are in the first place, it’s unlikely the firewall is blocking access on a destination IP basis and we know blocking by source IP isn’t very successful a tactic given the ease with which attackers change and distribute attacks.

So take advantage of a WAF to protect management interfaces as well as user-facing apps to shut down attempts to exploit common web-based vulnerabilities in interfaces that may provide attackers an easy route to compromise as well. Whether it’s a vulnerability that enables the deposit of malware or simply the means to enable access to the command line, web-based attacks against the management interface may be the fastest route to recruiting devices into the growing thingbot army.

Too, it’s unlikely to catch those recruiting attempts that may take advantage of IoT protocols like MQTT or CoAP, where payload inspection may be required. While the majority of attacks today take advantage of protocols traditionally used for management of devices (like telnet and SSH), the threat of direct attacks on devices via MQTT is already recognized. To wit, OWASP has already begun a project to help secure IoT in much the same way it promotes web security. You may want to consider an IoT gateway to secure devices from native protocol exploitation that may lead to compromise.

In a nutshell, consider the following for securing your IoT devices:

  • Change default passwords (prevention)
  • Lock down telnet / SSH access (prevention)
  • Secure web interfaces (use a WAF) (prevention)
  • Invest in an IoT gateway (prevention)
  • Monitor for unusual intra-network traffic (detection)
  • Watch for new initiators of outbound traffic (detection)

Attacks on IoT devices seems inevitable at this point. The vast legions of these devices already connected to networks (and accessible via the Internet) is simply too inviting for attackers to ignore given their well-known lack of attention to security. It’s important to prevent those in your network from becoming part of the problem, and that means detecting and preventing the attacks that come before THE ATTACK.

Because it’s going to be quite embarrassing if some day your own devices DDoS you.

SANS also has a great resource on detecting attacks against the IoT that’s totally worth the read.