BLOG

Thingbots Transforming to Attack Platforms

SHARE

This is not a drill. The threat of Thingbots is existential and growing with every connected device we install.

I have a Shetland Sheepdog that has something against my toaster. Whenever it's on, he barks and jumps at it as though it's a threat. My husband and I joke that the dog thinks the toaster is a Decepticon. Or we did until I read the latest F5 Labs report. Now I'm wondering if perhaps my dog knows something we don't.  

For years now, F5 Labs has been tracking and reporting on attacks against IoT devices. In addition to the obvious IP cameras and SOHO routers, that includes your TV, oven, refrigerator, and your Keurig coffee maker.

You read that correctly - F5 Labs has seen attack traffic coming from a Keurig coffee maker. Which makes my dog’s suspicion toward my toaster seem not as crazy as it did a moment ago, doesn't it?

The latest F5 Labs report, which covers data on global attacks against IoT devices from January through June 2018, is sobering. Not just because IoT devices continued to be attacked or even that they're vulnerable to attack, but because of the transforming taking place.

The report notes that 74% of "thingbots we know about were developed in the last two years. Thirteen thingbots have been discovered in 2018 alone, and they are no longer single- or dual-purpose bots. There has been a shift to multi-purpose attack bots for hire that deploy proxy servers."

Thingbots are being transformed into attack platforms. They're dynamic and configurable, able to launch a multitude of attacks - from crypto-jacking to packet sniffers, to DNS hijacks to credential stuffing. Attackers are not just recruiting IoT devices, they're training them up to be super-soldiers in their digital armies.

Given the ease with which attackers are able to compromise devices, this transformation is distressing. The ability to leverage a single compromised device for multiple attack types gives the 'owners' of these botnets an economic advantage. Renting out networks of compromised devices has long been a lucrative business, but the ability to diversity your portfolio is an advantage in any market.

Do not be fooled into believing this is not a market. It is, and by transforming thingbots into platforms, attackers are guaranteeing it's a growth market.

Frustrating is that we continue to fuel this market. Manufacturers and service providers do so by relying on weak default credentials that are easily discovered - or guessed. The F5 Labs report notes, "Eighty-eight percent (88%) of the credentials in the top 50 most attacked list from January 1, 2018 through June 30, 2018 have the same username as the password. This includes 'root:root,' 'admin:admin,' and 'user:user.'"

Attackers know this, and they exploit it with alarming success rates. That success is aided by consumer failure to change these default credentials.  And once attackers have control of a SOHO router, it's a simple thing to attack all the devices inside the network that may not have otherwise been accessible.

Like your coffee maker. Or perhaps my toaster.

It will be interesting to see if California's ban on default passwords - set to go into effect January 1, 2020 - will have any measurable impact. The bill requires any connected device sold in California to have a unique password at the time of manufacture or require the creation of one at the first user interaction. Given the global nature of the market, this requirement is likely to impact devices sold anywhere. But that only includes devices sold after January 1, 2020. It won't impact the devices sold now or for the next two years. By then, the global network of compromised devices may be so large that it won't be as big a help as it could have been if it – or a similar law in another state – were put in place years ago.

The latest F5 Labs report is worth the time to read to understand the grave threat thingbots represent to not just digital properties but people as well. Every aspect of our lives is being digitally transformed, and IoT is a significant contributor to that transformation. By arrogating the devices our police, fire, and medical professionals rely on, attackers can impact our health and safety. Control of the digital signage that guides and directs traffic on highways could lead to disastrous results.

The more we rely on IoT devices, the bigger the threat of their compromise becomes.

Connect with F5

F5 Labs

The latest in application threat intelligence.

DevCentral

The F5 community for discussion forums and expert articles.

F5 Newsroom

News, F5 blogs, and more.