I sat in on an interesting presentation at DefCon 2017. It was titled “The call is coming from Inside the house! Are you ready for the next evolution of DDoS attacks?” and was given by Steinthor Bjarnason of Arbor Networks.

He discussed the constantly evolving threat to our networks. It’s common practice to focus on protecting your network from unwanted outside penetration, but IoT (Internet of Things) devices pose what could be an even greater threat.

IoT devices include any internet-ready device, and their numbers have exploded in recent years. They can be anything from TVs, toasters, coffee makers, doorbells, lighting, thermostats, printers and webcams onward. You name it and some vendor has made it internet-ready. You don’t necessarily think of IoT devices behind a firewall as something that could be turned into a weapon, but that’s a very real threat.

According to Bjarnason, an estimated 95% of all IoT devices sit behind a corporate firewall. He used an iceberg as an analogy: 5% of these devices are publicly addressable (above the surface) while 95% are locally or privately addressable (below the surface).

On October 21st, 2016, Mirai created major havoc on the internet. Mirai (Japanese for “the future”) is malware that executed multiple DDoS attacks against systems run by the DNS provider Dyn. The weapon of choice was a massive volume of DNS queries against Dyn’s systems, and Mirai was able to recruit millions of IoT devices to perform these lookups. Unfortunately, the source code for malware like Mirai is published freely on hacker forums. The attack was believed to have originated with angry teenagers upset with a gaming company. Scary, huh?

Mr. Bjarnason was intrigued by a research finding that the Mirai Windows Trojan launched attacks in many different ways. This malware pushes a binary onto these devices that recruits them into a bot army. The Trojan could then initiate a scan of locally addressed devices (i.e. devices on the private network). If it were to somehow infect your corporate or home IoT devices, the results could be devastating: unrelenting outbound queries through your corporate or home routers could crush a network.

The flood of IoT devices onto the market will only make things more difficult to control. Many routers and webcams ship with default passwords that are never changed. Adding to the problem are the difficulties of remotely patching devices, which leaves them vulnerable to older, well-established exploits. Some vendors leave backdoors on their devices for patch management, and these are being exploited as well.

The Mirai incident could have been many times worse, especially if the Trojan had effectively spread to many internal networks. Network segmentation is your friend; telnet is the enemy.
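As an added illustration (my own example, not code from the talk or from Arbor Networks), the following Python script looks for the two behaviours described above in flow records from an internal network: one internal host sweeping its neighbours on the telnet ports, and the same host emitting a burst of outbound DNS queries. The private address ranges, thresholds, sample addresses and function names are all assumptions chosen for the example, and the flow records are constructed, not captured traffic.

```python
"""Flag Mirai-style behaviour in flow records from an internal network.

Two heuristics, both taken from the behaviour described in the talk:
  1. Telnet fan-out: one internal host connecting to many distinct internal
     hosts on TCP 23/2323 inside a short window (lateral scanning).
  2. Outbound DNS burst: one internal host sending an abnormal number of
     UDP/53 queries inside the window (the query flood aimed at Dyn).
Thresholds, address ranges and the sample flows are assumptions for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed private ranges; adjust to the segments actually in use.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
TELNET_PORTS = {23, 2323}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def max_count_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def max_distinct_in_window(events, window):
    """events: (timestamp, key) pairs. Largest number of distinct keys in any window."""
    events = sorted(events)
    counts = defaultdict(int)
    best = lo = 0
    for hi, (t, key) in enumerate(events):
        counts[key] += 1
        while t - events[lo][0] > window:
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect(flows, window=60, telnet_fanout=10, dns_queries=40):
    """flows: (timestamp, src_ip, dst_ip, dst_port, proto). Returns sorted alerts."""
    telnet = defaultdict(list)
    dns = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if not is_internal(src):
            continue  # only internal sources matter for "inside the house"
        if proto == "tcp" and dport in TELNET_PORTS and is_internal(dst):
            telnet[src].append((ts, dst))
        elif proto == "udp" and dport == 53:
            dns[src].append(ts)
    alerts = []
    for src, events in telnet.items():
        n = max_distinct_in_window(events, window)
        if n >= telnet_fanout:
            alerts.append((src, "telnet-scan", n))
    for src, stamps in dns.items():
        n = max_count_in_window(stamps, window)
        if n >= dns_queries:
            alerts.append((src, "dns-burst", n))
    return sorted(alerts)


def build_sample_flows():
    """Constructed sample traffic: one compromised camera, one quiet workstation,
    and an outside scanner that the detector deliberately ignores."""
    flows = []
    for i in range(1, 31):  # 192.168.1.20 sweeps 30 neighbours on telnet, one per second
        flows.append((100 + i, "192.168.1.20", f"192.168.1.{100 + i}", 23, "tcp"))
    for i in range(60):      # the same host fires 60 DNS queries in 30 seconds
        flows.append((200 + i * 0.5, "192.168.1.20", "192.0.2.53", 53, "udp"))
    flows += [(150, "192.168.1.50", "192.0.2.53", 53, "udp"),        # normal lookup
              (151, "192.168.1.50", "198.51.100.10", 443, "tcp"),   # normal HTTPS
              (300, "192.168.1.50", "192.168.1.1", 23, "tcp")]      # one admin telnet
    for i in range(20):      # external source: not an inside-the-house event
        flows.append((400 + i, "203.0.113.7", f"192.168.1.{i + 1}", 23, "tcp"))
    return flows


if __name__ == "__main__":
    for src, kind, n in detect(build_sample_flows()):
        print(f"{src}: {kind} (peak {n} in window)")
```

On the constructed sample this flags only 192.168.1.20, once for the telnet sweep and once for the DNS burst; the workstation's single telnet session and the scan arriving from outside stay below the radar, which is the point of scoping the rule to internal sources. Real NetFlow or firewall logs would need a small parser in front of `detect`, and the thresholds should be tuned against a baseline of your own segments.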

Here is a link to his presentation.