[SingCERT] Enhancing the Security of Internet-Connected Devices

Published on Wednesday, 26 October 2016 17:30

Overview

Distributed Denial of Service (DDoS) attacks happen when vulnerable internet-connected devices, such as CCTV, IP cameras, printers and Wi-Fi routers, are compromised by malware and used as bots in a DDoS attack. In one notable case last week, the attacks blocked visitors in USA from accessing popular websites, including Twitter, Spotify and Netflix.

This advisory provides information on DDoS attacks, and how members of public can protect themselves from inadvertently aiding such an attack.

What is DDoS?

DDoS is a type of cyber-attack that makes use of a network of multiple compromised internet-connected devices, commonly known as “botnet”, to overwhelm a specific server with requests or traffic, causing it to be unreachable or unavailable.

Some symptoms of a DDoS attack include:

  • Unusually slow network performance
  • Unavailability to a specific website
  • Disconnection of a wireless or wired internet connection
  • Denial of access to internet services for a long period of time

For the case in the USA on 21 October 2016, the DDoS attack targeted a Domain Name System (DNS) service provider Dyn, which resulted in websites and services being inaccessible. DNS is like the telephone directory or roadmap of the Internet, which translates URL (such as www.example.com) into an IP address.

What Has Changed?

In recent DDoS attacks, a type of malicious software (or malware) was used. This malware is known as Mirai. This new malware scans the Internet for Web-connected devices and employs a range of techniques (e.g. password cracking) to gain access and compromise the device. Once compromised, the device can be used to launch malicious activities (e.g. DDoS attacks). Devices that are vulnerable include cameras, printers and routers that are connected to the Internet, and whose owners have not changed the default passwords.

Impact

The source code for Mirai has since been released and is now available on the Internet. This raises the likelihood of more infections and more DDoS attacks, to the magnitude of what we have seen recently.

Users with vulnerable internet-connected devices could be compromised to form part of a DDoS botnet. This means that the device could become an inadvertent accomplice which add on to increase the scale of the DDoS attack.

This also means that the hacker has taken over control of the device and could now access the content of the device, including any personal or sensitive data that is within the system (e.g. peeping into CCTV/IPcam’s feeds, or access into sensitive personal photos and documents stored within).

Recommended Actions

Securing your Internet-connected devices is critical to protecting your own system. It also helps to ensure that your Internet-connected devices at home are not inadvertently part of a network of “bots” that can be activated to attack others.

SingCERT recommends taking the following steps to safeguard yourselves and in turn, the Internet:

  • Check for software updates regularly and install them: If your device, such as the Wi-Fi router, has a firmware update available, install it immediately. If you have fallen behind on operating system updates, consider activating fully automatic updates so you won’t forget again. A hole that could be patched is a hole that should be patched.
  • Turn off remote access to your Internet-connect devices like cameras and printers: Some connected devices allow others to access it from a location away from you. That may be useful for troubleshooting, but crooks will exploit that gap to enter your system or network. Check that your device allows you to block such remote access, and turn on that option.
  • Change all device passwords so you don’t have any defaults. Many devices come pre-configured with usernames and passwords such as “admin” or “password” respectively. These can easily be found by hackers and by malware like Mirai. A default password is as bad as no password, thus it is important for you to change the default password immediately.
  • Scan your own network for security holes. For advanced users, there are tools such as Nmap can help you find holes before the crooks do.

References

http://www.pcworld.com/article/3134056/hacking/an-iot-botnet-is-partly-behind-fridays-massive-ddos-attack.html
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
https://www.rt.com/viral/363778-internet-things-ddos-attack/
https://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-attacks-on-dns-providers/121475/
https://blog.radware.com/security/2016/10/fridays-massive-ddos-attack-u-s-happened/
https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/
https://nakedsecurity.sophos.com/2016/10/24/dyn-ddos-what-can-we-do-right-now-to-help-prevent-the-next-attack/