Home | Greens/EFA - IoT botnets · 2017-08-28
IoT botnets
Scale of the problem & lessons learned
Examples
• In 2016, IoT botnets caused several DDoS attacks exceeding 100 Gbps:
  • Russian banking system: In Nov 2016, over two days, five of Russia’s major banks suffered a massive DDoS attack from a botnet with more than 24,000 bots.
  • Dyn (US DNS provider): On Oct 21, 2016 up to 100,000 compromised DVRs, video cameras, and other embedded systems attacked Dyn.
  • Blog of Brian Krebs: On Sep 20, 2016 the web blog of a cybersecurity journalist was hit with a DoS, with peak traffic at around 620 Gbps.
  • The US candidates’ campaign websites: During the US election campaign, both candidates were targeted with 30-second attacks.
  • OVH (French cloud computing company): On Sep 20, the hosting provider OVH was targeted with a distributed 1.2 Tbps attack. 152,000 infected IoT devices were used to launch the largest DDoS attack campaign ever recorded.
  • Rio Olympic Games: During August 2016, multiple DDoS campaigns against the servers hosting data about the 2016 Olympic Games were carried out for several months, peaking at 540 Gbps.
June 7, 2017 [email protected] @privacy__ninja
Problems of IoT devices
• Hardcoded passwords / default backdoor accounts
• Weak authentication
• Unsecured ports
• Old and low quality software
• Patchability / Frequency of patches
• Scalability of attacks due to easy discoverability and homogeneity of IoT devices
• No financial incentive to make products more secure; cheap and competitive market
Malware behavior
• Most common: Mirai & Bashlite
• Scan-and-spread worms
• Each bot is remotely controllable when and when not to scan, as opposed to continuous scans of past worms (-> difficult to measure size of botnet)
• Targets default or easy-to-guess credentials
Cause of Vulnerability
• Default logins / weak credentials
  • Vast majority of IoT malware does not actually exploit a software vulnerability, but abuses weak default login credentials to compromise devices
  • Vast majority of bots spread via Telnet on port 23
• Homogeneity
  • This ease of abuse allows dozens of less-experienced adversaries to jump on the bandwagon
• Lifespan
  • Low-profit products with lifespan of several years, no easy way to patch vulnerabilities
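Because these bots spread over Telnet and scan only when told to, a network operator can look for short bursts of outbound port-23 connections from a local device rather than for continuous scanning. The sketch below is an added example, not part of the original slides; the log format, the `LOCAL_NET` range and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records "time src dst dst_port" (documentation addresses, not real traffic).
SAMPLE_FLOWS = """\
2017-06-07T10:00:01 192.168.1.50 198.51.100.7 23
2017-06-07T10:00:02 192.168.1.50 198.51.100.8 23
2017-06-07T10:00:04 192.168.1.50 203.0.113.15 23
2017-06-07T10:00:05 192.168.1.20 203.0.113.80 443
2017-06-07T10:00:07 192.168.1.50 203.0.113.16 23
2017-06-07T10:00:09 192.168.1.50 198.51.100.99 23
2017-06-07T10:00:12 192.168.1.50 203.0.113.200 23
2017-06-07T10:05:00 192.168.1.10 192.168.1.1 23
2017-06-07T10:06:00 192.168.1.20 198.51.100.7 23
2017-06-07T11:30:00 192.168.1.50 203.0.113.15 23
"""

LOCAL_NET = ip_network("192.168.1.0/24")  # assumed monitored LAN


def find_telnet_scanners(flow_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {local_ip: peak count of distinct external Telnet targets in one window}
    for every local host whose peak reaches min_targets."""
    events = defaultdict(list)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "23":
            continue  # malformed record or not Telnet
        ts, src, dst, _ = parts
        # Only local sources talking to external destinations are of interest.
        if ip_address(src) not in LOCAL_NET or ip_address(dst) in LOCAL_NET:
            continue
        events[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_FLOWS))
```

The host at 192.168.1.50 is flagged for its burst even though it is silent afterwards; local Telnet administration (192.168.1.10) and a single outbound Telnet session (192.168.1.20) are not.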
Scale
• We’ve just seen the tip of the iceberg
• Between 1.2 and 2 million infected devices
• Botnet upstream bandwidth between 1 and 3 Tbps
• Mostly simple DDoS attacks
• At least 760 different devices affected by IoT malware Mirai & Bashlite
Origin of bots
[Figure: origin of bots by country; axis scale 100k to 800k. Share per country:]
VNM 12.89%
IND 12.29%
IRN 11.18%
BRA 10.74%
CHN 5.59%
RUS 4.14%
THA 2.79%
PAK 2.67%
MEX 2.65%
TUR 2.53%
GBR 2.25%
CRI 2.22%
IDN 2.13%
KOR 1.81%
ARG 1.78%
USA 1.62%
LBY 1.47%
COL 1.30%
TWN 1.26%
ITA 1.01%
Outlook
• IoT malware still in its infancy
• Malware will become more sophisticated as security measures get better
• More types of attacks
  • ransomware, bitcoin mining, spam, click fraud, and social media bots
• Not limited by IoT OS
• IPv6
  • May improve security by making it more difficult for attackers to scan and find vulnerable IoT devices, even for search services such as Shodan
Security lessons
• IoT security repeating the same evolution as Personal Computer security
• Botnets keep growing at a fast pace
• Devices must have and enforce secure credentials, no default login
• Regular security updates by manufacturer important, but incentive to install is necessary (e.g. auto updates)
• Many more sophisticated security measures (e.g. code randomization) are not suited for IoT
Regulatory challenge
• Customer protection options
  • Vendor liability towards customers to provide security updates for two years (notice & patch); no unpatchable systems
  • Shift of liability if customers choose to not update their systems (similar to product recall)
  • Collective action clauses
• Domestic fix to an international problem
  • Only relevant for devices sold in the EU
  • Little impact for protection from botnet attacks in the EU
➢ Initialise & support sector specific security standards and certification
➢ International agreements necessary
CISPA | Center for IT-Security, Privacy and Accountability | 20/06/2017