Sloppiness Beats Malicious Behavior

Still, my concerns became mainly about state-sponsored espionage or terrorism, through back doors and dormant malware lurking inside the devices. What I didn’t expect is that the Fifth Column could be hijacked by other players, raising the threat exponentially, thanks to the vast numbers of network-attached devices that enable the IoT. What’s more, that Fifth Column has become a threat not only due to maliciousness in the design of those IoT products, but also careless. Sloppy programming. And a lack of thorough testing.

Case in point: On October 21, 2016, numerous high-profile websites such as Twitter, Spotify, Amazon and WhatsApp, were hit with a serious (and successful) Distributed Denial of Service (DDoS) attack. Who was behind the attack? Nobody is sure, at least as far has been publicly disclosed – it might have been state-sponsored actors, or it might have been ordinary hackers demonstrating their tech prowess. The attack vector, however, was a nasty piece of malware called Mirai, which apparently works by continuously scanning the Internet for IoT devices with factory default administrative passwords.

Once Mirai finds those devices, attackers can then attempt to take over those devices and alter their firmware to turn them into botnet zombies able to do, well, just about anything. In this case, Mirai captured over 100,000 webcams, digital video recorders (DVRs) and other low-intelligence devices and turned them into DDoS attackers, all targeting Dyn, a DNS server based in New Hampshire.

Mirai wasn’t able to take over webcams and DVRs because the manufacturer of those devices inserted a back door at the behest of a government’s spy agency. Instead, the manufacturer of the device circuit boards and firmware, Hangzhou Xiongmai Technology, was simply careless in not requiring customers to change default passwords, thus enabling Mirai’s botnets. Xiongmai is the OEM for cameras and DVRs sold by many other companies; I’d never even heard of them prior to this. And thanks to them, and to other careless manufacturers, the IoT can be turned against us… by anyone with access to the Mirai source code. Oh, did I mention that the Mirai source code is freely available on the Internet?

But, let’s not be too hard on poor Xiongmai. Other IoT devices have been proven to be hackable – and once such hacks are discovered, they can be weaponized and packaged for use by any motivated script kiddie, whether it’s a state actor, disgruntled hacker or for-profit criminal gang.

In a disturbing paper called “IoT Goes Nuclear: Creating a ZigBee Chain Reaction,” four researchers show how to create a Fifth Column using nothing more than Internet-connected light bulbs. Here’s how they start:

Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform.

The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.

Watch their videos…. the Cambridge Five would be envious of their mischief. For now… I’m unplugging my Internet-connected light bulbs. Perhaps you should too.