The Internet of Things (IoT) could, very soon, become even more of a land of opportunity for hackers. That is the argument made and supported in new research undertaken by Lassonde School of Engineering Professor Natalija Vlajic and her undergraduate student Daiwai Zhou, and published in IEEE Computer magazine’s special 2018 issue on cybertrust.
The researchers discovered how botnets composed exclusively of IoT devices could make distributed denial-of-service (DDoS) attacks much easier for cybercriminals. Webcams with little to no firewall protection are vulnerable, the researchers emphasize.
The stakes are high. DDoS attacks are considered one of the most serious threats to the operation of individual organizations and businesses, as well as to the stability of the entire internet. Vlajic presses for action against the tsunami of IoT-based DDoS attacks anticipated to arrive in the coming years.
Vlajic sits down with Brainstorm to discuss this research, which was funded by the Natural Sciences & Engineering Research Council of Canada, and the implications and possible impact of its findings. She brings to the table vast knowledge of IoT, computer security, user privacy, machine learning, data mining, sensor networks and mobile communications.
Q: What were the objectives of this research? What motivated you to investigate this, and why now?
A: Any research on any malware and device vulnerability is always current because there’s always new malware coming, and new vulnerabilities being discovered and exploited by hackers. It’s like a cat-and-mouse game. The more defences we have, the more the hackers press to build even stronger malware. Cybersecurity research will always be current.
What motivated us was the kind of attack called denial of service (DDoS), where there’s a bunch of compromised devices (“bots”) under the control of the hacker and being instructed to send a great deal of traffic, an avalanche, to jam the bandwidth.
The biggest DDoS attack occurred in 2016. Here, the rate of traffic surpassed one terabyte per second, which is huge. And this time, unlike in the past, the compromised devices were not the traditional desktops, laptops and mobile devices, which have antiviruses installed, firewalls and infrastructure to protect them. Instead, the 2016 attack was conducted by means of IoT devices – meaning, any device that’s not your typical device, such as a laptop, intended for direct human use. IoT devices run in the background and indirectly collect information. A webcam or a digital video recorder (DVR) are good examples. Importantly, these devices don’t have enough defence mechanisms like a laptop would, for example, because they’re too young. They’re really a sweet target for hackers.
Q: How did you undertake this research?
A: This research was conducted from our own computers – mine and a few students’. We stress-tested IoT devices in two phases. In phase one, we looked at IP (Internet Protocol) cameras and IoT devices of interest. In phase two, we repeated the phase one devices but expanded to IP or webcams and DVRs. We focused on webcams and DVRs because these constituted 80 to 90 per cent of the devices that were compromised and deployed in the 2016 Mirai attack. We were looking at their general deployment characteristics and whether they can be used as an indirect aid to hackers in an attack.
Each phase was eight weeks of continuous traffic probation of these devices. One phase was in the fall of 2017; the other was in winter and spring 2018.
Q: What were the key findings?
A: We found that there are IoT search engines, similar to Google, which provide IP addresses and how to access them. These search engines are free, in most cases, and available to anyone. This means that any hacker who knows a vulnerability in any type of camera will no longer have to snoop around or do reconnaissance. This search engine, in a matter of milliseconds, gives the IP addresses of these vulnerable devices. Hackers now bypass a few key, time-consuming steps.
For example, if I have a webcam monitoring my house on a public IP address from Rogers, then it could be easily accessed by hackers. In our study, we found this to be the case 60 per cent of the time. These devices are evidently operating without any protection, no firewall.
Q: What kind of impact could this have on businesses, individuals, globally?
A: This could be dangerous for all of us. Any hackers – politically or economically motivated – could reach these devices and use them to attack hospitals, water systems, a university or individual. We should all be really concerned.
Finding these vulnerable devices, which could be used by anyone for any purpose, should be paramount for all of us. Cybersecurity affects everyone.
Q: What would you recommend to fix this problem? What parties should play an active role in prevention?
A: Manufacturers of these IoT devices need to make sure that they have defences built into the devices, to make them safe. The government should introduce policies to make sure that these devices are tested for all known vulnerabilities before being put into the market, and the devices have mechanisms for easy patching. Also, end users should employ due diligence to make sure that their device is not abused against them or someone else.
By Megan Mueller, senior manager, research communications, Office of the Vice-President Research & Innovation, York University