Connected devices make our lives easier but are now turning against us. Zombie-IoT has been walking around the Internet lately. Before delving deeper into its meaning, let’s look at the origin of the word zombie. Apparently, in 1871 in the west of Africa, the words “Kikongo zumbi”, meaning fetish, and “Kimbundu nzambi”, meaning something like God, were found. Originally the name of a snake god, the word zombie later got its meaning “reanimated corpse” in a voodoo cult.
Since a zombie is a so-called will-less person, usually used for some evil purpose, zombie-IoT is easily explained. If we can turn a piece of IoT hardware into a device controlled by something else (without it or its surroundings initially knowing it) and use it for something malicious, we have a zombie-IoT device. If we then let the “zombie-IoT virus” spread, zombie-IoT is born.
There have been lots of examples of this lately. Look at Hajime, Mirai, and BrickerBot and we see a common denominator: they are all botnets infecting IoT devices, waiting to come “alive”.
- Mirai is an IoT-based botnet created using malware and was the reason Dyn’s servers went down at the end of 2016. This big DDoS attack caused big organizations like Twitter and Netflix to go down.
- Hajime means “beginning” in Japanese. It is an IoT worm that builds a P2P botnet from IoT devices. It does this by exploiting several common security gaps that exist in IoT devices like smart thermostats and dishwashers.
To understand the possible scale, let’s look at the numbers. According to Gartner, there were close to five billion IoT devices on the market (including the automotive industry) by the end of 2015. If the same estimates are correct, in 2020 this figure will grow to over 25 billion.
This problem could get worse if everything stays the same. A shift towards security is needed in the IoT field at all levels:
- Producers need to build their software and hardware with security in mind.
- Regulators have to put proper constraints in place to enforce higher standards.
A great example of how quick infection is and how fast your IoT device can be compromised is found in the JideTech camera. Security researcher Rob Graham decided to see just how much security he could expect from a newly purchased JideTech camera.
He set up the camera to isolate it from the rest of his home network, just in case the worst happened.
It turns out he had good reason to be concerned, though the speed at which this new camera became a problem was shocking even to him.
Less than two minutes – just 98 seconds – after he plugged it in, it was compromised, infected with the Mirai malware that’s been turning IoT devices into botnet zombies to attack internet services.
You can follow the outline of his experience on Twitter (@ErrataRob), where he posted a play-by-play as he watched his new camera become infected.
Zombie-IoT is all around us. It is like a new non-functional quality attribute, and you need to cover it in the test strategies you will write tomorrow. Think about Zombie-IoT when designing new IoT solutions and mitigate the possibility of attacks up front. There are specific mitigations for the different bots that carry out the attacks. Take BrickerBot, for example. The firm said it provides five solutions to avoid a BrickerBot attack:
- Change the device’s factory default credentials.
- Disable Telnet access to the device.
- Network Behavioral Analysis can detect anomalies in traffic and can be combined with automatic signature generation for protection.
- User/Entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
- An IPS should block Telnet default credentials or reset Telnet connections.
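As an added illustration of the traffic-anomaly idea in the list above (not code from the firm or from any product), the sketch below flags a device that contacts many distinct hosts on the Telnet ports 23 and 2323 in a short time, which is how Mirai-style bots look for new victims. The log format, addresses, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}  # ports Mirai-style scanners probe

# Constructed sample flow records: "ISO-time src dst dport" (assumed format)
SAMPLE_FLOWS = """\
2016-11-18T10:00:01 192.168.50.20 203.0.113.5 23
2016-11-18T10:00:02 192.168.50.20 203.0.113.9 2323
2016-11-18T10:00:03 192.168.50.20 198.51.100.7 23
2016-11-18T10:00:04 192.168.50.20 198.51.100.44 23
2016-11-18T10:00:05 192.168.50.20 203.0.113.77 23
2016-11-18T10:00:06 192.168.50.31 203.0.113.5 443
2016-11-18T10:05:00 192.168.50.40 192.168.50.1 23
2016-11-18T10:45:00 192.168.50.40 192.168.50.1 23
malformed line
"""

def parse_flow(line):
    """Return (time, src, dst, dport) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def telnet_fanout(lines, window=timedelta(seconds=60), min_targets=5):
    """Flag sources that contact >= min_targets distinct hosts on Telnet
    ports within any sliding window; returns {src: peak distinct targets}."""
    events = defaultdict(list)
    for when, src, dst, dport in filter(None, map(parse_flow, lines)):
        if dport in TELNET_PORTS:
            events[src].append((when, dst))
    flagged = {}
    for src, seen in events.items():
        seen.sort()
        start, peak = 0, 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # drop events that fell out of the window
            peak = max(peak, len({dst for _, dst in seen[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(telnet_fanout(SAMPLE_FLOWS.splitlines()))
```

A device that only talks Telnet to one host, like 192.168.50.40 in the sample, stays below the threshold; tune the window and threshold to your own network's baseline.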
And let’s not forget about end users. Even you as a home user can contribute to the solution, in multiple ways:
- The first step would be to buy quality IoT devices that are up to current security standards, and to avoid cheap substitutes that are being built without a focus on this aspect.
- You can also run tests to find vulnerabilities in your hardware – such as default factory passwords or out-of-date software (firmware) – and change or patch them.
- Carefully set up IoT devices that you already have back home, such as your router. You can find advice on how to do this in one of our recent articles focussing on attacks in Brazil.
Zombie-IoT makes for great reading material. I’ll leave you with a couple of great reads to ponder your survival of the Zombie apocalypse:
- Internet of Things gets its zombie apocalypse, and this is just the beginning (http://mashable.com/2016/10/22/internet-of-things-future-security/#8nokFN6qUqqw)
- The IoT zombies are already at your front door (https://iapp.org/news/a/how-poorly-secured-iot-devices-can-take-down-your-website/)
- Trick or threat? How zombie IoT devices surprised the internet (https://www.welivesecurity.com
- The Day the Toaster Turned – an IoT Apocalypse (https://www.linkedin.com/pulse/day-toaster-turned-iot-apocalypse-amanda-price)
About Tom Van de Ven
Tom van de Ven has been active in the field of High Tech testing for 15 years. As a High Tech test expert, he is a frequently asked sparring partner for Sogeti High Tech customers with regard to starting/professionalizing test projects. Besides a multitude of test assignments (e.g. in the fields of healthcare, semiconductors, agriculture and automotive), he is an active member of the Sogeti High Tech Test Competence Centre and a speaker at High Tech seminars. Tom uses his experience in a role as a coach for (starting) High Tech test engineers and is constantly looking for improvements in High Tech test methodologies. He is the author of the book that combines Internet of Things and TMap: IoTMap!!!. He also teaches and develops several testing courses in the embedded and high tech domain. If not teaching, testing a tunnel or promoting “Quick Tech Testing”, you can find him setting up a high tech test automation framework for the odd customer.