A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:
When Apple unveiled the iPhone X, it catapulted artificial intelligence and machine learning into the limelight. Facial recognition became a mainstream reality for those who can afford it. A few months later, Vietnamese cyber security firm Bkav claimed it was able to bypass the iPhone X’s Face ID using a relatively inexpensive $150 mask. The claim is still up in the air and while it has not been accepted to its full extent, no one was actually able to refute the claim based on scientific facts.
It’s difficult to have missed the headlines on the new IoT botnet threat that is forming and the storm that might come with it. Why is the world under the spell of this new threat? What makes it different from Mirai? Why could it potentially become the most threatening botnet ever seen?
To read Part 1 of the series, click here.
To read Part 2 of the series, click here.
Blockchain in the IoT world
A blockchain implementation in the IoT world is probably not best served by a public blockchain based on Proof of Work. The inefficient consumption, not to say waste, of energy to generate Proof of Work is pretty much orthogonal with the premise of IoT devices, which have to consume less energy and are in some cases battery powered. POW comes at a severe cost and it does not add much value to the use case of a distributed ledger used within a consortium of partners. Hence the implementation based on Proof of Stake provides a better starting point for any attempt to chainify an IoT ecosystem where a consortium of partners is adopting a new business application. The security would then be based on a limited number of centralized nodes or cloud servers and by design it does not rely on independence of central trust as do the public cryptocurrencies. Most blockchain use cases I came across start from the assumption that there is a set of parties or a consortium of partners that have a common interest in a specific ledger, and while it might serve the larger public in terms of better quality and faster service, the consumer is not directly concerned with or interested in the ledger itself, only the parties who provide the service and rely on the ledger for remuneration will be.
To view Part 1 of this blog series, click here.
Circling back to our main interest, the world of the IoT. In order to create a blockchain shared between autonomous devices that fulfills the security properties required to ensure operation of the ecosystem, the ‘good’ devices need to accumulate a minimum 51% share of the compute power in the system. To put this requirement in perspective, consider a Raspberry PI version 3, which represents a fairly well equipped IoT device in terms of memory, storage capacity and CPU power – know that most of the current IoT devices are far behind in terms of their computing capabilities. A RPi3 is able to generate about 10 hashes per second for the Ethereum POW. Your kid’s gaming rig, equipped with an Nvidia GTX1070 GPU, is able to perform this task at a rate of 25.1 million hashes per second. Meaning that in general, to have the same probability of completing the Proof of Work before any hacker with a modern day PC, the system needs to be composed of at least 2.5 million RPi3 devices. Or to put it differently, any IoT system using the same distributed trustless consensus paradigm used by Bitcoin needs to be larger than 2.5 million devices before it could be deemed secure from DoS and reverse attacks by individuals. This is not even taking into account government-sponsored or organized crime hackers as they have access to far more powerful systems, or people who have purposefully built hardware based on FPGAs typically used to efficiently mine Bitcoins.
Cryptocurrencies allow people to move money the same way they move information on the internet. As of June 25, 2017 more than 900 different cryptocurrencies are being traded. As of July 2017, the most popular and alpha cryptocurrency, the Bitcoin (BTC), has a market cap of over $40 billion USD and trades with daily volumes averaging $1 billion with peaks up to $2 billion per 24h. Blockchain, the foundational technology behind all cryptocurrencies, is not an easy-to-understand technology as it is a weird combination of cryptography, distributed systems, economics, game theory, some graph technology, and politics. The most common reason for the existence of the many different blockchains for cryptocurrency are ethically dubious money-making schemes. Most investors and consumers are incapable of evaluating the blockchain technology details and convinced themselves that blockchains will make them loads of money and/or make the internet secure and/or overthrow the government. Besides providing real opportunities for cyber criminals and high risk traders, the blockchain has sparked the interest of many industries, IoT being one of them. As the era of IoT is upon us and the number of IoT devices and size of IoT ecosystems is growing exponentially, blockchain is tipped as one of the technologies that will fuel the future of IoT.
After the Dyn attack by Mirai in October 2016, we knew we were facing an infliction point which would reshape the DDoS threat landscape for the coming months or years. The Internet of Things (IoT) would become an important part of that new landscape. After the attack, the inadequate security state of IoT and the unsophisticated nature of the botnets exploiting IoT devices such as IP cameras, DVRs and routers became apparent and the center of attention of many security researchers and reporters. IoT became the playground for many new bots and slowly turned into a battleground where bad bots, white-hat bots and vigilante bots are battling for ever-growing numbers of poorly designed and insecure devices.
BrickerBot uses a network of globally distributed devices that are passively detecting exploit attempts from devices infected with IoT bots such as Mirai and Hajime. BrickerBot reacts to an exploit attempt by scanning the source of the exploit for a set number of ports, trying to secure the device (assumption based on Janit0r statements) and if not able to, ultimately attempting to brick the device using exactly 90 brick sequences over the telnet session.
As long as IoT devices stay clean from any of the known IoT bots, there is no reason to fear the BrickerBot. While Hajime might have the best of intentions and is trying to proactively protect IoT devices from known malicious bots, it inadvertently will trigger the wrath of BrickerBot.
A glimpse into the future of IoT Botnets
On Oct 16th, Sam Edwards and Ioannis Profetis from Rapidity Networks published a report on a new malware they discovered and named “Hajime.” The report came in the aftermath of the release of the Mirai source code and Mirai’s attacks on Krebs and OVH. Before Hajime was able to make headlines, Mirai was attributed to the attacks that took down Dyn on Oct 21st and lead to a large array of Fortune 500 companies such as Amazon, Netflix, Twitter, CNN, and Spotify being unreachable most of that day. Hajime evaded the attention but kept growing steadily and breeding in silence.
In early April, we identified a new botnet designed to comprise IoT devices and corrupt their storage. Over a four-day period, our honeypots recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage. Besides this intense, short-lived bot (BrickerBot.1), our honeypots recorded attempts from a second, very similar bot (BrickerBot.2) which started PDoS attempts on the same date – both bots were discovered less than one hour apart –with lower intensity but more thorough and its location(s) concealed by TOR egress nodes.