Annual IoT Security Report 2019-2

November 9, 2020 | Adeline Zhang
IoT botnets

Extensive Power Outages in Venezuela and New York

Starting on the evening of March 7, 2019, a blackout left most of Venezuela, including the capital Caracas, without power for more than 24 hours [1]. The Venezuelan government attributed the outage to a cyberattack; that claim was never independently substantiated, and independent analysts attributed it to failures in the country's transmission system. Because of the outage, the Caracas subway came to a halt, causing massive traffic jams. Schools, hospitals, factories, and airports were all badly affected, and even mobile phones and networks did not work properly.

Just four months later, at 18:47 on July 13, 2019, a large-scale blackout hit Manhattan from Midtown to the Upper West Side, leaving Times Square, subway stations, cinemas, and Broadway in the dark [2]. At its peak the outage cut power to about 73,000 customers. At a press conference, New York City Mayor Bill de Blasio said the blackout was caused by a transformer fire. Although it was not a malicious cyberattack, the incident is a reminder of how fragile critical infrastructure can be.

Following the attacks on Ukraine's power grid, extensive outages have now occurred in Venezuela and New York. Whatever their individual causes, these incidents make the point that electric power systems, as national critical infrastructure, matter not only to people's wellbeing but also to national security, and they expose the security hazards of traditional industrial control systems (ICSs) connected to the Internet. They also show that critical infrastructure and information systems built on the IoT and the industrial Internet have become another battlefield between hostile states, alongside sea, land, air, and space. Safeguarding national security therefore requires upgrading defense and emergency response capabilities without delay.

D-Link Routers Affected by a Remote Code Execution Vulnerability That Will Not Be Fixed

In September 2019, FortiGuard Labs, the research arm of the cybersecurity company Fortinet, discovered an unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2019-16920, in a wide range of D-Link products, including but not limited to the DIR-655C, DIR-866L, DIR-652, and DHP-1565 [3]. FortiGuard Labs reported the vulnerability to D-Link on September 22, 2019. D-Link confirmed it the next day, and on September 25, 2019 stated that these products had reached end of life (EOL) and would therefore receive no patches. On October 3, 2019, the vendor disclosed the vulnerability publicly and released a security bulletin. On November 19, 2019, D-Link followed with a public relations (PR) statement listing the DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L, and DIR-862 as potentially affected, while reiterating that, as EOL products, they would receive no further support or development.

IoT devices usually have a long lifecycle, which is why so many EOL devices, for which vendors no longer provide software updates, remain on the Internet. Without updates, vulnerabilities are never fixed, and once such a device is exposed it stands a good chance of being turned into a bot for DDoS and other attacks. That IoT botnets keep emerging wave after wave, and IoT incidents keep occurring, has everything to do with this large population of legacy devices, which poses a severe challenge to IoT security.

IoT Botnets Responsible Again for Massive DDoS Attacks

On July 24, 2019, the cybersecurity company Imperva reported that one of its CDN customers in the entertainment industry had been hit by a massive DDoS attack between April and May 2019 [5]. The attack targeted the websites' authentication component and was carried out by a botnet coordinating 402,000 distinct IP addresses; it lasted 13 days and peaked at 292,000 requests per second (RPS), along with a reported packet rate of 500 million packets per second. This was the largest application-layer DDoS attack Imperva had observed. According to Imperva's analysis, the attack sources were associated with IoT devices.
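The attack above is a layer-7 flood against login endpoints, and the two numbers that characterise it are the request rate and the number of distinct sources behind it. The following detector is an added example, not code from the NSFOCUS report or from Imperva: it buckets requests to authentication paths per second and labels a burst as distributed (botnet-like) or single-source. The log lines are constructed sample data in Combined Log Format, and the thresholds and watched paths are assumptions.

```python
"""Layer-7 flood detection over web access logs.

Added example, not code from the NSFOCUS report or from Imperva: it buckets
requests to login endpoints per second and separates a distributed flood
(many source IPs) from a single-source burst. Log lines are constructed
sample data in Combined Log Format; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed thresholds for the example; a real deployment derives them from
# the site's baseline rate for these endpoints.
RPS_THRESHOLD = 5          # requests per second on watched paths before alerting
MIN_DISTINCT_SOURCES = 4   # at/above this many IPs in one second: treat as distributed
WATCHED_PATHS = ("/login", "/api/auth")   # hypothetical authentication endpoints


def parse_line(line):
    """Return a dict with ip, path, status and a second-resolution datetime,
    or None for a line that is not a well-formed access-log record."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines):
    """Bucket watched-path requests per second and return one alert per second
    whose request count reaches RPS_THRESHOLD. Each alert records the rate,
    the number of distinct source IPs, and whether the burst is distributed."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PATHS):
            continue   # malformed line or a path we do not watch
        b = buckets[rec["time"]]
        b["count"] += 1
        b["ips"].add(rec["ip"])
    alerts = []
    for second in sorted(buckets):
        b = buckets[second]
        if b["count"] >= RPS_THRESHOLD:
            alerts.append({
                "second": second,
                "rps": b["count"],
                "sources": len(b["ips"]),
                "kind": "distributed" if len(b["ips"]) >= MIN_DISTINCT_SOURCES
                        else "single-source",
            })
    return alerts


# Constructed sample log: two quiet seconds, one second with six different
# sources hitting /login, one second with five hits from a single IP, and
# one malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2019:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Apr/2019:10:15:30 +0000] "POST /login HTTP/1.1" 200 128',
    '198.51.100.7 - - [24/Apr/2019:10:15:31 +0000] "POST /login HTTP/1.1" 401 64',
] + [
    f'192.0.2.{i} - - [24/Apr/2019:10:15:32 +0000] "POST /login HTTP/1.1" 401 64'
    for i in range(10, 16)
] + [
    '198.51.100.9 - - [24/Apr/2019:10:15:33 +0000] "POST /api/auth HTTP/1.1" 401 64'
] * 5 + [
    "not a log line",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a["second"].strftime("%H:%M:%S")} {a["kind"]:14} '
              f'rps={a["rps"]} sources={a["sources"]}')
```

Running the block prints one line per alerting second: 10:15:32 is flagged as distributed (six requests from six addresses), 10:15:33 as single-source (five requests from one address). The distinction matters operationally: a single-source burst is handled by per-IP rate limiting, whereas a distributed flood of the kind Imperva described needs mitigation at the edge, since no individual source exceeds a per-IP limit.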

Since the source code of Mirai was leaked in 2016, many Mirai variants have been written that add exploits for newly disclosed CVEs to their arsenal for faster propagation, and many other IoT botnets have appeared. We believe this is linked to the following facts:

  • IoT devices are numerous and widely distributed, which makes them ideal bots for DDoS attacks.
  • IoT devices usually have a long lifecycle and require little human interaction, so once compromised they remain bots for a long time, because the infection is hard to detect and remove.
  • Unlike desktop computers or servers, IoT devices usually run without any protection such as antivirus software, so they are easy to compromise.

These factors have gradually made IoT devices a dominant force in DDoS attacks. Defeating IoT botnet families like Mirai requires security vendors, device vendors, telecom carriers, and users to work together.

Leaked Code Exposing Multiple Vulnerabilities in Boeing 787

At Black Hat USA 2019 [6], a researcher from IOActive disclosed multiple vulnerabilities in certain components of the Boeing 787 and claimed that they could be exploited to send malicious commands to other safety-critical systems on the aircraft, potentially damaging it. Boeing disputed the claim, stating that the scenarios could not affect critical airplane systems, so the operational impact remains contested. The analysis was based on Boeing 787 code that a security researcher found in 2018 on an unhardened, publicly reachable server on a Boeing network.

As early as 2015, a security researcher on board a United Airlines flight attempted to penetrate the aircraft's in-flight systems [7]. Using a custom adapter, the researcher connected to the in-flight entertainment system and claimed to have reached the flight management system from there. The subsequent investigation did not establish that the researcher hijacked or tampered with the flight management system, but the incident showed that in-flight systems are a reachable attack surface.

A large proportion of IoT system and application developers lack secure coding experience, and many IoT products go through neither code audits nor security testing. This also explains why IoT security issues keep emerging and IoT devices remain poorly protected.

Embedded devices differ from PCs and smartphones in system architecture and are more vulnerable because they lack both protective software and the vulnerability mitigations (such as stack protection and address space layout randomization) that desktop platforms take for granted. A minor vulnerability can cripple the entire system. Like other IoT devices, in-flight information and automation systems can be attacked, and an aircraft under an attacker's control could have disastrous consequences. These systems therefore demand particular caution.

The lesson of this incident is that developers should keep good programming habits and secure coding in mind during development. At the compilation stage, the available protections must be enabled to minimize the risk posed by any vulnerabilities that remain. From a maintenance perspective, deploying protections at different nodes of a system, so as to achieve defense in depth, can effectively limit the damage caused by the compromise of a single node.
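The secure-coding and compile-time points above are concrete in C, which is what most embedded message handlers are written in. The block below is an added example, not code from the NSFOCUS report, Boeing, or IOActive: it shows a fixed-size command buffer filled from a length-prefixed frame, first in the unchecked form that trusts the length byte off the wire and then in a bounded form that validates every length before copying. The frame format, the buffer size CMD_MAX, and the sample frames are assumptions made for the illustration; the compiler flags in the header comment are the standard GCC/Clang hardening options the text refers to.

```c
/* Fixed-size command buffer in an embedded message handler, shown unchecked
 * and then bounded. Added example, not code from the NSFOCUS report, Boeing,
 * or IOActive; the frame format (one length byte, then that many payload
 * bytes), CMD_MAX and the sample frames are assumptions for the illustration.
 *
 * Compile-time protections the text refers to, as GCC/Clang flags:
 *   -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie
 *   -Wl,-z,relro,-z,now -Wall -Wformat -Werror=format-security
 * They raise the cost of exploiting a bug like the one below; they do not
 * remove the need for the bounds check. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CMD_MAX 16   /* assumed size of the handler's command buffer */

/* Unchecked form: trusts the length byte taken off the wire. A frame whose
 * length byte is >= CMD_MAX overflows out[]; one whose length byte exceeds
 * the bytes actually received reads past the end of buf[]. */
int parse_frame_unchecked(const unsigned char *buf, char out[CMD_MAX])
{
    size_t len = buf[0];
    memcpy(out, buf + 1, len);      /* no comparison against CMD_MAX or the received size */
    out[len] = '\0';
    return (int)len;
}

/* Bounded form: every length involved is validated before any copy, and a
 * bad frame is rejected with a distinct error code rather than truncated. */
int parse_frame_checked(const unsigned char *buf, size_t buf_len,
                        char *out, size_t out_len)
{
    if (buf == NULL || out == NULL || buf_len < 1 || out_len < 1)
        return -1;                  /* nothing usable was supplied */
    size_t len = buf[0];
    if (len > buf_len - 1)
        return -2;                  /* frame claims more payload than arrived */
    if (len >= out_len)
        return -3;                  /* payload plus terminator would not fit */
    memcpy(out, buf + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample frames. */
static const unsigned char FRAME_OK[]        = { 5, 'L','I','G','H','T' };
static const unsigned char FRAME_TRUNCATED[] = { 9, 'L','I','G' };   /* claims 9 bytes, carries 3 */
static const unsigned char FRAME_OVERSIZE[]  = { 20, 'A','A','A','A','A','A','A','A','A','A',
                                                     'A','A','A','A','A','A','A','A','A','A' };

/* Small wrappers so each outcome can be checked without ever running the
 * unchecked parser on a hostile frame. */
int demo_ok(void)
{
    char out[CMD_MAX];
    return parse_frame_checked(FRAME_OK, sizeof FRAME_OK, out, sizeof out);
}
int demo_truncated(void)
{
    char out[CMD_MAX];
    return parse_frame_checked(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED, out, sizeof out);
}
int demo_oversize(void)
{
    char out[CMD_MAX];
    return parse_frame_checked(FRAME_OVERSIZE, sizeof FRAME_OVERSIZE, out, sizeof out);
}
int demo_unchecked_ok(void)
{
    char out[CMD_MAX];
    return parse_frame_unchecked(FRAME_OK, out);   /* benign input: both parsers agree */
}

int main(void)
{
    printf("valid frame:     %d\n", demo_ok());          /* 5 */
    printf("truncated frame: %d\n", demo_truncated());   /* -2 */
    printf("oversize frame:  %d\n", demo_oversize());    /* -3 */
    /* parse_frame_unchecked(FRAME_OVERSIZE, out) would write 20 bytes into a
     * 16-byte stack buffer; built with -fstack-protector-strong the process
     * aborts with a stack-smashing report instead of continuing silently. */
    return 0;
}
```

Two design points are worth noting. The checked parser returns distinct error codes rather than silently truncating, so the calling code can log a malformed frame as a security event; a handler that truncates hides exactly the probing a defender wants to see. And the compiler flags are listed in the header rather than relied on in the code: with _FORTIFY_SOURCE the memcpy in the unchecked form is only caught when the destination size is known at compile time, and a stack protector turns the overflow into a crash, not into correct behaviour, so on a device in service the explicit check is the protection that actually matters.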

To be continued.