Last October, a distributed denial-of-service (DDoS) attack launched from the Mirai botnet brought popular websites such as Netflix, Spotify, Twitter, and SoundCloud to their knees. Now, nearly a year later, Mirai is a distant memory, but we may not have seen the worst of Internet of Things (IoT) DDoS attacks. Security researchers at Check Point have been warning the public of a looming IoT botnet storm cloud ready to strike. The research group recently revealed that “a brand new Botnet, dubbed ‘IoTroop,’ [is] evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.”
A botnet is a collection of compromised internet-connected devices that an attacker controls remotely; directing all of them to flood a single target at once is the classic DDoS attack. In a DDoS attack, adversaries seek to disrupt or temporarily shut down a service by exhausting its bandwidth, connection capacity, or processing resources, so that legitimate users, including the administrators trying to restore it, can no longer reach it. Temporary outages are not only inconvenient for users; they can also provide cover for other intrusion attempts against the target while defenders are busy with the flood.
Recruiting an army of devices is no quick and easy feat. Adversaries must infect a massive number of devices with malware, enabling the bot herder to control the victims and dictate actions to launch an attack. In this case, IoTroop is infiltrating IoT devices using a combination of known vulnerabilities. Check Point Research estimates that over a million organizations have already been affected, and the compromised devices themselves are helping spread the malware faster and faster. If you own any IoT devices, it’s difficult to tell whether you’ve been affected: until the bot herder issues an attack order, an infected device shows little outward sign of compromise beyond the scanning it does to recruit others.
When adversaries seek a victim for a DDoS attack, they generally look for two criteria to maximize damage: one quantitative and one qualitative. First, the system has widespread reach, allowing attackers to affect millions of users at once. This enables them to scale, fulfilling the quantitative part of the attack equation. Next, the target system or service is heavily relied on by users; the greater users’ dependency on the target, the greater the potential damage. Examples include systems that provide basic human necessities, such as water, electricity, and arguably the internet. This heavy user dependency enables attackers to cause catastrophic damage, fulfilling the qualitative part of the attack equation.
Though the attacker’s target is still unknown, the amassing botnet harvest is raising concerns about the potential destruction the attack could cause. Check Point echoes this sentiment: “It is too early to guess the intentions of the threat actors behind [IoTroop], but…it is vital [that] proper preparations and defense mechanisms are put in place before an attack strikes.”
John Nye, vice president of cybersecurity strategy at healthcare IT consulting firm CynergisTek, tempers public expectations, explaining that proactively preparing for IoTroop is tough but necessary: “We must…build security into our technology, our people, and our processes.” The Defensics fuzz testing team agrees. Sure, it’s tough. However, with a systematic approach, it’s possible, essential, and practical to build security into your software and protect it from DDoS attacks.
Fuzz testing is an excellent security testing technique for increasing the robustness of software and for verifying that it is defensively programmed well enough to withstand denial-of-service attacks. A fuzzer feeds the software a stream of malformed and unexpected inputs while watching for crashes, hangs, memory errors, and other anomalous behavior; each anomaly points at a vulnerability or weakness, and an input that hangs or crashes a device is, by definition, a denial of service. It’s an industry-recognized technique for ensuring the security, reliability, and robustness of embedded devices, especially in the Industrial Control Systems (ICS) space. In fact, Defensics fuzz testing is an ISASecure-certified communication/system robustness testing tool.
Not only is fuzzing well-known in ICS, but we argue that it’s becoming increasingly relevant and necessary in IoT. In Underwriters Laboratories’ (UL) overview of its UL 2900-2-3 standard, it shared the following sobering statistics:
Forrester’s TechRadar™: Application Security, Q3 2017 report anticipates changes in the application security testing (AST) market that address the alarming statistics above. The author, Amy DeMartine, observes:
Fuzz testing tools…analyze output to determine whether an application demonstrates security, reliability, and robustness. However, unlike DAST tools, fuzz testing tools don’t employ crawlers; instead, they use data generators to create combinations of known dangerous values and random data. Although traditionally used for network protocol testing, fuzz testing is gaining traction for testing IoT applications, which can be difficult or even impossible to crawl.
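The quoted passage describes fuzzers as data generators that combine known dangerous values with random data, and the earlier paragraph on fuzz testing describes the goal: find the inputs that crash or hang the software before an attacker does. The program below is an added example of what that looks like for a small embedded-protocol parser; it is not Defensics and not code from the Check Point, UL, or Forrester reports. It assumes a RADIUS-style attribute encoding ([type:1][length:1][value], with the length counting the two header bytes, so a valid length is at least 2), a naive parser and a hardened one written for this illustration, the constants `MAX_ATTRIBUTES` and `TIMEOUT_SECONDS` chosen here, and a Unix host, because each test case runs in a forked child process so that a crash or hang in the target cannot take the harness down. The generator emits every dangerous length value, a packet that ends mid-header, and then random bytes, and the harness classifies each case as a crash (uncaught exception in the child) or a hang (the child never returns within the budget).

```python
"""Generation-based fuzzing of a RADIUS-style attribute parser.

Added illustration, not Defensics and not code from the reports cited on the
page.  Assumed wire format: a packet is a sequence of attributes
[type:1][length:1][value], where length counts the two header bytes as well
(the RADIUS convention), so a valid length is always >= 2.  Assumes a Unix
host: every test case runs in a forked child process.
"""
import multiprocessing as mp
import random
import struct

MAX_ATTRIBUTES = 32    # hypothetical resource bound enforced by the hardened parser
TIMEOUT_SECONDS = 0.5  # budget after which a test case is classified as a hang

# "Known dangerous values" for a one-byte length field: zero and the values
# smaller than the header, the sign boundary, and the maximum.
DANGEROUS_LENGTHS = (0, 1, 2, 3, 0x7F, 0x80, 0xFE, 0xFF)


def parse_attributes_naive(packet: bytes) -> list:
    """Trusts the length field.  Two robustness bugs a fuzzer will find:
    a length of 0 never advances `i`, so the loop spins forever (denial of
    service), and a packet that ends mid-header makes unpack_from raise."""
    attrs = []
    i = 0
    while i < len(packet):
        a_type, a_len = struct.unpack_from("BB", packet, i)
        attrs.append((a_type, packet[i + 2:i + a_len]))
        i += a_len
    return attrs


def parse_attributes_hardened(packet: bytes) -> list:
    """Checks every length before using it and bounds the work per packet.
    Malformed input is rejected with ValueError, the parser's documented
    error, instead of crashing or hanging."""
    attrs = []
    i = 0
    while i < len(packet):
        if len(packet) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        a_type, a_len = packet[i], packet[i + 1]
        if a_len < 2 or i + a_len > len(packet):
            raise ValueError("bad attribute length %d at offset %d" % (a_len, i))
        if len(attrs) >= MAX_ATTRIBUTES:
            raise ValueError("too many attributes")
        attrs.append((a_type, packet[i + 2:i + a_len]))
        i += a_len
    return attrs


def generate_cases(seed: int, n_random: int):
    """Yields (label, packet): each dangerous length in a fixed packet shape,
    a packet that ends mid-header, then random byte strings.  All of the
    packets are constructed here for the example."""
    for bad in DANGEROUS_LENGTHS:
        yield "length=%d" % bad, bytes([1, bad]) + b"A" * 6
    yield "truncated-header", bytes([1, 4, 0x41, 0x42, 0x07])
    rng = random.Random(seed)
    for k in range(n_random):
        yield "random-%d" % k, rng.randbytes(rng.randint(0, 24))


def _run_target(parser, packet: bytes) -> None:
    """Child-process body.  A ValueError is the parser's specified rejection
    of bad input and therefore not a finding; any other exception escapes,
    the child exits non-zero, and the harness records a crash."""
    try:
        parser(packet)
    except ValueError:
        pass


def fuzz(parser, seed: int = 1, n_random: int = 10) -> dict:
    """Runs every generated case against `parser` in a forked child and
    returns the anomalies as {label: "crash" | "hang"}."""
    ctx = mp.get_context("fork")
    findings = {}
    for label, packet in generate_cases(seed, n_random):
        child = ctx.Process(target=_run_target, args=(parser, packet))
        child.start()
        child.join(TIMEOUT_SECONDS)
        if child.is_alive():            # the parser never returned: hang
            child.kill()
            child.join()
            findings[label] = "hang"
        elif child.exitcode != 0:       # uncaught exception in the child: crash
            findings[label] = "crash"
    return findings


if __name__ == "__main__":
    for name, target in (("naive", parse_attributes_naive),
                         ("hardened", parse_attributes_hardened)):
        print(name, fuzz(target, seed=7))
```

Run against the naive parser, the harness reports the zero-length case as a hang and the mid-header case as a crash (the child's traceback goes to stderr, just as a real crash would), plus whichever random packets happen to hit the same bugs; against the hardened parser it reports nothing, because every malformed packet is turned into the parser's own ValueError. The hang is the finding that matters most for the DDoS discussion: on a real device, that single packet would take the firmware offline or peg its CPU until a reboot, and the fuzzer found it with a known dangerous value rather than by luck.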
Fuzz testing has a number of prominent champions, including Linus Torvalds, the creator and maintainer of the Linux kernel. In a recent release announcement, he noted that fuzzing has helped produce a steady stream of security fixes for Linux kernel version 4.14. Torvalds’ endorsement of fuzzing is especially relevant for IoT: Linux is one of the most popular operating systems used in embedded and IoT devices. And Defensics is no stranger to Linux. Earlier this year, Defensics uncovered three critical, previously unknown vulnerabilities in the Linux kernel.
So if you’re concerned about DDoS attacks—whether you’re a potential target or you have IoT devices that could be compromised and recruited as bots—fuzzing can help you proactively improve the security and robustness of your software. It’s a practical way to ensure that your business-critical software, including firmware, is resilient enough to withstand attacks and that the attack surfaces of your closed, hard-to-test IoT devices are hardened.