Newsletter 12/26/2021

The IoT Mess: Or, What Does a Hacker Want With My Cable Box, Anyway?

One specific answer to that question is DDoS amplification: DDoS, as in Distributed Denial of Service attack; and amplification, as in making an electronic signal bigger in volume.  Yes, friends, a hacker can turn your cable box, or just about any device that we would not, at first, think of as being Internet connected, into just another tube in that great virtual Marshall 100-watt stack in cyberspace.

A simpler, and more general, answer is that hackers want Command and Control (C&C) of your cable box for all the same reasons hackers want C&C of your computer: to enlist the device as a node in the hackers' botnet.

A list of vulnerable Internet of Things (IoT) devices is truly staggering.  Such a list would include consumer and entertainment devices, like cable boxes and "smart" televisions, as well as common commercial devices.  A recent study concluded that:

Out of over a half a billion IoT device transactions, 553 different devices from 212 manufacturers were identified, 65 percent of which fell into three categories: set-top boxes (29 percent), smart TVs (20 percent), and smartwatches (15 percent).

The home entertainment & automation category had the greatest variety of unique devices, but they accounted for the least number of transactions when compared to manufacturing, enterprise, and healthcare devices.

Most traffic instead came from devices in manufacturing and retail industries – 59 percent of all transactions were from devices in this sector and included 3D printers, geolocation trackers, automotive multimedia systems, data collection terminals like barcode readers, and payment terminals.

Of particular concern is the vast number of IoT devices associated with health care, which are also vulnerable devices.  "Depending on who you ask, in the U.S. there are, on average, either a handful or between 10 to 15 connected devices per bed, and keeping an eye on them is difficult."

“Our data shows that hospitals on average have lost track of 30% of their networked medical devices, making it much harder to protect them against hackers. This is particularly concerning because some 61% of all medical devices on a hospital network are at cyber risk and can be compromised by malicious attackers seeking to steal data, harm patients or ransomware,” says Motti Sorani, CTO of medical cybersecurity provider CyberMDX.

“WannaCry, NotPetya, Orange Worm and botnets effectively attacked medical and IoT devices because they are easy targets. Just last month the newly deployed Silex malware started bricking IoT devices, wreaking havoc everywhere, including in the healthcare sector. And we hear of hospitals around the world getting hit by ransomware nearly every week,” he pointed out.

The takedown of the Emotet malware early in 2021 gave security researchers a clearer insight into the extent to which IoT devices were under the C&C of Emotet.  Although the takedown of Emotet "appeared to have a major impact as well, contributing to a large-scale reduction in botnet agents," security researchers have now turned their eyes to the Mozi malware.

The latest large-scale malware of choice for recruiting botnets to use in DDoS attacks, Mozi has a particular appetite for IoT devices. The malware leverages known Common Vulnerabilities and Exposures (CVEs) to infect DVRs, network gateways and other connected devices, then uses peer-to-peer connectivity to send and receive configuration updates and attack commands.

Mozi also has a voracious appetite for networking devices.  Since 2019, Mozi has attacked and infected "network gateways manufactured by Netgear, Huawei, and ZTE."

"Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks," researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT said in a technical write-up. "By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities."

Mozi has a history of infecting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. The botnet evolved from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper.

All of this cyber carnage is exacerbated by the ability of the botnet to use its nodes to amplify its attacks.  This is especially the case in DDoS attacks.  "A DDoS attack involves multiple connected online devices, collectively known as a botnet, which are used to overwhelm a target website with fake traffic."  If the attack is on an Internet connected server, this fake traffic overwhelms the attacked server, and the server is taken offline.  And your doctor can no longer remotely access your heart monitor.  Maybe the hospital cannot even read the malfunctioning monitor.  "Real-world repercussions are many: hospital shutdowns, compromised patient care, regulatory infractions, potential lawsuits and the loss of a hospitals’ good reputation."

So while a 100-watt amplifier might have 4 power tubes, a 50-watt amplifier from the same manufacturer might have only 2 power tubes.  Likewise, an infected cable box or network router is like another power tube in our mythical 100-watt model, doubling its power; or, in the case of a global botnet, it joins its fellow infected IoT devices to take down a global payroll services company 2 weeks before Christmas, and thus makes a lot of children unhappy on Christmas morning.

A sad note concerning attacks on the healthcare industry also applies to most, if not all, IoT devices: "Unfortunately, there isn’t much patients can do when it comes to securing medical devices or their information."  Still, armed with enough practical knowledge, consumers can minimize their "attack surface."  A good place to begin would be to regularly change your password on any IoT devices.  For example, do you watch Netflix on your "smart" or Internet connected TV?  Is that Netflix password the same as any other password you use, like your bank or email?  Well, then change one or the other password, if not both.  Do the same for a smart watch, or any other IoT device that you use to access anything network related.  Yeah, I know.  What a pain in the...

Gerald Reiff