Over the last few weeks, a number of smart homes have suffered cyberattacks that caused some devices to malfunction. In one home in particular, the DDoS attacks caused the heating to go off for a couple of days, leaving the homeowner cold and confused. The devices in question are hardware automation devices designed by Austrian firm Loxone, which has recently been targeted by cybercriminals, who more than likely discovered vulnerabilities by scanning ports at random. On 5 November 2016, the firm published a blog post explaining what Loxone users should do to protect themselves. From the blog:
“In recent weeks large scale DDoS attacks have been carried out against numerous Internet services, resulting in them being temporarily and repeatedly unavailable. Some of the services affected included Spotify, Twitter, Paypal and more. Our support has been contacted with inquiries from some customers whose Miniservers use the standard Internet port 80 and were subject to similar DDoS attempts.”
Loxone’s products are designed to make life easier. They electronically control things like a home’s lighting and heating. They will work even if they aren’t connected to the internet. For added functionality, however, the hardware automation devices can be connected to the web to be controlled remotely.
Unlike many IoT devices, Loxone’s products do not connect to a central company server. Instead, each home is its own miniserver. As such, the cyberattacks that Loxone users have been suffering from have been direct attacks on their home’s devices.
We spoke to Loxone’s Managing Director, Philipp Schuster. He told us the firm takes many precautions to try to stop these types of attacks. This includes ‘whitehat’ hacking their own customers. This is to ensure that they have updated the default passwords that Loxone devices ship with.
Mr Schuster told me that the firm automatically probes their users’ devices using the default password. If the firm is able to gain access, they contact the user and ask them to update their password for security reasons. They remove any devices they find running on default port setups, with default passwords, from their DNS servers. This attempts to minimize the risk to users.
It’s Not Working
Sadly, according to Mr Schuster this approach doesn’t always work. People simply don’t read the emails (probably assuming that they are just follow-up marketing emails).
According to the firm, Loxone users have been suffering from cyberattacks because of those default passwords. That is why some of their homes’ devices may have malfunctioned. Mr. Schuster pointed out that pulling the ethernet cable would have been an option for regaining control of devices during the DDoS attacks, as Loxone devices work offline.
Mr Schuster also told us that they set up a honeypot on their server in order to lure the hacker in. From this, Loxone found that the hacker appears to be attempting to find IoT products to add to a botnet:
‘By using honeypots, systems that are publicly available and closely monitored, we have detected that attacks target common ports and services, such as http, ssh, telnet, etc. with login attempts using typical username and password combinations. This is the behaviour that can be associated with Mirai botnets that are looking to grow themselves by taking over more devices.’
Mirai Likely to Blame – Again!
The recent rise in DDoS attacks has been attributed to the online dump of the Mirai malware. It is quite probable that this was another case of Mirai. The malware in question probes ports and tries default passwords in order to add devices to an army of Mirai-botnet-controlled IoT devices.
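The pattern the honeypot recorded (default-style logins spread over common ports) can be expressed as detection logic. This is an added example, not Loxone's code; the log format, the credential pairs, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a Loxone format):
#   <time> <src-ip> <service>/<port> login user=<u> pass=<p> result=<ok|fail>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<svc>\w+)/(?P<port>\d+) "
    r"login user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$")
# Ports the article lists as routinely probed, plus ssh and telnet.
COMMON_PORTS = {22, 23, 80, 443, 8080}
# Constructed stand-ins for factory credentials; fill in from your own device inventory.
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("user", "user")}

# Constructed sample (documentation-range IPs).
SAMPLE_LOG = """\
2016-11-04T10:00:01Z 198.51.100.7 telnet/23 login user=root pass=root result=fail
2016-11-04T10:00:02Z 198.51.100.7 telnet/23 login user=admin pass=admin result=fail
2016-11-04T10:00:03Z 198.51.100.7 ssh/22 login user=user pass=user result=fail
2016-11-04T10:00:05Z 198.51.100.7 http/80 login user=admin pass=admin result=ok
2016-11-04T10:03:40Z 192.0.2.44 ssh/22 login user=root pass=root result=fail
2016-11-04T10:07:12Z 203.0.113.20 http/80 login user=alice pass=Tr0ub4dor result=fail
2016-11-04T10:07:30Z 203.0.113.20 http/80 login user=alice pass=Tr0ub4dor3 result=ok
garbled line without fields
"""

def find_botnet_like_sources(log_text, min_pairs=2, min_ports=2):
    """Return sources that tried several default pairs across several common ports."""
    seen = defaultdict(lambda: {"pairs": set(), "ports": set(), "ok": False})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        port, cred = int(m["port"]), (m["user"], m["pw"])
        if port in COMMON_PORTS and cred in DEFAULT_PAIRS:
            s = seen[m["src"]]
            s["pairs"].add(cred)
            s["ports"].add(port)
            s["ok"] = s["ok"] or m["res"] == "ok"
    return {
        src: {"pairs": len(s["pairs"]), "ports": sorted(s["ports"]),
              "default_login_succeeded": s["ok"]}
        for src, s in seen.items()
        if len(s["pairs"]) >= min_pairs and len(s["ports"]) >= min_ports
    }

if __name__ == "__main__":
    for src, info in find_botnet_like_sources(SAMPLE_LOG).items():
        print(src, info)
```

On a real device log rather than a honeypot, any source with `default_login_succeeded` set means the factory credentials are still in place and should be changed.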
Loxone explains on its website that user miniservers are protected using a firewall:
“If a DDoS attack is carried out against a Miniserver and its network interface is overloaded by requests, the Miniserver will detect this and automatically reboot. That way, the system is up and running again after a few seconds.”
During a large scale DDoS attack, however, the miniserver may reboot again and again. This can lead to a malfunction whereby the device doesn’t work. This is likely what happened to our source when they lost the use of their heating for two hours last Friday.
What Should You Do?
Loxone has a blog on how to protect against the recent spurt of DDoS attacks. In it, the firm explains that people would be wise to update the default password on their devices. It also recommends updating the default ports that those devices use. That is because the cyber attacker appears to be automatically and systematically probing ports 80, 443 and 8080:
“DDoS attacks usually affect devices that use standard ports, such as 80, 443 and 8080. As part of our documentation and training, we always recommend using a non-standard port, for instance 7777 or even better one greater than 50000. Changing the http port makes it less likely for botnets to find your Miniserver and thus prevents random DDoS attacks / reboots.
“We strongly recommend that all Loxone users and partners change the Internet port of the Miniserver, even if the Miniserver is not affected by reboots. These attacks are becoming more common and everyone ought to protect themselves.”
Mr. Schuster also added the following statement:
“Attacks that are aimed at growing botnets tend to follow the path of least resistance and hence can be easily turned away. The first step anyone should take to protect themselves from all kinds of attacks is to ensure that a secure password is used. This might sound obvious, but unfortunately is still the most commonly exploited culprit by hackers. Secondly, it is advisable that any services that are publicly accessible are using non-standard ports. Doing so makes it a lot more laborious to find a point of attack in the first instance.”
With connected devices, people need to accept a certain amount of personal responsibility. This is especially true with the Mirai malware causing a massive rise in this type of attack. Updating default passwords and accepting vital software updates from manufacturers are essential for staying safe.
A recent study by home WiFi company Luma found that two out of three households have a network security threat. The study, called ‘State of IoT Security in the Connected Home,’ explains that one in six IoT devices has a security issue.
This may seem low at first glance. However, when you consider that Gartner last year predicted that there would be 6.4 billion connected devices in use by 2016, you suddenly realize that there are well over a billion IoT devices on the market that have serious security flaws.
With this in mind, people really need to start cooperating with firms like Loxone in order to protect themselves, and their homes, from the ever-rising threat of botnet attacks.