Internet of things security points

IOT security incidents have been happening one after another. The reason is that hackers still take advantage of those classic vulnerabilities in the era of web development. However, the Internet of things has four characteristics: 24-hour networking, fragile security protection, low attack cost of Botnet (corresponding to the Chinese term “botnet”) and difficult to clarify the attribution of security responsibility, which has become a good target loved by hackers. Next, let’s review several major cases.

1 Internet of things security incidents

1.1 Mirai botnet

Mirai was created by three young Americans, Paras JHA, Josiah white and Dalton Norman (only 20 to 21 years old at that time), which is a kind of malware for smart devices and network devices running Linux operating system. The initial design goal was to turn Internet of things devices, such as routers, digital video recorders and IP cameras, into “zombies” and a group of digital robots that can attack other websites or network infrastructure.

Mirai swept the world

Since JHA released Mirai’s source code on the hacker forum in September 2016, since then, other criminals have been used to creating a large number of botnets starting from this code, most of which are of the same complexity. They just occasionally add new and more complex attack tools and capture more kinds of Internet of things products. For example, the new Mirai version found in January 2019 can also scan and utilize LG smart TV and wepresent wireless demonstration system in the enterprise environment.

Mirai’s birth indicates a new turning point in DDoS attacks: IOT botnets have become the main force of such attacks. According to the measurement of security personnel, Mirai controlled more than 600000 vulnerable IOT devices during the peak period in November 2016.

Therefore, some security people suggest that Internet of things manufacturers should change the practice of everything going well after producing products, but change the business model, adopt the subscription model, continuously provide services and shoulder the responsibility of product safety protection. Practitioners should also avoid purchasing IOT products produced in large quantities without subsequent maintenance, so as to prevent them from becoming a good target for botnet.

On September 20, 2016, Mirai’s attack against French OVH company, one of the largest hosting service providers in Europe, broke the DDoS attack record, with the attack volume reaching 1.1tpbs and the maximum reaching 1.5tpbs, which was jointly initiated by 145000 IOT devices. The founder of OVH said that these attacks targeted minecraft (sandbox construction game called “my world” in Chinese) server.

On October 21, 2016, botnet attacked an American network infrastructure company called dyn, which paralyzed the websites of many mainstream Internet companies in the United States, including GitHub, twitter, Netflix, reddit and paypal. In the history of light black technology, poetic language is used to describe the American network disconnection event:

It was a long day, and the tide of attack hit three times, each lasting about an hour. Internet services are intermittent, and the east coast of the United States has fallen into the biggest “Internet terrorist attack” after 9 / 11. This is obviously a disaster, because the whole United States is as helpless as a baby in the face of such an attack.

Until all the dust settled, people didn’t know that this barbaric attack came from webcams and routers all over the world. Yes, you’re right. Those little things that look “harmless to humans and animals” sitting on the table in your living room. They had been lying quietly in their master’s house, connected to the outside world only through an Internet cable. However, it is this small network cable that has become the “thread” for hackers to control puppets.

A mysterious virus penetrated the door of countless families through the network cable and invaded hundreds of cameras. In the eyes of the owner, these hardware are no different. However, their indicator lights seem to turn into red eyes. Like infected zombies, they turn their guns in the cyber world and spit out new viruses frantically to the Internet.

In this way, hundreds of thousands of hardware devices on earth form a huge “botnet”. This botnet is like a group of cannibal ants. Their garbage visits are neat and uniform, running around the online world. Wherever they go, the network will be paralyzed and there will be no grass.

In history, light black technology “Waterloo of hackers — a full record of the great disconnection of the United States”

The replication module may infect many vulnerable IOT devices

Mirai Botnet

According to OVH and dyn, the peak traffic of these attacks exceeds 1tbps, which is the largest attack traffic among known attacks. The most striking is that these flows are initiated by small IOT devices such as home routers, air quality detectors and personal surveillance cameras.

The FBI and global security researchers haven’t found the culprit yet, but the plot continues. Just a month later, a new panic has struck – variants of the virus are blooming everywhere. On November 28, 2016, Telekom router of Deutsche Telekom was invaded on a large scale, and 20 million routers in Germany were invaded. In the process of invasion, 900000 routers directly collapsed in the process of infection. The attack affected almost all Germans and caused great panic. At the same time, countless new variants of Mirai have emerged all over the world, spreading like zombies. It was not until May 2017 that the FBI found and accused the three young men.

Germany has a total population of 80 million and 40 million families. In that attack, 20 million home routers owned by Telekom were attacked by hackers, many of which were controlled by hackers, 900000 servers were shut down directly, and the light of the Internet was like a lamp shattered by a grenade, which went out in the windows of these families.

In the dark, Germany sank into the Atlantic Ocean.

The massacre lasted three days. The situation is as tragic as Nazi Germany’s flash attack on Poland in 1939, but this time history has mischievously changed the protagonist.

During the three days of “fierce router battle”, the two sides played in the dark. It was a dream for users to surf the Internet normally. Deutsche Telekom had to announce that families who could not access the broadband network for some reason could get a free coupon for 4G network card and temporarily use the mobile network to “renew their lives”.

In history, light black technology “Waterloo of hackers – a full record of the fall of Germany”

How Mirai works

From the perspective of core functions, Mirai is a self propagating worm, that is, it is a malicious program that realizes self replication by discovering, attacking and infecting vulnerable IOT devices. Mirai is also a botnet because it controls infected devices through a set of central command control (C & C) servers. These servers will tell the infected device which sites to attack next. Overall, Mirai consists of two core components: replication module and attack module.

Mirai’s replication module

Schematic diagram of Mirai replication module

The replication module is responsible for expanding the scale of the botnet and infecting as many vulnerable IOT devices as possible. The module scans the whole Internet (randomly) to find available targets and launch attacks. Once a vulnerable device is fixed, the module will report the device to the C & C server in order to infect the device with the latest Mirai version, as shown in the figure above.

In order to infect the target device, the original version of Mirai used a fixed set of default login and password combination credentials, including 64 credential combinations, which are commonly used by IOT devices. Although this attack method is relatively low-level, it has proved to be very efficient. Mirai has handled more than 600000 devices through this method.

Mirai can infect 600000 IOT devices with only 64 well-known default logins and passwords.

Attack module

The C & C server is responsible for specifying attack targets, and the attack module is responsible for initiating DDoS attacks against these targets, as shown in the figure below. This module implements most DDoS technologies, such as UDP flood attack, HTTP flood attack, and all TCP flood attack technologies. Mirai has a variety of attack methods, which enable it to launch volume exhaustion attack, application layer attack and TCP state exhaustion attack.

Schematic diagram of Mirai attack module

By analyzing Mirai source code, the following technical features are found:

1) The infection is implemented by the central server C & C (this service is called load), rather than the zombie itself.

2) Josiah white wrote a sophisticated scanner that uses advanced syn scanning, which can send thousands of syn packets at a time, and the scanning speed is increased hundreds of times, greatly improving the infection speed.

3) Forcibly eliminate other mainstream IOT zombie programs, kill competitors and monopolize resources. For example, clear qbot, zollard, remaiten BOT, anime BOT and other zombies.

4) Once entering through the telnet service, the telnet service and other entrances (such as port 22 of SSH and port 80 of Web) will be forcibly closed, and the service port will be occupied to prevent the revival of these services.

5) Filter out the IP addresses of large companies and organizations such as GE, HP, the national post office and the Department of defense to avoid trouble.

6) The unique GRE protocol flood attack increases the attack strength.

7) Since Mirai cannot write itself to the IOT device firmware, it can only exist in memory. So once the device restarts, Mirai’s BOT program will disappear. In order to prevent the device from restarting, Mirai sends the control code 0x80045704 to the watchdog to disable the watchdog function. This is because in embedded devices, the firmware will implement a function called watchdog. A process will continuously send a byte of data to the watchdog process. This process is called feeding the dog. If the dog feeding process ends, the device will restart, so Mirai turned off the watchdog function to prevent the device from restarting. This technology is often widely used in embedded device attacks. For example, this anti restart technology has been used in the attack code of Hikvision vulnerability (cve-2014-4880).


The infected objects of Mirai botnet have expanded from webcam, router and home security system to smart TV, smart wearable devices and even baby monitors. Any IOT device with internet connection may become a potential target, and it is difficult for ordinary users to notice that the device has been infected. Since all passwords are solidified in the IOT device firmware, even if Mirai disappears from the memory after restart, the secondary infection cannot be eliminated. It is recommended that developers detect their devices through the port scanning tool and whether SSH, telnet and HTTP / HTTPS services are enabled. If conditions permit, please disable SSH and telnet services.

1.2 Hikvision equipment safety incidents

At noon on February 27, 2015, the Jiangsu Provincial Public Security Department issued an urgent notice on the immediate comprehensive inventory and security reinforcement of the province’s Hikvision monitoring equipment, which said that there were serious potential safety hazards in the monitoring equipment of Hangzhou Hikvision Digital Technology Co., Ltd. used by public security organs at all levels in Jiangsu Province, Some equipment has been controlled by overseas IP addresses, so all localities are required to organize forces to conduct a comprehensive inventory of the used Hikvision equipment, and carry out security reinforcement to eliminate security vulnerabilities.

Subsequently, Hikvision officially released Hikvision’s instructions on “equipment security”, saying that through network traffic monitoring, Jiangsu Internet Emergency Center found that some Hikvision devices on the Internet were attacked by hackers due to weak passwords (weak passwords include using the initial product password or other simple passwords, such as 123456, 888888, admin, etc.), Special emergency technical teams will be organized to help local cities to modify product passwords and upgrade firmware.

On March 2, Hikvision held a teleconference on information disclosure for investors. Its general manager said: “we don’t know about other manufacturers. Hikvision took the initiative to disclose two defects: the first is the weak key problem, which can be solved by changing the password; the second is that on December 5, we disclosed the possible security hidden danger RTSP (real-time streaming protocol) At present, the security vulnerabilities and hidden dangers of the company’s products can be solved by changing the password and upgrading the system. “This time, the science and Technology Information Department of Jiangsu Public Security Bureau issued a document because a small number of monitoring devices are not ordinary household, but monitoring devices used by the public security system, and they are also controlled by overseas IP addresses. After investigation, Hikvision found that the monitoring equipment from the public security system is likely to be exposed to hacker attacks because it uses Internet broadband services for urban public security monitoring.

1.3 ripple20 event

On June 16, 2020 (last month!), jsof, an Israeli network security company, announced that researchers found 19 0day vulnerabilities in the TCP / IP software library developed by treck, Inc., which are collectively referred to as “ripple20”. Hundreds of millions (or more) of IOT devices around the world may be subject to remote attacks.

The researchers said that they named the 19 vulnerabilities “ripple20” not because they found 20 vulnerabilities, but because these vulnerabilities will trigger a security storm in the IOT market in 2020 and beyond. Worse, the researchers pointed out that the 19 “ripple20” zero day vulnerabilities found so far may be just the tip of the iceberg, and the attacker’s malicious code may lurk in embedded devices for many years.

Jsof safety notice to ripple20

Vulnerability details

The flaw lies in a software library designed in the 1990s – the TCP / IP software library widely used by Internet of things developers and developed by treck, a Cincinnati based software company in 1997, which implements a lightweight TCP / IP stack. In the past 20 years, the software library has been widely used and integrated into countless enterprise and individual consumer devices.

Researchers at jsof research laboratory said that the affected hardware is almost everywhere, including massive equipment from networked printers to medical infusion pumps and industrial control equipment.

These 19 vulnerabilities are all memory corruption problems due to processing errors of packets sent on the network using different protocols (including IPv4, icmpv4, IPv6, ipv6overipv4, TCP, UDP, ARP, DHCP, DNS or Ethernet link layer).

potential risk

Ripple20 poses a significant risk when the equipment is still in use. Potential risk scenarios include:

If facing the Internet, an attacker from outside the network will control the devices in the network; Attackers who have managed to penetrate the network can use library vulnerabilities to target specific devices in the network; Attackers can broadcast attacks that can take over all affected devices in the network at the same time; The attacker may use the affected device to hide in the Intranet; Complex attackers may attack devices within the network from outside the network boundary, bypassing any NAT configuration. This can be accomplished by performing mitm attacks or DNS cache poisoning; In some cases, attackers may be able to bypass NAT and execute attacks from outside the network by responding to packets leaving the network boundary; In all cases, an attacker can remotely control the target device without user intervention.

Treck has released a patch on June 22, 2020 for OEM to use the latest version of treck stack (version or higher). The main challenge now is how to make so many enterprises around the world fix vulnerabilities as soon as possible, especially many IOT devices can not install patches. For this major risk, IOT device developers should act quickly.

Android devices don’t worry. Mainly RTOS. Embedded products are the hardest hit areas.

1.4 other intelligent device vulnerability events

Children’s smart Watch

Due to the classic vulnerabilities in the web API when the terminal communicates with the cloud, the security company exposed that many children’s smart watch suppliers worldwide generally have security protection problems, including suppliers in China, Germany and Norway. It is estimated that at least 47 million or more terminal devices may be affected by this.

The security company found that when the products of one manufacturer (including OEM products) communicate with the cloud platform, all communication requests are unencrypted plaintext jsonajax (a lightweight data exchange format) requests, the transmission information is attached with the specified ID number and default password 123456, and the legitimacy of the call is not dynamically verified, It provides an opportunity for hackers to control children’s smart watches.

In May 2018, Shenzhen Consumer Council took the lead in preparing and Issuing the technical document on standardization of children’s smart watches in Shenzhen, trying to solve the chaos of industry without standards, supervision and rampant fake brands at the level of industrial chain. The document generally mentioned the information security requirements at the levels of terminal, client, security management platform and data transmission.

Electric scooter

Xiaomi m365 electric scooter can interact with mobile app through Bluetooth. Bluetooth communication uses password encryption to ensure the security of remote interaction. However, the security personnel found that the password was not used correctly in the process of interactive authentication. Rani Idan, a researcher at zimperium zlabs, said in the report, “we determined that the password is not correctly used as part of the authentication process of the scooter, and all commands can be executed without a password. The password is only verified on the application side, but the car itself does not verify the identity.” therefore, the security personnel developed a special authentication application, You can scan nearby Xiaomi m365 scooters and lock them with the anti-theft function of the scooter without password authentication.

2 Internet of things vulnerabilities

As mentioned earlier, why are IOT devices so vulnerable? Four points are roughly summarized:

1) The device itself does not integrate security mechanisms. Unlike mobile phones, laptops and desktops, IOT’s operating system basically has no protection capability. The reason is that the cost of equipment integration security mechanism is too high, which will slow down the development process, and sometimes even affect the equipment performance, such as operation speed and capacity.

2) The device is directly exposed to the Internet public network. At the same time, it can also be used as a transit point of the intranet to open the back door to outlaws.

3) The device contains non essential functions left in the process of hardware and software development based on general and Linux driver. The public class library referenced by the device application may be old and full of vulnerabilities. The vulnerable software library is not only directly used by device suppliers, but also integrated into a large number of other software suites, which means that many companies do not even know that they are using vulnerable code.

4) The default identity is hard coded. This means that the device can be inserted and run without creating a unique user name and password. Even confidential information such as root certificates and keys are burned into the firmware in the form of text files.

3 our precautions

The measures are mainly divided into three categories: management, hardware and software.

Management precautions:

From project initiation, distribution, binding and activation to formal use and later recovery and scrapping, it is based on a complete middle platform system to facilitate tracking the whole chain of equipment circulation and ensure the safety of equipment circulation. By monitoring the coordinate position of equipment and regularly and automatically checking the equipment deviating from the campus, it is ensured that the equipment is applied in the closed environment of the campus. Monitor the traffic, network request, application installation, etc. on the equipment according to the dimension of the catering center, so as to check the malicious use behavior and abnormal traffic. Monitor and report the operation, flow, abnormal information and software and hardware usage of the equipment, and analyze and measure the health of the equipment in real time.

Hardware and storage:

It adopts security level processor with encryption engine, secureboot and TrustZone. The industry-leading 3D structured light camera can achieve financial security and ensure payment security. Interface security: ① the debugging serial port is hidden and not exposed, and is disabled by default; ② I2C / SPI / Mipi and other bus interfaces are hidden in the inner layer of PCB; ③ The JTAG / SWD interface is hidden and not exposed, and is disabled by default; ④ USB / UART or other programming interfaces are turned off. The equipment has a unique identification number (equipment Sn number) to facilitate personalized security control.

System and interface:

Customize the security system based on Android system, and use the customized signature file as the system signature. The system disables root permission and turns off developer mode. The ADB service interface, USB debugging interface, WiFi and other interfaces are closed. Turn on Se security mode and try to run tee security zone to prevent the device from falling into remote code execution, remote information disclosure, Remote Denial of service and other dangers if SELinux is not enabled. SELinux is an acronym for security enhanced Linux. Tee is the abbreviation of trusted execution environment. Enable secure boot and verify uboot, boot and system partitions. Prevent hackers from brushing into the maliciously tampered firmware or partition image, implanting the Trojan horse and being remotely controlled. The firmware supports remote OTA, and OTA has a security verification mechanism of encryption and signing to ensure the security of the upgrade process. The system has a built-in customized secure desktop to shield the installation of third-party malicious applications and eliminate software risks. The “equipment authorization code” is required to modify the system configuration, including network configuration.


Independent authorization and signature can effectively prevent the risks caused by illegal third-party application installation. Apply key information so library to prevent the risk of key information disclosure caused by decompilation. Application directory permissions strictly comply with Android system specifications. Application communication is based on HTTPS (in HTTP communication mode) and mqtt + TLS 1.3 (in Internet of things communication mode).

4 Summary of this chapter

This chapter mainly introduces several major cases of IOT equipment that harm all over the world recently, from which we can find the weak security of IOT equipment, so as to make preventive measures and standardize processes at the three levels of equipment management, hardware and storage, system and software.

        Editor in charge: PJ

Leave a Reply

Your email address will not be published. Required fields are marked *