Is Your TV Part of a Botnet?

The explosion of smart devices, including connected refrigerators, home automation systems, smart TVs, medical monitors, and other random household devices that have online access, has created a whole new layer of machines called the Internet of Things (IoT). These devices make life convenient, and they help manufacturers gather petabytes of useful data. They also create a Wild West free-for-all for cyberattackers.

Servers, computers, and mobile devices have a major enterprise presence. Because big companies and governments need these machines to stay safe, a lot of effort goes into network security business tools for these types of devices. Most smart devices, however, are geared toward the consumer market, which means that instead of worrying about security, manufacturers focus on user-friendliness. Smart devicesare left wide open for easy connection and usage, and there’s no major security infrastructure yet for patching and monitoring these systems against attackers.

One attack vector that security researchers have recently observed uses Simple Service Discovery Protocol, or SSDP, to carry out DDoS attacks. SSDP makes it easy for smart devices to connect to the Internet and to discover one another. It also makes it easy to make your TV part of a botnet.

How SSDP Enables DDoS Attacks

SSDP is part of the Universal Plug-and-Play (UPnP) protocol, which was created primarily for residential or small business uses. All kinds of devices connect via SSDP including computers, mobile devices, cable modems, Internet gateways, Wi-Fi access points, gaming consoles, and smart devices. Devices using SSDP discover one another in two different ways:

  • M-search.When a network control point needs to find devices on the network, it multicasts via reserved port and address using a search pattern equivalent to the type of device it wants to find.
  • Notify. When devices announce their presence on a network, they send out a Notify to make themselves discoverable by the control point.

Reflection and Amplification

The Simple Object Access Protocol (SOAP) is a protocol that delivers information and control messages to UPnP devices. Attackers can craft SOAP requests to carry out reflection and amplification DDoS attacks. These attacks work in the following ways:

  • Reflection. Reflection DDoS attacks take advantage of a weak authentication system. An attacker attempts to connect to one target device, and the device sends back a security challenge. The attacker then sends the security challenge to a second device, which responds with the right authentication response. This authentication response is send to the first device, which lets the attacker connect to the original device.
  • Amplification. An attacker sends a query to a target device. The server returns an answer that is larger than the original request.

For reflection and amplification to work together, the attacker needs to gain control of devices through reflection and then use amplification to increase traffic volume on a server. For example, if the attacker gains access to your smart TV using reflection, your TV could query a target server, such as a server at a bank. The bank’s server would send back a larger response to your TV, which would consume its resources.

Now, imagine hundreds of thousands of TVs and other smart devices, which the attacker controls thanks to reflection, bombarding the bank server with queries. The server could be disabled by the sheer volume of requests.

How to Protect Smart Devices

Enterprises have to use network security measures to stop DDoS attacks in progress. So far, there’s no antivirus software for smart devices, but consumers, manufacturers, and organizations can take some steps to protect the IoT and themselves from DDoS attacks:

  • Consumers. Consumers can disable UPnP on their routers and also on any public-facing smart devices.
  • Manufacturers. Manufacturers should make firmware updates that properly configure the SSDP/UPnP client along with routing/firewall rules. Also, firmware updates should the UPnP to the LAN.
  • Organizations. Experts say that most attack traffic from smart devices comes through Port 1900. They recommend blocking all Port 1900 UDP traffic as long as the network can accommodate the added bandwidth.

As they invent and deploy new IoT devices, manufacturers must make security just as important as functionality. When millions of consumers purchase a single kind of smart TV, and that TV is left open to compromise, the fallout hurts not only consumers but also unleashes DDoS attacks against all kinds of enterprises.