Internet of Things technology is now more widespread than many people realize. Systems that fall under the IoT umbrella are popping up in an array of settings, even outside consumer circles. Today, every group from enterprise businesses to city governments is utilizing intelligent, internet- and Bluetooth-enabled devices to make a variety of critical capabilities possible.

Given this environment, the bullish predictions seen from certain industry authorities don’t seem that far fetched. According to The Motley Fool contributor Leo Sun, Cisco estimated that by 2020, a total of 50 billion devices would contribute to the IoT. Intel, on the other hand, took things a step further, predicting a 2020 IoT that will be 200 billion devices strong.

Now that these systems increasingly make up critical infrastructure in cities and businesses across the globe, the IoT is even more attractive to hackers. Smart systems are under attack, and the organizations that run and support this technology must take the proper steps for protection.

Shining a light on Shodan

Trend Micro researchers Numaan Huq, Stephen Hilt and Natasha Hellberg recently took an in-depth look at Shodan, a search engine that lists internet-connected devices, such as those included in the IoT. According to their findings, a large number of Shodan-featured devices are exposed thanks to poor configuration and other security concerns. In fact, researchers were able to pinpoint the cities in which the most exposed devices were situated. Here’s a summary of what was discovered, and how the nation’s biggest cities rank:

  • Houston has the most exposed webcams, with Chicago trailing by more than 1,500 devices.
  • Los Angeles took the top spot for exposed web servers, with Houston coming in second.
  • Surprisingly, smaller towns, including Lafayette, Louisiana and St. Paul, Minnesota were found to have the most exposed government cyber assets, beating out larger municipalities like Denver and the U.S. capitol.

But this was only the beginning. Trend Micro’s paper, “US Cities Exposed: Industries and ICS,” showed that devices in the emergency services, utilities and education sector were open to attack as well. Overall, Houston and Lafayette had the most exposed emergency services devices. What’s more, while there are a considerable number of exposed devices in the education industry across the board, Philadelphia had the most, with 65,000 endpoints exposed and vulnerable.

Cities now leverage more smart systems - but are exposed devices putting officials and residents at risk?Cities now leverage more smart systems – but are exposed devices putting officials and residents at risk?

IoT and critical infrastructure overlap: The power of hacking

When critical infrastructure systems, like those used in emergency situations, are combined with technology, cities can reap a multitude of benefits. Connected systems are easier to use, and streamlined utilization can make a big difference when time is of the essence. When these systems aren’t protected correctly, though, they could fall into the wrong hands and be used in a way that wasn’t initially intended.

Hackers recently flexed their muscles in Dallas during the spring, showcasing what happens when IoT and critical infrastructure overlap with cybercriminal activity. The Guardian reported that late on a Friday night, Dallas residents were awoken by sirens sounding throughout the city. However, there was no situation that called for the use of emergency tones.

Attackers had hacked and taken control of the system, launching sirens at 11:42 pm. The system went through 15, 90-second cycles, and officials finally deactivated it at 1:17 am.

“We shut it down as quickly as we could, taking into consideration all of the precautions and protocols we had to take to make sure that we were not compromising our 156-siren system,” Rocky Vaz, Dallas’ head of emergency management, said.

Officials did not elaborate on the process attackers used to hack the system, but believed the incident originated with cybercriminals within the city. While no one was hurt during the incident, the case does show the ways in which a critical technological system can be put at risk. Not only did residents have to deal with a panic-inducing emergency tone for an extended period of time, but city resources were also tied up trying to deal with the attack – local emergency operators experienced 4,400 calls about the sirens, including 800 calls within 15 minutes at around midnight.

Botnot hacks, takes control of IoT devices in widespread attack

A group of rogue hackers taking over a city’s siren system pales in comparison with this next incident. In late 2016, reports began to surface about the Mirai Botnet, a considerably powerful malware strain with the ability to attack and use infected IoT devices to launch subsequent attacks.

Security expert Brian Krebs reported in November 2016 that Mirai had successfully taken control and was leveraging poorly secured IoT devices including inherently underprotected internet routers and IP cameras. In fact, Mirai became so powerful that Krebs’ own website was taken offline that fall by a 620 Gpbs Mirai botnet attack.

“When systems aren’t protected correctly, they could be used in a way that wasn’t intended.”

Not long after, reports began to surface about Mirai attacks taking place in Liberia, with malicious activity centering around the nation’s telecommunications infrastructure.

“From monitoring we can see websites hosted in country going offline during the attacks,” wrote Kevin Beaumont, an England-based security architect, according to Krebs. “Additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack. The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

Several other outlets began to cover the story – including The Hacker News, the BBC and ZDNet. However, Krebs dug a little after being unconvinced of Mirai’s ability to take out an entire nation’s telecommunications infrastructure. Sources confirmed that hackers behind Mirai leveraged the botnet for a 500 Gbps attack against a mobile service provider in Liberia, but the company had DDoS protection in place that was put into action not long after the attack began.

While Liberia did not experience a nation-wide outage, the Mirai botnet and this incident does offer up a few very important takeaways. Mirai demonstrates just what malicious actors armed with the right malware can do with insecure IoT devices – the infection gleaned its attack power thanks to the devices making up the botnet and supporting its activity. In this way, it’s imperative to properly safeguard every connected device, from large systems to individual endpoints.

Mirai also shows the potential that exists for hackers within city- and state-level critical infrastructure. Attacks on systems like these are not unique, but are growing in frequency and severity.

To find out more, check out Trend Micro’s research, including “US Cities Exposed: A Shodan-Based Security Study on Exposed Assets in the US.”