Within the last decade we have seen a massive influx of ‘smart devices’ entering the consumer sphere, providing convenient solutions for users. The applications for these smart devices are likely boundless. A few of the more prominent examples include: smart appliances like thermostats, refrigerators, or even wireless controlled light bulbs, smart wearable devices, or smart home devices like Amazon’s Alexa or Google’s Echo. It is becoming a reality where fewer and fewer products don’t have an associated API with them. As these Internet of Things devices are designed and marketed largely to provide convenience, making them Plug and Play has unfortunately left data security as little more than an afterthought.
Internet of Things (IoT) devices are being targeted with increasingly effective attacks that aim at exploiting their vulnerabilities and assembling botnets with them. In recent years the size of botnets has increased from an average of around 20,000 machines to anywhere between 100,000 to 30 million machines. In most cases the botnets of IoT devices have been used in generating spam, harvesting data, or to conduct Distributed Denial of Service (DDoS) attacks. More recently, however, there is a trend where attackers are hijacking the device’s computing power (both the CPU and GPU) to be able to effectively split a brute force job amongst millions of participating machines in a botnet. This can empower an attacker with incredible amounts of computational power. An attacker may control and direct their botnet with command and control (C&C) software, directing this aggregate of processors towards tasks like cracking cryptographic hash functions or ‘mining’ for cryptocurrencies (the process of hijacking a device’s CPU to mine cryptocurrency is known as ‘cryptojacking’).
Botnets and High Speed MD5 Hash Cracking
To demonstrate this power in terms of hash generation, we can approximate that a typical home computer can yield an average hash generation rate of 50 Million hashes/second. A relatively small sized botnet by today’s standards of 20,000 computers would yield around 1,000 Billion hashes/second. Including higher performance computers and larger scale botnets in these hash generation rates will lead to even higher the hashes/second. In addition to using large-scale parallel computing for targeting single hashes or cracking authentication measures, an attacker may distribute password databases throughout their botnet and use them for brute force password cracking purposes. This could potentially render entire credential databases cracked within very small time frames.
The way a cryptographic hash function works is that it takes an arbitrarily long message and returns a fixed size string. For example, regardless of its input the MD5 algorithm will always return a hash that is 128-bits long (or a fixed size string of 32 hexadecimal characters). What this means is that while there is an infinite possible number of inputs to run into the MD5 hash algorithm, there will be a finite amount of possible hashes. Therefore it is inevitable to eventually generate hash collisions. A birthday attack is a cryptanalytic technique which helps make brute forcing one-way hashes, like MD5, much easier by exploiting the mathematics behind the birthday paradox in probability theory. These attacks are effectively used to find collisions with high probability in hashing algorithms, thus greatly reducing their complexity. The birthday attack is an example of how the processing power behind botnets can supplement mathematical attacks on cryptosystems.