botnets.

Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data

Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.

On September 20, 2016, Brian Krebs’ security blog (krebsonsecurity.com) was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website.[3]

In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4]

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5] Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7]

With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary’s collection point in a back-end application.

Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.

Mitigation

In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware [8].
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. See US-CERT Tip Choosing and Protecting Passwords for more information.
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.[9]
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.[10]
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.


US-CERT Alerts

Internet of Things devices are starting to pose a real threat to security for the sensible part of the web, Akamai's chief security officer Andy Ellis has told The Register.

Speaking in the aftermath of the large DDoS against security journalist Brian Krebs, Ellis elaborated a little on the makeup of the botnet which took down Krebs' website, saying it was mostly made up of hacked Internet of Things devices.

“We've noticed a strong overlap between the attack … and one of the botnets that we have been working at in modelling,” Ellis told El Reg, as he named the Kaiten malware as one of the vectors involved in the Krebs attack.

Kaiten has long been known as a source of IRC-controlled DDoS attacks. While the original chiefly targeted routers, this latest version also “targets DVRs and some cameras” according to Ellis.

During the attack against Krebs, Akamai jettisoned him from their DDoS mitigation service with two hours' notice. Krebs was a pro bono customer and the sheer volume of traffic – 620Gbps – threatened to affect services for Akamai's paying clients. Krebs later said he didn't blame Akamai for taking the action they did, even though Google stepped in with its Project Shield service.

“This is a very concerning thing, looking at the prevalence of IoT and the ability for [the Krebs attackers] to throw around this volume of traffic,” Ellis said. “More research is being done on the adversary side to find out how to better take control of IoT devices, whether by means of a brute force attack using a known and common credential such as the [default] admin password, which gets them into a handful of routers out there, and then [the attackers start] leveraging the bandwidth of these end users.”

The chief problem for DDoS mitigation outfits trying to defend against IoT botnets is that with so many devices potentially falling under the control of miscreants, it is straightforward for the attacker's traffic to masquerade as legitimate web traffic.

“Compromised IoT devices … have the ability to source traffic from the same IP address as a legitimate user,” said Ellis, “which obviously gives the advantage that it stops [attackers] from being trivially filtered. I don't think I'm giving anything away when I say that when you're protecting a web server, any traffic coming in that's not related to web traffic is very deep and easy for you to drop. And the more that an adversary can look like a legitimate user, the more difficult it becomes, the more resources you have to expend to identify that that's an attacker and mitigating it.”

Culture change needed in IoT architecture

Part of the problem is the sheer difficulty of patching and updating IoT devices to take advantage of the latest vuln plugs.

Ellis said: “If you have an iPhone it auto updates in the background and you press OK and it takes care of it for you. We've become so used to that on the internet of general purpose computing devices that when we look at the Internet of Things – or as one of my colleagues likes to call it, Things on the Internet – there aren't devices built into that same robust infrastructure.”

Then he spelled out the painful upgrade process for most current IoT devices:

If I want to patch them, I need to go to the vendor website, hunt for my model of device, download an executable to my desktop and run it, when the executable will open a network hole and patch, upgrade the firmware on my device. You walk through that and to you and I that probably seems like, 'that's painful but at least I understood what it was I was doing'.

For most users that's a really challenging thing. They're not professional systems administrators. Why do we expect them to treat these devices the same way that a systems administrator treats enterprise-class routers?

He also said that IoT devices ought to be “deployed in a fashion that makes them automatically udpate and keep themselves secure all the time.”

As for the Krebs hack, does the widespread use of an IoT botnet mean that the whole concept of IoT security is fatally flawed? Do we need to trash it all and start over?

“We don't know for certain that every machine involved in this was IoT; it's quite possible that the attacker spliced together a botnet including traditionally compromised servers as well as these IoT devices,” Ellis concluded. “Hopefully we'll learn more as we dig through the data.” ®

Sponsored: Application managers: What’s keeping you up at night?


The Register - Security