The idea of an Internet of Things (IoT) botnet is nothing new in our industry. In fact, the threat has been discussed for many years by security researchers. It has only now gained public attention due to the release and rampage of the Mirai botnet. Since Mirai broke the 1Tbps mark in late 2016 the IoT threat has become a popular topic of conversation for many industries that utilize connected devices. Not only are companies worried about if their devices are vulnerable but they are also worried if those devices can be used to launch a DDoS attack, one possibly aimed at their own network.
There have been two key outcomes since the publication of the Mirai’s source code. One is that it has given everyone the ability to easily build and customize their own IoT botnet. Second is that it has created demand for a security standard for IoT devices. Most of these IoT devices are infected within minutes of being connected to the internet and most users do not know how to secure the devices themselves.
Spreading the epidemic.
Digital vending solutions and kiosks around the world are rapidly becoming more advanced. Some of these devices are connected to the internet with a mobile router so they can help improve accuracy and efficiency of the service by collecting and storing data. Companies using this new technology can connect to these devices to view sales reports, check inventory and monitor service issues. Unfortunately, in a rush to connect everything some of these devices used for remote monitoring have been found to have multiple vulnerabilities including weak credential management. This left these new smart solutions exposed online to attackers.
Botnets like qBot, Hajime, Mirai and others target these smart solutions by using scanners designed to locate connected devices with exposed ports and default credentials. Once infected these devices look to spread their malware and persistently target more and more devices every day. The IoT botnet scanners will look for vulnerable devices connected to the internet and attempt to gain access by brute forcing the login with a set of default passwords. Once it gains privileged access it will load the malicious source code appropriate to the architecture and enslave the device into the botnet.
Since we started tracking the Mirai botnet we have monitored 2,790 attacks, most of which are basic UDP flood and DNS water torture attacks. When Mirai was released, the scanner included 61 default passwords. All a bot herder has to do is collect and add more default credentials from other manufacturers to a scanner and they will be able to enslave new devices into their botnet.
Why is this happening?
The problem with IoT devices is that they are always on, 24/7, and can produce large scale attacks when infected. Unlike a PC botnet, when an IoT bot herder wants to launch an attack, they will have most of the infected devices online and ready to go. The increase of available devices participating in an IoT attack, in combination with faster internet connections, can result in massive 1Tbps DDoS attacks. These devices are scanned, targeted and infected within minutes of being activated and connected, and are attacked hundreds of times a day by other IoT devices that have already been infected.
IoT devices are sold vulnerable in the form of number of services and ports that are open by default. Users who don’t know to change default passwords immediately will hardly be able to know how to reconfigure the device and close specific ports.
IoT devices are sold with very weak credentials. They are often root:root or admin:admin and are hardly ever changed by the end user when deployed. Once these devices become infected, the malware will change the default password to prevent the user from logging in and to prevent other attackers from taking over their infected bots.
Since the publication of Mirai, a number of attackers have deployed their own IoT botnets and are actively scanning and looking for new victims. Even just a botnet with a few thousand infected IoT devices could cause major problems for businesses – from mere resource consumption to significant service degradation or even a complete outage. Even worse, DDoS-for-Ransom groups are now using IoT botnets like Mirai as intimidation in their ransom notes.
The IoT threat is a serious one but one that can be simply resolved. While it’s almost impossible to educate everyone on how to change their user name and passwords on these devices, it is possible for manufacturers to incorporate security features into the design and production of these devices, in particular security telnet communication and its associated ports. Default passwords must be random and users should be advised with simple instructions on how to change them.
We also recommend home users take these four steps to better prepare:
• Stay current – Update firmware and software regularly
• Authentication – Use unique credentials for each device
• Configuration – Close unnecessary ports and disable unnecessary services
• Segment – Create separate network zones for your IoT systems
Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses in on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.