#WednesdayWisdom: Protect your IoT devices from becoming part of a botnet

Threat Intel
Published in Threat Intel
4 min read · Nov 2, 2016

Welcome to Threat Intel’s #WednesdayWisdom column, a weekly read to help improve your cybersecurity knowledge and keep you informed on important developments.

The Internet of Things (IoT) has been in the spotlight lately, but not for positive reasons.

It has attracted a lot of attention because many IoT devices have been exploited to build botnets that carry out distributed denial of service (DDoS) attacks. The most recent high-profile example is the Mirai botnet, which has been used to carry out a number of notable attacks. These attacks were made possible by the weak security of many IoT devices.

What is a botnet?

A botnet is an interconnected network of devices, infected with malware without the user’s knowledge and controlled by a bot ‘herder’ or ‘master’. They can be used to send spam emails, transmit malware, or carry out DDoS attacks.

Your malware-infected IoT device, to its bot ‘master’

Previously, a botnet was made up of infected computers, but since the dawn of the Internet of Things, attackers have a wider range of devices to choose from: internet-connected webcams, DVRs, and routers can all be exploited by attackers.

Mirai first came to notice following an attack on Krebs on Security, the website of security journalist Brian Krebs. A huge DDoS attack against the site reached 620 Gbps, the biggest DDoS attack recorded at that time, but this record was quickly surpassed by an attack on French hosting provider OVH, which also leveraged Mirai. This attack peaked at 1 Tbps.

The source code for Mirai was publicly released on hacking community Hackforums on September 30.

It was then utilized in a huge attack against DNS provider Dyn that took down much of the internet for a time — including websites such as Netflix, Spotify, and PayPal.

CCTV cameras are believed to have been the device primarily used to attack OVH, while webcams infected with Mirai are thought to be the primary device used in the Dyn DDoS attack.

One way to get attention is to interrupt viewers’ Gilmore Girls or Narcos marathons. For most people, the Dyn attack was the first time they became aware of the danger that IoT presents.

Netflix going down inspired some people to find out more about the DDoS attack that led to it

DDoS attacks work by overwhelming a website with traffic, to the point where its servers cannot cope and it’s forced offline. IoT devices are particularly convenient for attackers looking to carry out DDoS attacks, as the security on them tends to be weak at best, if not non-existent.

Whereas once attackers had to overcome the many security systems of personal computers to establish botnets, the ease of hacking IoT devices has made life a lot easier for hackers with malicious intent.

Why is IoT rich pickings for hackers?

IoT devices are a hacker’s dream for a few reasons. Processing power limitations and basic operating systems mean many of them don’t have advanced security features. As they are often designed to be plugged in and forgotten about, owners often don’t apply security updates. It’s easy for infections on such devices to go unnoticed, as they rarely affect the device’s operation.

Recent research by Symantec indicated that default user names and passwords for IoT devices are often never changed.

Attackers are wise to this and now often pre-program their malware with commonly-used user name and password combinations.

Mirai, for example, is pre-programmed to try a list of at least 62 user name and password combinations, most of which are commonly used default credentials for IoT devices.

Clearing an IoT device of malware can often be as simple as restarting it. However, data from Symantec shows that the average IoT device is scanned by attackers every two minutes. This means that a vulnerable device could be compromised within minutes of going online and, if you restart your device but don’t change your password, it could be re-infected within a matter of minutes.
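The two-minute scan interval above is something you can measure for yourself on the perimeter. The following is an added example, not code from the article or from Symantec: it parses a few constructed, syslog-style firewall DROP lines (the line format is an assumption), keeps only inbound attempts against the Telnet port, and reports how many probes arrived, from how many distinct sources, and the average gap between them, so a device owner can see whether an exposed Telnet service is under steady probing.

```python
"""Measure inbound Telnet (TCP/23) probing from firewall log lines.

Added example for this article. The log format, the sample addresses and
the 120-second threshold are constructed assumptions, not Symantec data.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: inbound connection attempts dropped on the WAN
# interface of a home router (documentation-range addresses).
SAMPLE_LOG = """\
2016-11-02T10:00:05Z DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41232 DPT=23
2016-11-02T10:01:50Z DROP IN=eth0 SRC=198.51.100.22 DST=203.0.113.10 PROTO=TCP SPT=53011 DPT=23
2016-11-02T10:02:10Z DROP IN=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP SPT=55555 DPT=443
2016-11-02T10:03:40Z DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41233 DPT=23
2016-11-02T10:05:35Z DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=60001 DPT=23
2016-11-02T10:07:30Z DROP IN=eth0 SRC=198.51.100.22 DST=203.0.113.10 PROTO=TCP SPT=53012 DPT=23
"""

# Assumed line layout: ISO timestamp, action, interface, src/dst, proto, ports.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP IN=\S+ SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)$"
)


def parse_telnet_probes(log_text, telnet_port=23):
    """Return a list of (timestamp, source) for inbound attempts to telnet_port."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) != telnet_port:
            continue  # unparseable line, or traffic to some other service
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        probes.append((ts, m.group("src")))
    return probes


def probe_statistics(probes):
    """Summarise probe activity: count, distinct sources, mean gap in seconds."""
    sources = Counter(src for _, src in probes)
    stats = {"count": len(probes), "sources": len(sources),
             "top_sources": sources.most_common(3), "mean_gap_s": None}
    if len(probes) >= 2:
        times = sorted(t for t, _ in probes)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats["mean_gap_s"] = sum(gaps) / len(gaps)
    return stats


def under_steady_probing(stats, threshold_s=120):
    """True when probes arrive, on average, faster than the threshold (assumed 2 min)."""
    gap = stats["mean_gap_s"]
    return gap is not None and gap < threshold_s


if __name__ == "__main__":
    s = probe_statistics(parse_telnet_probes(SAMPLE_LOG))
    print(s)
    print("steady probing:", under_steady_probing(s))
```

Run against real router or firewall logs, the same statistics tell you whether closing Telnet (or at least blocking it from the WAN side) is urgent: if probes arrive faster than you can reboot and reconfigure a device, rebooting alone buys you nothing, which is exactly the re-infection scenario the paragraph describes.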

So, how can I stop my IoT device becoming part of a botnet?

  • Research the capabilities and security features of an IoT device before purchase
  • Perform an audit of IoT devices used on your network
  • Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password”
  • Use a strong encryption method when setting up Wi-Fi network access (WPA)
  • Many devices come with a variety of services enabled by default. Disable features and services that are not required
  • Disable Telnet login and use SSH where possible
  • Modify the default privacy and security settings of IoT devices according to your requirements and security policy
  • Disable or protect remote access to IoT devices when not needed
  • Use wired connections instead of wireless where possible
  • Regularly check the manufacturer’s website for firmware updates
  • Ensure that a hardware outage does not leave the device in an insecure state
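Several of the items above (the device audit, default credentials, strong passwords, Wi-Fi encryption, disabling Telnet and unneeded remote access, firmware updates) can be checked mechanically once you have an inventory of what is on your network. The code below is an added example, not a Symantec tool or code from the article: it audits a constructed inventory of two devices against those checklist items. The inventory schema, the vendor-default values, the finding names and the 12-character minimum length are assumptions; the blocklist holds only the two passwords named in the article.

```python
"""Audit an IoT device inventory against the hardening checklist.

Added example for this article. Inventory fields, finding names and the
length threshold are assumptions made for illustration.
"""

# Constructed inventory: one record per device, as an owner might keep it
# after auditing the devices on the network. "vendor_default" is the
# factory password printed in the manual (assumed values).
INVENTORY = [
    {"name": "cctv-front", "vendor_default": "admin", "password": "admin",
     "telnet": True, "ssh": False, "remote_access": True,
     "wifi_security": "WEP", "firmware": "1.0.2", "latest_firmware": "1.0.9"},
    {"name": "dvr-livingroom", "vendor_default": "12345", "password": "Gx7!pq-Lm2$v",
     "telnet": False, "ssh": True, "remote_access": False,
     "wifi_security": "WPA2", "firmware": "3.4.1", "latest_firmware": "3.4.1"},
]

COMMON_PASSWORDS = {"123456", "password"}   # the two examples the article names
WEAK_WIFI = {"WEP", "open", None}            # anything below WPA counts as weak
MIN_PASSWORD_LEN = 12                        # assumed policy value


def audit_device(dev):
    """Return the list of checklist findings for one device (empty = clean)."""
    findings = []
    pw = dev["password"]
    if pw == dev["vendor_default"]:
        findings.append("default-credentials")
    if pw.lower() in COMMON_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
        findings.append("weak-password")
    if dev["telnet"]:
        findings.append("telnet-enabled")          # prefer SSH, disable Telnet
    if dev["remote_access"]:
        findings.append("remote-access-enabled")   # disable or protect when not needed
    if dev["wifi_security"] in WEAK_WIFI:
        findings.append("weak-wifi-encryption")
    if dev["firmware"] != dev["latest_firmware"]:
        findings.append("firmware-outdated")
    return findings


def audit_inventory(inventory):
    """Map each device name to its findings."""
    return {dev["name"]: audit_device(dev) for dev in inventory}


def devices_needing_action(inventory):
    """Names of devices with at least one finding, for a to-do list."""
    return sorted(name for name, f in audit_inventory(inventory).items() if f)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

The point of writing the checklist down as code is that it gets re-run: after a firmware update or a factory reset (which silently restores the vendor default password), the same audit immediately shows which items have regressed.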

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.


Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.