When the ‘Things’ in the ‘Internet of Things’ become weaponised

At a recent forum, I was asked a very simple question: “Is it really ‘that’ important to secure our IoT devices?” Whilst the answer may seem quite obvious, the real question is why? Why is it ‘that’ important to secure our IoT devices? What could possibly go wrong with insecure deployments?

In late September, the Internet experienced one of the largest Distributed Denial of Service (DDoS) attacks on record. Just like so many DDoS attacks before it, this attack was powered by sophisticated malware. The malware not only caused costly disruptions to a number of websites; mutations of it have also knocked an entire country, Liberia, offline.

So what makes this malware stand out from previous attacks, and what does this have to do with the question of ‘Why is it so important to secure our IoT devices?’ In response to the first part of the question, the significant difference with this malware is that the Mirai botnet not only contains hundreds of thousands of infected devices, it also contains hundreds of thousands of infected ‘Internet of Things’ devices.

In order to answer the second part of the question, ‘Why is it so important to secure our IoT devices?’, one of our Cyber Security Consultants has examined the source code of the Mirai malware, and subsequently connected vulnerable devices insecurely to the Internet for a 12-hour period in order to fully understand how significant the real-world risk is to businesses who have devices which are not securely connected.

The following findings were identified over the twelve-hour period during which our vulnerable ‘Internet of Things’ devices were connected to the Internet:

  • The first identified Mirai infection took only 6 seconds!
  • 18 unauthorised login connections were successfully made to the IoT devices within the first 30 seconds of insecurely connecting the devices.
  • In the first 60 seconds of insecurely connecting the IoT devices, 22 infections were successful.
  • In total, 2749 unauthorised connections were successfully made, 2678 of which contained the Mirai malware, or a mutated form of the malware.
  • Only 4 unauthorised connections, equating to 0.15% of all connections, were identified as being made by human attackers.
  • 99.85% of connections were automated or scripted.
  • Over the period of the research, identified Mirai malware infections came from a total of 22 different countries, with the Republic of Korea and Russia being the greatest sources of unique IP addresses.
  • A total of sixty-two (62) different username and password combinations are hardcoded into the Mirai malware. The majority of the identified passwords are considered default manufacturer credentials for IoT devices.
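
Measurements like those listed above can be derived from a honeypot's session log. The following is an added example, not code from the original research: the log format, the sample lines and the one-second typing threshold used to separate scripted from interactive sessions are assumptions made for illustration, and it counts successful logins only (it does not identify Mirai itself).

```python
from datetime import datetime
from statistics import median

# Constructed sample data in a hypothetical log format:
# timestamp, source IP, event, gaps between commands in seconds ("-" = none)
EXPOSED_AT = datetime.fromisoformat("2016-11-01T00:00:00")
SAMPLE_LOG = """\
2016-11-01T00:00:06 198.51.100.7 login_ok 0.02,0.01,0.03
2016-11-01T00:00:19 203.0.113.40 login_fail -
2016-11-01T00:00:27 203.0.113.40 login_ok 0.01,0.02
2016-11-01T00:00:58 192.0.2.15 login_ok 0.05,0.04,0.02
2016-11-01T00:14:10 192.0.2.99 login_ok 4.8,11.2,7.5
2016-11-01T00:20:00 198.51.100.7 login_ok 0.02,0.02
"""
HUMAN_GAP_S = 1.0  # assumption: a median gap above this suggests a person typing


def parse(log):
    """Yield (seconds since exposure, source IP, event, command gaps)."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, event, gaps = line.split()
        offset = (datetime.fromisoformat(ts) - EXPOSED_AT).total_seconds()
        delays = [] if gaps == "-" else [float(g) for g in gaps.split(",")]
        yield offset, ip, event, delays


def is_scripted(delays):
    """Sessions with no commands, or machine-speed commands, count as scripted."""
    return not delays or median(delays) < HUMAN_GAP_S


def summarise(log):
    """Compute exposure metrics over successful logins only."""
    ok = [r for r in parse(log) if r[2] == "login_ok"]
    if not ok:
        return {"total_logins": 0}
    return {
        "first_login_s": min(r[0] for r in ok),
        "logins_30s": sum(r[0] <= 30 for r in ok),
        "logins_60s": sum(r[0] <= 60 for r in ok),
        "total_logins": len(ok),
        "unique_sources": len({r[1] for r in ok}),
        "scripted_pct": round(100 * sum(is_scripted(r[3]) for r in ok) / len(ok), 2),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```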

While I expected to see some number of infections during our research, I was not prepared for the number of infections which would occur over such a short period of time. Initially I defined the window of testing as a period of two weeks; however, this was dramatically reduced to twelve hours once the obscene volume of malware and infection attempts was realised.

Without question, the results clearly showed that the current real-world risk to businesses is significant. Insecurely connecting ‘Internet of Things’ devices will result in immediate infection and subsequent unauthorised control by a malicious actor.

What can I do if I suspect my device/s may be infected?

  • Disconnect any device from the network and reboot the device. The Mirai malware is resident in the device's memory, and as such rebooting the device will clear the malware.
  • Once rebooted, immediately log onto the device and change the default manufacturer password to a strong and complex password.
  • Disable remote administration on the device from the Internet.
  • Before reconnecting the device, determine whether the device actually needs to be directly connected to the Internet. Adhere to best practices when placing devices into segmented and protected network zones.
  • Harden networks against DDoS attacks.
  • Use internal capability, or engage a reputable IoT security specialist, to perform a discovery and security assessment of your IoT or OT environments.

Mirai has seen the Internet of Things battlefield change significantly, and whilst we continue to experience the adoption of connecting ‘things’ to the Internet grow at a substantial rate, it is safe to say we have only just begun to understand the destruction which can be caused when the Internet of Things becomes weaponised.