News

Mirai: The Program That Makes IoT Botnet Zombies

January 05, 2017 by Robin Mitchell

There are malicious individuals creating "zombies" out of internet enabled devices using a program called Mirai. How can engineers and users stop it?

There are malicious individuals creating "zombies" out of internet enabled devices using a program called Mirai. How can engineers and users stop it?

The IoT Army

The Internet of Things is really taking consumers and designers alike to a whole new level of interconnectivity. Devices talk to each other, intelligent systems track your preferences to adapt, data streaming is used for analytical purposes. There are even one-button purchasing systems.

These devices pose next to zero threat on their own for any computer or data center, but a million of these small devices is a cyber army in its own right.

This is exactly what happened in October when an estimated 100,000-strong IoT device network was infected with malware and performed a DDOS attack on a DNS provider that resulted in several websites crashing, including Twitter and Netflix. It is believed that this attack was only possible because IoT devices typically have a default password that is very easy to break if left unchanged.

Most people who own IoT devices are not truly aware of, or appreciate, the seriousness of cyber security. Hackers exploit this ignorance for their own malicious purposes. The attacker(s) responsible for the IoT assault on the DNS server gained access to IoT devices using default passwords and installed a malware program called Mirai.

 

Smart IoT devices will be the next target for hackers in large-scale attacks

 

Mirai is a surprisingly simple, yet effective program which can create an IoT botnet effectively. First, the malware constantly scans the internet for IoT devices while excluding locations including the Department of Defense, the US Postal service, and other government-related sites (to avoid detection by authorities).

Once the program has identified IoT devices, it attempts to gain access using a table of more than 60 common usernames and passwords associated with IoT devices. Once access is achieved, the malware then copies itself to the device, rendering it a zombie in a cyber army. When the hacker is ready to perform an attack, all of the infected devices are given the IP address to attack, which often involves sending junk packets to the IP address.

This might be one of the first large-scale attacks of its kind but it is certainly not the last. With the number of internet-enabled devices expected to triple by 2020, hackers will potentially have access to 21 billion devices which only stresses the importance of security. So how can we as engineers prevent hackers from causing more hassle for everyone? How can individual users mitigate such attacks?

Engineers Are 10% of the Problem

When designing IoT-enabled devices, engineers should consider implementing security techniques that go beyond a default username and password.

As an example, IoT devices can be given a list of IPs that they are specifically allowed to communicate with, implementing IP sanitization after the generation of a request. In other words, Wi-Fi modules can incorporate a co-processor that receives all TCP requests before they are transmitted and compares the requests to a one-time programmed ROM table that determines if the request is to a valid IP or not. If a mismatch is found, then the device could be forced into a “cleansing reboot” which restores the device to factory defaults, effectively removing malware that may have found its way onto the device.

Other methods include the generation of unique usernames and passwords for each device, which is commonly found on BT routers (an effective method for preventing unauthorized access through default usernames and passwords). Specialized software or hardware can be used to detect DDOS attacks and either alert the user of the detection or trigger a factory reset. Implementing such techniques could be the solution to preventing future attacks, but is it fair for the designers to take all the blame? Are current security methods acceptable for preventing attacks with users themselves to blame instead?

 

Designers seriously need to consider security in internet-enabled devices.

Consumers Are 90% of the Problem

It's easy for non-savvy computer users to point fingers at security companies and engineers when security attacks occur. However, it has been estimated that up to 90% of computer attacks are a direct result of social engineering as opposed to security holes and improper design.

Social engineering involves hackers obtaining security information from individuals by gaining their trust or misleading them into giving up confidential information. One classic example is an “IT expert” who calls a computer user on the phone and announces how they are at risk from attack. Using clever language and manipulation, the attacker can obtain information regarding computer ID numbers, serial numbers, login information, and—in the most egregious cases—credit card numbers.

Other forms of exploitation include attachments in emails that many individuals click on without checking whether the email is from a legitimate source (for example, receiving an "IT support" email from instead of ), as well as clicking on links that describe certain body boosting enhancers or winning large sums of money.

 

By following basic security measures, the IoT could be made much more secure and safe

 

Therefore, preventing 90% of cyber attacks could be as simple as educating users who own or operate internet-enabled devices. To help with this, here is a small list of actions that individuals can take to strengthen their security and prevent attacks to both themselves and others:

  1. Use strong login passwords – Use random letters, symbols, and numbers.

  2. Use strong Wi-Fi passwords – It is surprising how many insecure connections there are these days.

  3. Keep all software up-to-date – Updating can potentially fix security flaws in systems.

  4. Don’t open email links – Unless you are expecting an email with a link that you need to use.

  5. Don’t open attachments – Unless you are expecting an attachment, don’t open it.

  6. Don’t subscribe to everything – Unless it's important, don’t sign-up to everything online.

  7. Don’t answer any questions – If you get a phone call about your computer, put the phone down.

  8. Don’t reveal card information – Unless you are purchasing something, don’t do it.

Summary

IoT security is something that has been ignored by most people (that includes engineers and consumers), which is why IoT attacks and botnets have already begun to emerge. If these attacks continue and are not addressed by developers and consumers alike, it will not be long before government intervention kicks in to mitigate the issue. Government regulation could arguably lead to more problems concerning restrictions on innovation and exploitation of privacy, which is why it is important that everyone takes responsibility for their own security.

So next time you purchase a smart toaster, ESP8266 module, or any IoT device for that matter, just think about how you can ensure that your device does not contribute to attacks that lose people money and services. An ounce of prevention is worth a pound of security.

3 Comments
  • Wiky5 January 05, 2017

    Nice article!
    What is your opinion on securing a wifi network with MAC filtering and a password? Is it overkill, good enough, a bad idea?

    Like. Reply
    • Robin Mitchell January 05, 2017
      Thanks for the read! MAC filtering would not help against an IoT attack (specifically, outbound communication) because the device would be listed as one of the allowed MACs. Best thing to do is ensure that your IoT device has a very strong password. Also, try to find out if there is a "reset" password or engineering code that allows for a complete reset of the device. If it does, find out if it can be changed. A classic example is home security systems. If the engineering code is left unchanged then someone breaking in can simply reset the system and enter a new passcode in seconds!
      Like. Reply
    • R
      RobTX January 19, 2017
      No, MAC addresses are readily visible in any over-the-air capture utilities and a MAC address, although burned into the wireless card's firmware from the factory, is easy to manually set on an interface so as to spoof an allowed host's MAC. Also, there is no point in hiding an SSID since it is also easily captured and hiding it only inconveniences the legitimate users. That said, always opt for WPA2 with AES encryption, with a pre-shared key (PSK) if that is all you're able to support, or opt for WPA2/AES with Enterprise RADIUS since it involves dynamic rekeying and per-user/per-machine authentication and authorization. If you go with WPA2-PSK, then make a habit of using long, really obscure string as the key and commit to changing it once a quarter. Do NOT use WPA(1) or TKIP, even as fallback to AES, nor WEP, as these have all been exploited for years now. Having a means to fallback to support legacy clients sounds good but you are sacrificing your entire security foot print to support a device, NIC, or router/AP which has outlived its usefulness and cannot be much of an expense to replace. HTH! I think designers could go a long way to deprecate some of these legacy features which are insecure although that depends upon users to know how to, care to, and faithfully execute firmware upgrades on an ongoing basis, but I digress...
      Like. Reply