In Part 2 of our series on the dramatic, even historic impact of the Mirai Botnet:
- we took a deep dive into how Mirai was able to take advantage of factory-set passwords to proliferate across the web by recruiting IoT-connected devices
- the capabilities that make Mirai so attractive to DDoS hackers
- how IoT devices, whether consumer-focused or business-based, are equally at risk of infection
- and finally, how to proactively avert an attack of IoT devices (e.g. a retry storm) on your network.
In this, our concluding post of this series, we examine which devices are being targeted by this malware, how to patch and update to prevent hacks, how manufacturers can be compelled to harden security, and what solutions from Pwnie Express can help you to find and detect at-risk IoT devices.
What products are being used to propagate botnets like Mirai?
On September 16, more than a month prior to the DYN-targeted attack by Mirai, renowned and respected site Krebs on Security was the subject of a huge distributed denial-of-service (DDoS) attack. Akamai engineers who protect the site from digital threats like this said it was among “the biggest assaults the Internet has ever witnessed.”
The malware's source code, later dubbed Mirai, was publicly released. Significantly, this source code illustrates which devices were targeted by the botnet, including a list of usernames and passwords. Ultimately, 68 such pairs were discovered in the botnet source code, including those used by products such as routers, security cameras, printers and digital video recorders (DVRs).
As Krebs and others commenting on his blog post about this event have noted, the Achilles’ heel that enables the rise of botnets like Mirai is hard-coded credentials and default usernames and passwords that most users can’t, won’t or don’t know how to change. Interestingly, several IoT device makers called out by Krebs in this post – among them Hikvision, Samsung and Panasonic — are increasingly beginning to require users to come up with unique passwords by default, similar to any other password used online and complete with a blend of upper and lowercase letters, numbers and special characters.
Likewise at risk are IoT devices, mostly in the home, that are configured to operate behind a wired or wireless router. Even these, explains Krebs, can be problematic, as many IoT devices use a technology known as “Universal Plug and Play” (UPnP) that automatically opens ports in the router’s firewall so that the device, even an IoT one, can communicate with the wider Internet. In this case, even Network Address Translation (NAT) may not be enough to stop anyone from recruiting your IoT devices into a larger and potentially more damaging botnet.
While Krebs concedes there’s really no easy or simple way to tell whether any Internet connected device on your network is at risk from being compromised, he does offer up the following Tips and Tricks to consider in order to raise your level of visibility while lowering your level of risk:
- Turn the device off. Yes, reboot the system. Mirai is loaded into memory. As such, it's wiped out when the infected device is disconnected from its power source.
- Change the default password. This protects devices from being rapidly reinfected on reboot. In fact, where possible, Krebs advises resetting the device to the factory-default settings to ensure that if any malware has been uploaded to the device it will be wiped permanently.
- Update firmware. While few vendors make it easy to alert customers to the availability of firmware updates, it’s still a good idea to enable automatic software updates and, where possible, users should also check for firmware updates themselves. Some, though not all, of these updates can be applied through the device’s web-based administration panel or by manually downloading firmware from the manufacturer’s site.
How to patch and update to prevent hacks
Attackers exploit vulnerabilities to gain access and control over devices and then move laterally to gain access to valuable data and systems. Patching and updating devices is a critical aspect of minimizing the surface area of vulnerabilities that attackers can exploit.
IoT introduces a huge number of new devices whose vulnerabilities open up a vast new attack space for attackers. This is why IoT security is so important. Patching and updating IoT devices is a critical aspect of preventing attackers from gaining access to and control over them. One big challenge, however, is that a typical IoT manufacturer is not a software or security expert, and patching and updating is often a lower priority when compared to time to market and cost of the device.
As a result, much of the responsibility for updating Internet-connected devices remains with the user, although that burden may be shifting to manufacturers.
How can manufacturers be forced to harden security? What needs to be done?
This Threatstack post incisively breaks out the responsibilities users, manufacturers and even governments have in responding to and mitigating attacks like Mirai. The fact is that many Internet connected devices are increasingly insecure and at risk, some just waiting to be compromised — or recruited. In turn, this requires manufacturers to proactively step up to do more than sit by and hope their devices will never be involuntarily assimilated into a botnet army. These steps include:
Security needs to be integrated from the outset. Whether it’s within an organization’s infrastructure or IoT devices, manufacturers need to replace the current practice of shipping products that offer consumers no way to upgrade or protect themselves with products that can be upgraded.
Refocus on consumer security. Build that focus into the product development cycle, as it’s generally not a lack of processing power that makes devices vulnerable; rather, it’s a lack of will to build processing power into the devices in the first place. As Threatstack indicates, some manufacturers have already anticipated this need and have included a forced password reset on first login, or generate a random password per device.
Enable stronger credentials. As outlined in this GCN post, one of the easiest fixes from a manufacturer perspective is to enable and require better and stronger credentials, requiring consumers, at first use, to replace preset passwords with their own hard-to-guess ones that simply can’t be reverse-engineered. One example of what to avoid would be a password generated by an algorithm from a discoverable piece of information.
Establish and enforce accountability. The lack of accountability for IoT-based security breaches for manufacturers eventually needs to be addressed. As posited by the CEO of an endpoint security manufacturer, this lack of accountability becomes an economic and market correction issue that, sooner or later, the industry as a whole will have to deal with. It may also become a regulatory issue but that outcome, of course, may still be years away from being enforced.
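The two manufacturer-side controls described above (a random per-device password and a forced change on first login that rejects passwords derived from discoverable identifiers) as an added, illustrative example; this is not code from Pwnie Express, Threatstack or the GCN post, and the DeviceAccount class, the login return values and the sample serial and MAC are assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Iterable

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_device_password(length: int = 16) -> str:
    """Per-device password from a CSPRNG: nothing about it can be
    derived from the serial number, MAC address or any other label."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable(candidate: str, identifiers: Iterable[str], minimum: int = 12) -> bool:
    """Reject short passwords, passwords with too little character
    diversity, and passwords that embed a discoverable identifier."""
    if len(candidate) < minimum:
        return False
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate))
    if sum(classes) < 3:
        return False
    lowered = candidate.lower()
    for ident in identifiers:
        cleaned = ident.lower().replace(":", "").replace("-", "")
        if len(cleaned) >= 4 and (cleaned in lowered or lowered in cleaned):
            return False
    return True


@dataclass
class DeviceAccount:
    """Hypothetical first-boot account state for one shipped device."""
    serial: str
    mac: str
    password: str = field(default_factory=generate_device_password)
    must_change: bool = True  # forced reset on first login

    def login(self, password: str, new_password: str = None) -> str:
        # Constant-time comparison so timing does not leak the password.
        if not secrets.compare_digest(password, self.password):
            return "denied"
        if self.must_change:
            if new_password is None or not is_acceptable(new_password, [self.serial, self.mac]):
                return "change-required"
            self.password, self.must_change = new_password, False
            return "changed"
        return "ok"
```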
Is there a solution that will find and detect these IoT devices?
As a matter of fact, there is :)
Whether they’re connected to your network or they simply arrive under the radar, IoT devices pose a threat to your environment.
Pulse Device Threat Detection provides the ability to detect all wired, wireless and Bluetooth devices on your networks as well as those not directly connected to them. Pulse also tracks all devices — their configurations, their vulnerabilities, their connection history — essentially the behavior of these devices and what they connect to.
Pulse also provides threat detection that identifies high risk devices in your environment including malicious devices, highly vulnerable devices, or even misconfigured devices. For example, Mirai leveraged an open Telnet service on IoT devices to gain access and control over them — a highly vulnerable service that should not be running on any device.
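Two signs of the Telnet behaviour described above, run over constructed firewall log lines, as an added example that is not Pulse code or any Pwnie Express tool: a local device fanning out Telnet connection attempts to many external hosts (an infected device looking for new recruits), and an external host being allowed in to a local device's Telnet port (an exposed service). The log format, the local network range and the fan-out threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

TELNET_PORTS = {23, 2323}
LOCAL_NET = ip_network("192.168.1.0/24")  # assumed: the defender's own range
LOG_RE = re.compile(r"action=(?P<action>\w+) proto=tcp src=(?P<src>[\d.]+) sport=\d+ "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Constructed sample: .50 sprays Telnet at seven external hosts and is also
# reachable from outside on port 23; .10 and .20 behave normally.
SAMPLE_LOG = """\
2016-10-21T12:00:01Z action=allow proto=tcp src=192.168.1.10 sport=50101 dst=203.0.113.80 dport=443
2016-10-21T12:00:02Z action=allow proto=tcp src=192.168.1.50 sport=51001 dst=203.0.113.7 dport=23
2016-10-21T12:00:02Z action=allow proto=tcp src=192.168.1.50 sport=51002 dst=203.0.113.8 dport=23
2016-10-21T12:00:02Z action=allow proto=tcp src=192.168.1.50 sport=51003 dst=198.51.100.21 dport=2323
2016-10-21T12:00:03Z action=deny proto=tcp src=192.168.1.50 sport=51004 dst=198.51.100.22 dport=23
2016-10-21T12:00:03Z action=allow proto=tcp src=192.168.1.50 sport=51005 dst=198.51.100.23 dport=23
2016-10-21T12:00:03Z action=allow proto=tcp src=192.168.1.50 sport=51006 dst=203.0.113.9 dport=23
2016-10-21T12:00:04Z action=allow proto=tcp src=192.168.1.50 sport=51007 dst=203.0.113.10 dport=2323
2016-10-21T12:00:05Z action=allow proto=tcp src=192.168.1.20 sport=51008 dst=203.0.113.7 dport=23
2016-10-21T12:00:09Z action=allow proto=tcp src=198.51.100.99 sport=40000 dst=192.168.1.50 dport=23
2016-10-21T12:00:10Z action=deny proto=tcp src=198.51.100.98 sport=40001 dst=192.168.1.20 dport=23
"""


def parse(line):
    """Return the fields of one log line, or None for unparseable lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"action": m["action"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def analyze(lines, fanout_threshold=5):
    fanout = defaultdict(set)   # local source -> distinct external Telnet targets
    exposed = defaultdict(set)  # local target -> external sources allowed in on Telnet
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dport"] not in TELNET_PORTS:
            continue
        src_local, dst_local = ip_address(rec["src"]) in LOCAL_NET, ip_address(rec["dst"]) in LOCAL_NET
        if src_local and not dst_local:          # denied attempts still count as scanning
            fanout[rec["src"]].add(rec["dst"])
        elif dst_local and not src_local and rec["action"] == "allow":
            exposed[rec["dst"]].add(rec["src"])
    scanners = {h: len(t) for h, t in fanout.items() if len(t) >= fanout_threshold}
    return {"scanners": scanners, "exposed_telnet": {h: sorted(s) for h, s in exposed.items()}}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```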
In other words, even if you have taken each of the precautions included in this series of posts, you still may find yourself at risk from your IoT devices joining a botnet army. While there is not yet a silver bullet to eliminate all or even most risk from compromised IoT devices (YET!), by partnering with professionals you can capably and for the long-term establish a defensive posture that repels distributed denial of service attacks from your own network or Internet connected devices as well as those knowingly (or unknowingly) brought into your environment.