Post-Mirai, how to better protect your IoT devices

Get clued up about the internet of insecure things.

Yasin Soliman

Post-Mirai, how to protect your IoT devices

Our interconnected world

Connected cities, networked cars and smart fridges. A composite mesh of gadgets and components which talk to us over the internet, the Internet of Things (IoT) has been around for some time – albeit in a fragmented fashion.

The 1980s saw thoughts on connecting “everything from home appliances to entire factories” described in the IEEE Spectrum magazine, along with valuable work on vehicle identification from MIT. British technologist Kevin Ashton first coined the IoT term while working at MIT’s “Auto-ID Labs” in 1999.

Abstract visions of amalgamation have prompted huge development in the IoT realm; smart grid technology hopes to pave the way for a truly interconnected world. Gartner estimates that there will be over “20 billion devices” on the Internet of Things by 2020.

Sign up to our free newsletter.
Security news, advice, and tips.

However, the technological impact of these developments is already becoming clear; ARIN became exhausted of IPv4 addresses in the summer of 2015. We see how dynamic systems and IoT services have accelerated the world’s transition to IPv6.

Skepticism and concerns

Put aside the mountain of buzzwords and pipe dreams for a moment – with cutting-edge developments come new challenges. IoT has prompted concerns not just in the environmental and societal realms, but in design, privacy and information security.

Likely due to the influx of horrendous Kickstarter IoT projects and vendor malpractice, I remain skeptical as to the benefits of convergence. Even though some smart devices and “Big Data” have credible use cases, IoT is being developed in haste.

Security considerations are being shunted aside in favour of shiny Wi-Fi enabled toasters and motion-sensing DVR units. Malicious actors have prepared for a time where IoT is permeating fields such as healthcare, education and automotives. We must move with the times.

In today’s article, we’re going to look at the Mirai botnet before going over a handful of tips on how you can stay safe.

Mirai: a real-world case study

The website of cybercrime blogger Brian Krebs came under attack on September 20th. A distributed denial-of-service (DDoS) clocking in at 620 Gbps, the attack was “launched almost exclusively by a very large botnet of hacked devices.”

From skimmers to spam, Brian’s in-depth research and analysis is always a must-read. It’s great that KrebsOnSecurity is now up and running under the protection of Google’s Project Shield; check out his post on The Democratisation of Censorship for a full discussion.

But just because Krebs managed to secure himself doesn’t mean others could escape Mirai’s wrath.

On Friday, another devastating DDoS attack against the Dyn domain name service disrupted access to some of the world’s most popular websites.

The core botnet behind the attacks is Mirai, named after the Japanese word for “future”; several instances of reference to “anime pop culture” also surfaced in the earlier release of Mirai’s source code.

Researchers such as @MalwareTechBlog, Akamai Security and the team at Incapsula are working hard on comprehensively examining Mirai’s inner workings.

The Incapsula research is complemented by an array of graphs and diagrams; most notably the map of infected devices ensnared by Mirai. As we have seen, Mirai spreads to smart devices by identifying those with hardcoded credentials, factory default passwords and some vulnerability to classic exploits.

Tips on staying safe

Change default device passwords

Graham Cluley’s article earlier this month on the “60 dumb passwords that can hijack over 500,000 IoT devices” forms the basis of my first tip. If you’ve got any IoT devices at home or work, find out if the default credentials are still in use.

Hopefully the user manual or online documentation provides some insight into how to change these; some devices might have a separate “remote access” password (which allows a malicious actor to log in via SSH).

Avoid a single point of failure

One vulnerable device could allow an attacker to penetrate your home network and pivot to other devices. Keep passwords complex and unique to minimise the effect that a single compromise could have.

Keep your devices at home

If you haven’t got permission from your employer’s IT department, avoid connecting smart devices to the office network. This is a huge shadow IT concern which could lead to major ramifications if an issue arose.

Look out for UPnP

Check for “Universal Plug and Play” features and turn these off. Prevalent on older smart gadgets, UPnP often surfaces as a default option on IoT device web interfaces.

Check software updates and patches

Finally, keep your IoT devices updated with the latest vendor firmware. If you’ve decided to purchase a new smart device, take a moment to check for updates and install anything applicable – avoid opting for “Remind Me Later.”

Researcher at heart, Yasin Soliman lives and breathes information security. You can find him on Twitter at @SecurityYasin.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.