Understanding IoT botnets

If you were online on Friday October 21st, you were probably affected by the DDoS attack against managed DNS provider Dyn.

Dyn observed that tens of millions of IP addresses participating in the attack were from IoT devices infected by the Mirai botnet. But what exactly is an IoT botnet? What was so different about this DDoS attack and why does it have security professionals so worried?

A botnet is a collection of connected devices which have been infected with malware that allows an attacker to gain remote control and coordinate their actions. Attackers most commonly use their botnets to launch DDoS attacks, but they can also be used to send spam emails, sniff out sensitive passwords, or spread ransomware.

Botnets are created when a victim’s computer or Internet-connected device is infected with a botnet virus or worm. Some botnets are able to self-propagate, finding and infecting vulnerable hosts automatically. Other botnets require a user to unknowingly infect their own computer by installing malware.

IoT offers a new avenue of attack

The rapid proliferation of IoT devices and their lack of security opens up a brand new avenue for botnet creators, and we are now starting to experience the resulting impact. The Mirai botnet that took down Dyn is believed to be created with the same malware that launched two record-setting DDoS attacks in September against the KrebsonSecurity.com and French webhost OVH.

The Mirai botnet follows the same formula of most botnet malware by performing two main functions; growing the botnet by finding and infecting more vulnerable hosts, and launch DDoS attacks using the infected hosts. Where Mirai and other IoT botnets differ from traditional Windows-based botnets though is their devastating effectiveness in spreading to a huge number of IoT device hosts.

In comparison to traditional Windows-based botnets, IoT botnets flourish thanks to a lack of security by design with most IoT devices. Many IoT manufacturers don’t have experience securing network connected devices and often opt for off-the-shelf, embedded operating systems without default settings and exposed network services.

To cap it off, the simplistic designs and functions of most IoT devices lead to users configuring them with the default or easily guessed passwords, leaving them wide open to brute-force takeovers by attackers. When consumers connect these IoT devices directly to the internet (an unfortunately common practice with IoT security cameras for example) they become exposed to every vulnerability and botnet scanner in use.

To make matters worse, it’s very difficult to tell when an IoT device had been infected with botnet malware. With personal computers, the user can typically discover a malware infection through normal use when the machine begins behaving erratically or issues with host-based antivirus detection start to crop up. But users usually interact with IoT devices through a limited web-based GUI rather than accessing the embedded OS, so this lack of interaction allows botnet infections to go unnoticed for extended periods of time.

How Mirai works

The creator of the Mirai botnet recently released the source code for command and control server and the botnet client itself, allowing us a look into exactly how this malware functions. When a host becomes infected by Mirai, the malware starts by killing all other competing malware infections on the device, probably to free up resources for more effective attacks from the infected host.

Mirai then uses the infected host to scan for other vulnerable hosts on the internet and attempts to gain access using a brute force dictionary attack of common usernames and passwords. Once it gains access to a vulnerable host, it installs the Mirai malware and adds the new host to the botnet. While self-propagating, Mirai also checks in with a Command and Control server for instructions and then launches DDoS attacks against designated targets.

IoT botnets are here to stay

Attackers will likely invest more resources into taking over the hordes of IoT devices added to the Internet every day. Industrial IoT device manufacturers need to use the recent attacks as a wakeup call to refocus on securing their products. At a minimum, manufacturers should remove unnecessary network services and include ways to easily or automatically patch security vulnerabilities in their products.

IoT consumers should treat their devices similarly to their personal computers when it comes to security best practices. Here are a few simple steps you can take to make your new smartwatch or connected home gadget more secure:

• Avoid connecting IoT devices directly to the internet without a firewall.
• Remove the default password for your devices and set strong, hard to guess passwords.
• Update the firmware on your IoT devices regularly if your manufacturer releases security patches.

It will take a combined effort of manufacturers and consumers to slow the spread of IoT botnet malware, but it is possible. Until then though, the October 21st Dyn attack may be just the start of things to come.