When the ‘Things’ in the ‘Internet of Things’ become weaponised

At a recent forum, a very simple question was put to one of our Cyber Security Consultants: “Is it really ‘that’ important to secure our IoT devices?” Whilst the answer may seem quite obvious, the real question is why. Why is it ‘that’ important to secure our IoT devices? What could possibly go wrong with insecure deployments?

In late September, the Internet experienced one of the largest Distributed Denial of Service (DDoS) attacks on record. Just like so many DDoS attacks before it, this attack was powered by sophisticated malware, which not only saw a number of websites experience costly disruptions, but has also seen mutations of the malware knock an entire country, Liberia, offline.

So what makes this malware stand out from previous attacks, and what does this have to do with the question ‘Why is it so important to secure our IoT devices?’ In response to the first part, the significant difference with this malware is that the Mirai botnet not only contains hundreds of thousands of infected devices, but that those infected devices are ‘Internet of Things’ devices.

In order to answer the second part of the question, ‘Why is it so important to secure our IoT devices?’, one of our Cyber Security Consultants examined the source code of the Mirai malware, and subsequently connected vulnerable devices insecurely to the Internet for a 12-hour period in order to fully understand how significant the real-world risk is to businesses that have devices which are not securely connected.

The following findings were identified over the twelve hour period our vulnerable ‘Internet of Things’ devices were connected to the Internet:

  • The first identified Mirai infection took only 6 seconds!
  • 18 unauthorised login connections were successfully made to the IoT devices within the first 30 seconds of insecurely connecting the devices.
  • In the first 60 seconds of insecurely connecting the IoT devices, 22 infections were successful.
  • In total, 2749 unauthorised connections were successfully made, 2678 of which contained the Mirai malware, or a mutated form of the malware.
  • Only 4 unauthorised connections, equating to 0.15% of all connections, were identified as being made by human attackers.
  • 99.85% of connections were automated or scripted.


  • Over the period of the research, identified Mirai malware infections came from a total of 22 different countries, with the Republic of Korea and Russia being the greatest sources of unique IP addresses.


  • A total of sixty-two (62) different username and password combinations are hardcoded into the Mirai malware. The majority of the identified passwords are considered default manufacturer credentials for IoT devices.

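As an added example (not part of the original research or any RIoT Solutions tooling), the following Python script computes the kind of figures listed above from honeypot login records: time to first infection, early-window counts, the scripted-versus-human split, and source countries by unique IP. The log lines, their field layout, the exposure start time and the “slow login means a human” heuristic are all constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample honeypot records (not real data), one login per line:
# "<ISO time> <source IP> <country> <ms from connect to login> <mirai payload?>"
# A bot submits credentials within milliseconds; a person needs seconds.
SAMPLE_LOG = """\
2016-11-02T10:00:06 198.51.100.7 KR 120 yes
2016-11-02T10:00:09 198.51.100.8 RU 95 yes
2016-11-02T10:00:21 203.0.113.4 RU 140 yes
2016-11-02T10:00:44 203.0.113.9 US 6800 no
2016-11-02T10:01:30 198.51.100.7 KR 110 yes
2016-11-02T10:05:12 192.0.2.33 BR 210 yes
"""
EXPOSURE_START = datetime(2016, 11, 2, 10, 0, 0)  # assumed: moment the device went online
HUMAN_THRESHOLD_MS = 2000  # assumed heuristic: slower logins are treated as typed by hand

def parse(log):
    """Turn the whitespace-separated records into dicts with typed fields."""
    rows = []
    for line in log.splitlines():
        ts, ip, cc, ms, mirai = line.split()
        rows.append({"t": datetime.fromisoformat(ts), "ip": ip, "cc": cc,
                     "login_ms": int(ms), "mirai": mirai == "yes"})
    return rows

def summarise(rows, start=EXPOSURE_START):
    """Compute the same headline figures the findings list reports."""
    def within(r, seconds):
        return r["t"] - start <= timedelta(seconds=seconds)
    mirai = [r for r in rows if r["mirai"]]
    first = min(r["t"] for r in mirai) if mirai else None
    human = sum(1 for r in rows if r["login_ms"] >= HUMAN_THRESHOLD_MS)
    ips_by_cc = {}
    for r in rows:
        ips_by_cc.setdefault(r["cc"], set()).add(r["ip"])
    unique_ips = Counter({cc: len(ips) for cc, ips in ips_by_cc.items()})
    return {
        "first_infection_s": int((first - start).total_seconds()) if first else None,
        "logins_first_30s": sum(1 for r in rows if within(r, 30)),
        "infections_first_60s": sum(1 for r in mirai if within(r, 60)),
        "total": len(rows),
        "mirai_total": len(mirai),
        "human": human,
        "automated_pct": round(100 * (len(rows) - human) / len(rows), 2),
        "countries": len(unique_ips),
        "top_source": unique_ips.most_common(1)[0],  # (country, unique IPs)
    }
```

Run `summarise(parse(SAMPLE_LOG))` to get the figures as a dict; swapping in a real honeypot export only requires adapting `parse` to its field layout.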

While we expected to see some infections during our research, we were not prepared for the number of infections which would occur over such a short period of time. Initially we defined the window of testing as a period of two weeks; however, this was dramatically reduced to twelve hours once the obscene volume of malware and infection attempts was realised.

Without question, the results clearly showed that the current real-world risk to businesses is significant. Insecurely connecting ‘Internet of Things’ devices will result in immediate infection and subsequent unauthorised control by a malicious actor.

What can I do if I suspect my device/s may be infected? 

  1. Disconnect the device from the network and reboot it. The Mirai malware is resident in the device’s memory, and as such rebooting the device will clear the malware; keep it off the Internet until the following steps are complete, as re-infection of an unchanged device takes only seconds.
  2. Once rebooted, immediately log onto the device and change the default manufacturer password to a strong and complex password.
  3. Disable remote administration on the device from the Internet.
  4. Before reconnecting the device, determine whether the device actually needs to be directly connected to the Internet. Adhere to best practices when placing devices into segmented and protected network zones.
  5. Harden networks against DDoS attacks.
  6. Use internal capability, or engage with a reputable IoT security specialist to perform a discovery and security assessment of your IoT or OT environments.

Mirai has seen the Internet of Things battlefield change significantly, and whilst the adoption of Internet-connected ‘things’ continues to grow at a substantial rate, it is safe to say we have only just begun to understand the destruction which can be caused when the Internet of Things becomes weaponised.

Author
Mark Cross
Cyber Security Consultant
RIoT Solutions


About

Mark Cross

Mark is a skilled offensive security and industrial control systems specialist with over 20 years’ experience in the IT industry. He has delivered Attack Simulation and Social Engineering engagements for large critical infrastructure providers, resulting in the identification of extreme risks to both the business’s reputation and the IT/OT environments.

Mark has recently identified several key 0-day vulnerabilities in critical infrastructure, and has performed in-depth analysis and reporting on significant malware outbreaks. He has a strong interest in understanding the latest attack vectors, and often participates in capture the flag and other hacking challenges, enabling him to deliver relevant, up-to-date knowledge and guidance to our clients and the RIoT Solutions team.

RIoT Solutions

RIoT Solutions is a specialised integrator of robust and resilient Internet of Things (IoT) solutions within Australia. Providing the “Digital Plumbing” of Operational Technology (OT) and Information Technology (IT) infrastructures, we bring together the industrial and IT networks through technical architecture, design, implementation, assessment and managed services to deliver smart and connected outcomes.

With a team of expert network architects and engineers and highly skilled cyber security consultants, RIoT Solutions are the experts at Securely Connecting Everything™ with our high calibre of people and specialised skills across both traditional IT and OT fields.