A lot has happened in the world of IoT malware since expertIP last covered it in October. It crippled some of the largest sites on the Internet and laid low almost a million Deutsche Telekom customers — and the threat is only just beginning.
Mirai, the IoT malware that targeted security writer Brian Krebs’ website with more than 600 gigabits per second of DDoS traffic in September, went on to hit DNS infrastructure company Dyn in mid-October, taking several of the largest websites offline. And it did it by infecting relatively simple devices connected to the Internet such as digital video recorders, rather than PCs.
The thing is that Mirai wasn’t particularly sophisticated, according to reports. The malware contained a list of hard-wired default admin login credentials, and the version dumped online needed some tweaking to get it working. In spite of that, it still succeeded in making large waves across the Internet.
There have been other botnets targeting IoT devices in the past. At least one — Carna — was designed as a benign botnet to research how many accessible devices were online.
Others, such as Aidra and Bashlite, are more malicious. Bashlite, also known as Torlus, Lizkebab and Gafgyt, has infected up to one million endpoint devices, most of which are IoT devices such as cameras and DVRs. Even these early examples have led to device infections of epidemic proportions.
Now, in the wake of Mirai, new IoT malware is finding its way online, and it seems to be improving upon its predecessors. Linux/IRCTelnet lifts large chunks of code from Aidra, and also reuses logic from Bashlite that scans address ranges for open Telnet ports. It also scooped up the list of credentials from Mirai, and uses the Internet Relay Chat (IRC) communication channel to control infected machines.
Mirai itself is evolving, with new capabilities. A new strain of the malware exploits a flaw in the Simple Object Access Protocol (SOAP) implementation on Zyxel routers. This malware is believed to have infected one or two million routers, but it didn’t work as planned for all devices. It attempted — and failed — to infect vast numbers of Deutsche Telekom’s routers, causing connection problems for 900,000 customers. Four to five per cent of its routers crashed, the firm said.
Now, hackers are starting to marshal IoT malware for clients. Two of them, nicknamed Poporet and BestBuy, are said to be advertising a Mirai botnet for hire with up to 400 machines allegedly at its disposal. This suggests the problem is going to get worse.
The danger with these iterative strains of IoT malware is that they will create still more infections and lead to even larger attacks. The attack surface for malicious IoT botnets is growing, says Kevin Lonergan, senior analyst with the infrastructure solutions group at IDC Canada.
“The number of connected devices is going to increase greatly over the next few years, and IDC estimates that the worldwide spend on IoT will surpass US$1.4 trillion by 2020,” he said. Hundreds of thousands of those devices will be susceptible to malware attacks, in large part because vendors are taking the easy route and using default admin login credentials.
What can we do to avert more IoT disasters? Cybersecurity consultancy Pen Test Partners, which has been analyzing Mirai, says that having ISPs block inbound access to port 23 (Telnet) may be a start, as it’s rarely used anymore (at least not legitimately).
However, it acknowledges this would encourage IoT malware authors to start querying port 80, which is often left wide open by routers configured with Universal Plug and Play (UPnP is commonly used for things like multiplayer online gaming).
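One way to watch for the scanning behaviour described above on both ports at once, as an added example that is not part of the original article or of Pen Test Partners’ analysis: a source that sends unanswered connection attempts to many distinct hosts on port 23 or port 80 is flagged as a likely scanner. The flow records are constructed sample data and the threshold is an assumption to tune per network.

```python
"""Flag Mirai-style Telnet/HTTP sweeps in flow records (added example).

A defender-side check, not code from the article: a host that touches many
distinct destinations on port 23 (Telnet) or 80 (HTTP) without completing
connections is reported. Sample flows below are constructed, not real traffic.
"""
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port, syn_only)
# syn_only=True means the attempt got no reply, typical of a sweep.
SAMPLE_FLOWS = (
    [("198.51.100.7", f"192.0.2.{i}", 23, True) for i in range(1, 41)]   # Telnet sweep
    + [("198.51.100.9", f"192.0.2.{i}", 80, True) for i in range(1, 31)]  # HTTP sweep
    + [("203.0.113.5", "192.0.2.10", 80, False),                         # ordinary browsing
       ("203.0.113.5", "192.0.2.11", 443, False)]
)

WATCHED_PORTS = {23: "telnet", 80: "http"}


def find_scanners(flows, threshold=20):
    """Return {src_ip: {port_name: distinct_targets}} for every source that
    sent unanswered attempts to at least `threshold` distinct hosts on a
    watched port. Completed connections are ignored, so a busy legitimate
    client talking to one or two servers is not reported."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, port, syn_only in flows:
        if port in WATCHED_PORTS and syn_only:
            targets[src][WATCHED_PORTS[port]].add(dst)

    result = {}
    for src, by_port in targets.items():
        hits = {name: len(dsts) for name, dsts in by_port.items()
                if len(dsts) >= threshold}
        if hits:
            result[src] = hits
    return result


if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {hits}")
```

Blocking port 23 at the ISP edge removes the Telnet hits but leaves the HTTP sweep visible, which is the shift the paragraph above anticipates.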
Other measures include preventing IoT devices from displaying admin web interfaces locally, and instead forcing access via a central cloud-based service. That will make it easier for vendors to push firmware updates and fix some of the mistakes they’re making.
That’s all well and good, of course, but the problem is that for millions of IoT devices already in the field, it’s too late. Users will rarely if ever activate manual firmware updates, meaning the devices will stay vulnerable — and, in many cases, are already compromised.
In short, the Internet of Things is looking decidedly insecure, and that spells disaster if you don’t have a strategy in place to deal with it.