By Nick Murray, Demetrio Milea, Peter Tran and Davide Veneziano
In Part I, How IOT Can Take Down The "Global Information Grid" Back Bone, we discussed the mechanics of DNS in context of the Dyn DDoS attack. In Part II of this blog, we will dive a bit deeper into the anatomy of the Mirai botnet and the scale of impact to the Internet of Things (IoT).
The source code for the Mirai botnet has been in the public domain through various online communities such as HackForum, as of September 30, 2016. The release of the source-code allowed security researchers to analyze its core structure and identify its unique characteristics. Researchers at RSA Security's First Watch conducted analysis into what made the Mirai botnet tick, and also assessed what potential approaches can be taken to defend against future attacks that may leverage similar functioning malware.
Mirai is an Internet of Things (IoT) botnet that consists of simple, passive internet-enabled devices such as surveillance cameras and simple peripheral hardware, whereas most other botnets consist of only servers and workstations. The malware has the capability to carry out different types of DDoS attacks such as Network Layer and Application Layer based attacks. It targets Linux-based IoT devices that utilize default password credentials. Mirai contains 61 usernames and passwords used to brute force into IoT devices. After Mirai has successfully logged in to a devices it will attempt to remove any other malware that has infected the device as to maximize the device's computing power and prevent any unforeseen issues. Interestingly enough the code reveals Mirai will try to find and remove a similar competing malware known as "Anime." Mirai will also close ports 22 and 23, which prevents remote login using SSH and Telnet. It will remain in memory where it waits to receive instruction from the Command and Control (C2) server. Given that the malware only resides in memory, rebooting the device should remove the malware from it, but malware persistence for Mirai hasn't been completely determine at this time.
There are various other anomalies that have been revealed in the code such as Russian character strings used to describe the username and password login fields. Mirai also has a hardcoded list of IP addresses and ranges to avoid such as IPs belonging to the Department of Defense (DoD), other high-technology companies, and private IP ranges.
The code also reveals what appears to be a subscription service that is needed to use the botnet. This implies that the Mirai is a "for hire" service and for the right price, ranging from ($8-$100), anyone can use it.
In the complex range of IoT connected environments, home users are by far the most unprotected - due to the security vulnerabilities in consumer grade IP cameras, smart TVs, refrigerators, and others. These devices tend to be the most overlooked and the first targets for a botnet attack like Mirai.
Let's take a DVR/TV set top box, as an example. Why is it exposed to risks? The risk is tied directly to the fact that the device requires a direct internet connection to function. The internet connection becomes a risk catalyst because of the passive functionality of a simple device on the periphery. As a result, basic authentication mechanism, insecure communication channels and inconsistent software developing practices more focused on delivering speed of functionality over security.
To date, there are approximately 22.9 billion IoT devices on the internet with a worldwide population of about 7.1 billion people. This averages out to be 3.2 devices per person and with an average family of four, this yields about 13 IoT devices per household globally.
The average house is becoming smarter, whether that be with home automation, smart TV, remote home video surveillance systems, Alarm systems, or smart climate control. All of these devices may be vulnerable to infection/attacks. IoT proliferation is expected to grow to 50 billion by 2020, which will nearly double the number of devices per person (rising to approximately 6.6 devices) resulting in an unmanageable attack surface.
The biggest issue with most IoT devices is that there is no easy or consistent way to patch,update, and/or to "harden" their security. With the quantity of these devices more than doubling in the next few years, there needs to be a fundamental change in how security is considered when designing the devices, as well as a switch in the mindset of individuals, private and public enterprises using them.
Both consumers and enterprises should carefully select their providers before acquiring an IoT based technology. Manufacturers must be clearly committed in providing updates and security patches as part of a formalized analysis and release program. Enterprises should also evaluate and agree upon specific SLAs/SLOs with the vendor to ensure the responsibilities are clearly defined. Equally important, users should be aware that an IoT device is actually a computer, thereby inheriting the same vulnerabilities and risks, requiring monitoring, detection and response. In Part III, we will discuss the specific areas to consider, to apply and embed security analytics at scale for IoT such as zoning, enclaves and the use of VIX for device vulnerability identification and trending. Stay tuned for more!