By Stefan Dubowski
Thwarting the IoT botnets:
How to protect your organization from malware
Late last week, widespread distributed denial-of-service (DDoS) attacks on managed DNS provider Dyn caused major internet outages and disruptions. With October designated as Cyber Security Awareness Month, the timing couldn’t be more ironic. It was recently determined that the cause of the attack was the Mirai botnet, which is built by malware designed to attack the Internet of Things: unsecured devices, including cameras, were targeted.
We’ve reached the tipping point for malware designed to attack the Internet of Things (IoT). These bad-news programs are no longer a matter of discussion for a handful of security experts. Now everyone’s talking about them. That’s because IoT malware is everywhere. Consider the spread of Mirai. According to Motherboard, this particularly infectious software has made its way into IoT devices in 177 countries (that’s 177 out of 196 in total).
Mirai was designed such that relatively unskilled hackers could use it to create botnets and launch distributed denial of service attacks. The software targets gateways, digital video recorders, surveillance cameras and other Internet devices by exploiting the insanely basic passwords they come with or which people assign to them — such as ‘admin,’ ‘123456’ and of course ‘password.’
Mirai isn’t the only topic of chatter. If you want to protect your organization’s web-connected infrastructure, here are a few other IoT malware facts you should know:
It sure does have an easy ride.
Security software and service provider Bitdefender pointed out in a recent report that IoT devices often have limited memory and compute resources. That means the equipment can’t always support complex and evolving security algorithms. What’s worse, device manufacturers often don’t provide long-term support or automatic firmware updates — which makes zero sense, since many of those vendors also say the devices are meant to stay in service for decades.
It’s platform agnostic.
In the past, hackers targeted computers that ran some variation of the ubiquitous Windows operating system. Nowadays, the bad guys create malware for all sorts of platforms. IT-security reporter David Bisson recently wrote about NyaDrop, an IoT Trojan horse that pinpoints devices running Linux.
It’s sparking innovation.
The good guys are getting creative. IEEE Spectrum reports that researchers in Japan are studying a way to use the small differences in IoT microchips to boost security. These hardware whizzes are looking to identify chips by their unique compositions based on the amount of certain chemicals and other materials used to put them together. Such matter-based fingerprints could be the lynchpin for a system to authenticate IoT-device-embedded software. Said system would prevent malware from making its way into those devices.
It’s generating some good discussions.
Developers are being asked to step up IoT security. Via The Server Side — news for Java developers — software jockey Jason Tee lists tips for IoT creators to curtail Internet-device-targeting malware. His suggestions:
- Decide if it’s really worth the risk to Internet-enable the device.
- Balance ease of configuration with the need for security.
- Learn about the many ways a device can be compromised.
These problems are likely to get worse in the short term. It’ll take time for IoT device-makers to integrate recommendations from Tee and others. Meanwhile, Business Insider predicts that by 2020, the number of IoT devices will rise to 34 billion, up from 10 billion in 2015.
For IT decision-makers, the immediate takeaway is clear: check the credentials on the IoT equipment in your business. If the usernames and passwords are still the default shipped-from-factory versions or temporary easy-to-remember phrases, it’s time.
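One way to run that credential check offline against an exported device inventory (an added example, not part of the original article; the CSV columns, host names, credentials and the 12-character minimum are assumptions constructed for illustration):

```python
import csv
import io

# Weak passwords named in the article; extend with the factory defaults
# listed in your own vendors' manuals.
WEAK_PASSWORDS = {"admin", "123456", "password"}
MIN_LENGTH = 12  # assumed policy threshold, not from the article

# Constructed sample inventory (hypothetical hosts and credentials).
SAMPLE_INVENTORY = """host,device_type,username,password
cam-lobby,camera,admin,admin
dvr-01,dvr,root,123456
gw-edge,gateway,netops,T7#vq9Lm!xR2bd
cam-dock,camera,operator,Operator
nvr-02,dvr,svc_nvr,Password
"""


def audit_row(row):
    """Return the reasons this username/password pair should be replaced."""
    user = row["username"].strip()
    pw = row["password"].strip()
    reasons = []
    if pw.lower() in WEAK_PASSWORDS:
        reasons.append("known weak/default password")
    if pw.lower() == user.lower():
        reasons.append("password equals username")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def audit_inventory(csv_text):
    """Map host -> list of reasons for every device that fails the check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = audit_row(row)
        if reasons:
            findings[row["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(reasons)}")
```

The comparison is case-insensitive, so variants such as ‘Password’ or a capitalized copy of the username are flagged as well.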