On Friday, Oct 21, 2016, a massive distributed denial of service (DDoS) attack was launched against Dyn, a world-renowned DNS service provider. The attack caused a wide-scale service outage for well-known websites such as Twitter, PayPal, Netflix, Reddit, Spotify, Etsy, and Box, from 7:31 a.m. to 9:20 a.m. EST.
According to CNBC, citing Dyn, the attack was launched through the compromise and takeover of IoT (“Internet of Things”) devices. IoT devices include hardware such as routers, VoIP phones, DVRs, webcams, and smart TVs, to name a few. Shortly after the attack, Dyn stated that the identity and purpose of the attacker(s) were unknown. Several sources reported afterward that a group of hackers claimed responsibility and that the attack was a test run for a larger planned attack.
Mirai C2 Attack-ware
Behind the sizeable IoT botnet used in this attack is an open-source tool named “Mirai” (GitHub: jgamblin/Mirai-Source-Code; coincidentally, its source was released just one week before Friday’s attack). Mirai is a botnet-creation tool targeting IoT devices. The attack initiated on 10/21 was not the first time Mirai had been used in a major attack. One month prior, on Sep 21, the largest DDoS in the history of the Internet, peaking at 1 Tbps, hit the Internet service provider OVH; 145,000 hacked webcams were used in it.
To put the attack infrastructure into perspective:
- 213,000 – the number of IoT devices harnessed by hackers using Mirai, as of Oct 1, 2016 
- 493,000 – the number of IoT devices harnessed by hackers using Mirai, on Oct 21, 2016 
- 380,000 – 6% of 6M IoT devices probed had weak Telnet passwords 
- 6.4 billion – the number of anticipated IoT devices (in 2016) 
The tool does not use an advanced vulnerability, but implements the simplest and oldest attack: weak Telnet passwords. In May 2016, the IBM X-Force Research team warned of the re-emergence of this attack form in a white paper (https://securityintelligence.com/media/beware-of-older-cyber-attacks/). Mirai hard-codes only 62 username/password entries as the dictionary for its brute-force attack, as shown in the figure below.
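Because the attack is a plain dictionary brute force against Telnet, it leaves a recognisable trace in authentication logs: a burst of failed logins from one source, cycling through a handful of usernames, often followed by a success. The following detector is an added example (not code from the original post or from NewSky Security) that flags that pattern. The `telnetd` log format and the sample lines are constructed for illustration; real devices log in vendor-specific formats, so the regular expression would need adjusting.

```python
"""Flag Mirai-style Telnet login bursts in an authentication log.

Added example, not part of the original post. The log format below is an
assumption; the sample lines are constructed (RFC 5737 documentation addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format:
#   <ISO timestamp> telnetd: <ok|failed> login user=<name> from=<ip>
SAMPLE_LOG = """\
2016-10-21T07:31:00Z telnetd: failed login user=root from=198.51.100.7
2016-10-21T07:31:01Z telnetd: failed login user=admin from=198.51.100.7
2016-10-21T07:31:01Z telnetd: failed login user=root from=198.51.100.7
2016-10-21T07:31:02Z telnetd: failed login user=support from=198.51.100.7
2016-10-21T07:31:02Z telnetd: failed login user=user from=198.51.100.7
2016-10-21T07:31:03Z telnetd: ok login user=root from=198.51.100.7
2016-10-21T07:45:10Z telnetd: failed login user=alice from=192.0.2.10
2016-10-21T07:52:30Z telnetd: ok login user=alice from=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: (?P<result>ok|failed) login "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m["result"] == "ok", "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {ip: report} for every source with at least `threshold` failed
    logins inside some `window`-long span. Each report records the size of the
    densest burst, how many distinct usernames it tried (dictionary cycling),
    and whether a successful login followed it (a likely compromise)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    reports = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        # Densest run of failures that fits inside the window.
        best = []
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i > len(best):
                best = fails[i:j]
        if len(best) < threshold:
            continue
        last_fail = best[-1]["ts"]
        reports[ip] = {
            "failures": len(best),
            "distinct_users": len({e["user"] for e in best}),
            "success_after_burst": any(e["ok"] and e["ts"] >= last_fail for e in evs),
        }
    return reports


if __name__ == "__main__":
    for ip, report in find_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

The `success_after_burst` flag is the one to act on first: a burst that ends in a successful login means the device's credentials were in the attacker's dictionary, and the device should be treated as compromised rather than merely probed.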
It is concerning that the tool is still available on GitHub, with 1000+ forks. It would be easy for the common “script kiddie” to insert or merge the available code for probing/scanning, C2 settings, and payload or attack modules into their own tool:
Challenges Ahead and Call to Action
As we detailed in our previous research, attackers are leveraging IoT devices for bitcoin mining, ransom, router attacks, webcam hacks, and more. What steps can we take to help mitigate future attacks? Brian Krebs offered one tongue-in-cheek suggestion:
It is not realistic to throw away your Internet-connected devices out of fear of an attack. We suggest reading your device manual to learn whether your IoT device has a factory default password. If so, we absolutely recommend changing it to help avoid becoming an unwitting victim.
Security as a Culture
We feel security hasn’t been given enough focus. If we are not to be part of the problem, we must be part of the solution, and that starts with taking security more seriously. It also involves evaluating and investigating the potential points of attack. Security breaches occur through a variety of methods, but ultimately the attack occurs at the perimeter of defense. For the general population of consumers, that means Internet cable modems, routers, and gateways.
We recommend taking preventive measures with these devices and following best practices, which include but are not limited to the following steps.
Allowing or disallowing HTTPS/HTTP access
Many IoT devices such as cable modems, routers, gateways, or other similar devices allow control and access via a web browser. For example, if your Internet access provider supplied your cable modem, there is a default access method supported and, in many cases, a default password. Check the settings of the device and enhance security by changing the default access settings.
Change default passwords
The Mirai tool contains a small set of passwords, but many of these are manufacturer-established defaults for IoT devices. One method of strengthening a password is to “salt” it, in the informal sense of adding a code to either the beginning or the end of the password, which increases the difficulty of password cracking exponentially. Codes to add can include special characters such as $#%(! and so on.
Some devices communicate on certain ports, such as TCP 80, 81, 139 and so on. In the case of Mirai, if you have no need to Telnet to your device, blocking Telnet (TCP port 23) access at your perimeter (modem/router/gateway) is one effective method to avert this type of penetration and attack.
Some devices support locking out connection attempts that use an incorrect password. Check whether your device supports lockouts and, if so, maximize the lockout time for an attacker attempting to gain access.
- Use a more secure password
- Add port blocking via a firewall
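Two of the measures above, rejecting default or weak credentials and locking out a source after repeated failures, can be stated precisely as policy code. The block below is an added example, not code from the original post or from NewSky Security. The default-credential list is a small constructed sample of generic vendor defaults (a real audit would load the full list for the devices in use), and the thresholds (12-character minimum, three character classes, lockout after five failures that doubles each time) are assumptions chosen for illustration.

```python
"""Credential audit and escalating lockout for a device login service.

Added example, not part of the original post. DEFAULT_CREDENTIALS is a
constructed sample; the policy thresholds are assumptions.
"""
import string
from datetime import datetime, timedelta

# Constructed sample of generic (user, password) vendor defaults.
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("root", "admin"), ("root", "12345"),
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("user", "user"), ("support", "support"), ("guest", "guest"),
}
DEFAULT_PASSWORDS = {p.lower() for _, p in DEFAULT_CREDENTIALS}


def credential_problems(user, password, min_len=12):
    """Return the reasons a credential is unacceptable; an empty list means it passes."""
    problems = []
    if (user, password) in DEFAULT_CREDENTIALS:
        problems.append("matches a known default credential pair")
    elif password.lower() in DEFAULT_PASSWORDS:
        problems.append("password is a known default password")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if user and user.lower() in password.lower():
        problems.append("contains the username")
    return problems


class LockoutPolicy:
    """Lock a source out after `max_failures` consecutive failed logins; each
    further failure doubles the lockout, up to `cap`. A success resets the source."""

    def __init__(self, max_failures=5, base_lockout=timedelta(minutes=1),
                 cap=timedelta(hours=1)):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.cap = cap
        self._failures = {}      # source -> consecutive failure count
        self._locked_until = {}  # source -> datetime the lock expires

    def is_locked(self, source, now):
        until = self._locked_until.get(source)
        return until is not None and now < until

    def record_failure(self, source, now):
        """Count a failed login. Returns the lockout duration applied, or None.
        Attempts made while locked are refused and do not alter the state."""
        if self.is_locked(source, now):
            return None
        n = self._failures.get(source, 0) + 1
        self._failures[source] = n
        if n < self.max_failures:
            return None
        duration = min(self.base_lockout * (2 ** (n - self.max_failures)), self.cap)
        self._locked_until[source] = now + duration
        return duration

    def record_success(self, source):
        """A successful login clears the failure history for the source."""
        self._failures.pop(source, None)
        self._locked_until.pop(source, None)


if __name__ == "__main__":
    print(credential_problems("admin", "admin"))
    policy = LockoutPolicy(max_failures=3, base_lockout=timedelta(seconds=30))
    t0 = datetime(2016, 10, 21, 7, 31)
    for k in range(4):
        print(k, policy.record_failure("198.51.100.7", t0 + timedelta(seconds=k)))
```

The lockout is keyed by source address rather than by account, because a Mirai-style attacker tries many usernames from one host; keying by account would let the attacker spread attempts across the dictionary without ever tripping the limit. Checking `is_locked` before counting a failure keeps a locked-out attacker from extending its own lockout indefinitely.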
For IT professionals and IoT developers, there are at least 10 tips to follow when allowing IoT devices to connect to a network.
- Conduct a privacy risk assessment of IoT products and services in the design phase.
- Use encrypted storage and TPM-based boot functionality.
- Implement SSL properly and avoid using static credentials.
- Use code obfuscation and tools for app hardening.
- Use strong session management.
Contact NewSky Security to learn more about our IoT security tools, our holistic IoT security solutions, and our IoT pen-test service for enterprise clients. Our mission is to secure all connected devices from IoT device, cloud, and mobile UI intrusion surfaces.
NewSky Security will continue to closely monitor the IoT threatscape for this and other attacks.