The Internet of Thingbots

By Brian A. McHenry, F5 | Oct 25, 2017 04:00 am PST

If you follow technology news, then it’s almost impossible to avoid some mention of “the Internet of Things” or IoT, for short. With the proliferation of smart home devices ranging from lighting to garage door openers to thermostats to cameras and the use of other smart devices in enterprises, the challenges and growth in IoT can be very difficult to pin down.

Usually, when conjuring an image of a botnet poised to mount a massively distributed Denial-of-Service (DDoS) attack, the thought of a small army of malware- and virus-infected PCs and servers controlled by some shadowy, anonymized command and control (C&C) server comes to mind. However, the largest botnets and associated DDoS attacks recently have not been sourced from compromised laptops, servers, and smartphones. Attackers have found that it’s much easier to compromise a vulnerable IoT device than to trick a user into clicking a malicious link or downloading a malware-infected file.

The Mirai and subsequent Persirai botnets were composed almost entirely of compromised IoT devices which used the popular embedded-Linux distribution, BusyBox. These botnets were built via self-replicating (worm-like) malware which, once it had infected a device, scanned the Internet for other vulnerable hosts. These botnets were not built overnight, as data shows the scans increasing over time with no attacks immediately thereafter. This infection pattern keeps the IP addresses of the infected IoT devices, or Thingbots, off many ISP and threat feed blacklists.

Other vigilante Thingbots have also surfaced, such as Hajime, which seeks to inoculate IoT devices that still use default administrator usernames and passwords. These botnets are built in the same way, but the vigilante attacker merely changes the username and password and leaves a note behind. These activities, while helpful, still do damage by locking legitimate users out of their own devices.

Patching these devices is often difficult, if not impossible, if the IoT device manufacturer is not actively maintaining the firmware. While a server or laptop running a popular operating system is easily updated, these potential Thingbots have tightly controlled update mechanisms (if any at all). Attempting to independently update the embedded-Linux BusyBox could easily result in bricking the IoT device, as the dependencies between hardware and software are often quite brittle.

To prevent IoT devices in your network (at home or in the enterprise) from becoming another Thingbot, follow a few simple steps.

  • Know what’s on your network. Maintain an asset inventory.
  • Seek reputable IoT vendors (e.g., avoid bargain-bin Internet-connected security cameras).
  • Disable UPnP in home office routers.
  • Avoid the use of port-forwarding or any-any firewall ACLs.
  • Of course, never use default username/password combinations.

A few pro tips strictly for those in the enterprise:

  • Monitor outbound traffic, highlighting any traffic sourced from IoT devices.
  • Know the firmware levels in the asset inventory.
  • Enable 2-factor authentication in addition to privileged user access controls.
  • Use advanced WiFi security protocols to authenticate endpoints, where possible.
  • Demand better security features and defaults from IoT vendors who market solutions to the enterprise.
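
One way to combine the asset inventory with outbound monitoring is sketched below as an added example, not code from the author or F5. It flags inventoried IoT devices that contact many distinct external hosts in one window, the pattern worm-like scanning produces, and lists sources on the IoT segment that are missing from the inventory. The inventory, address ranges, threshold and flow records are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed values: inventory, address ranges and threshold are assumptions.
IOT_INVENTORY = {"10.20.0.11": "lobby camera", "10.20.0.12": "thermostat"}
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/24")   # assumed IoT segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed internal range
FANOUT_THRESHOLD = 5  # distinct external hosts per window; tune per site

# Constructed flow records (source, destination) for one monitoring window.
SAMPLE_FLOWS = """src,dst
10.20.0.11,198.51.100.7
10.20.0.11,198.51.100.7
10.20.0.12,10.20.0.1
10.20.0.12,203.0.113.1
10.20.0.12,203.0.113.2
10.20.0.12,203.0.113.3
10.20.0.12,203.0.113.4
10.20.0.12,203.0.113.5
10.20.0.99,198.51.100.9
10.30.0.5,198.51.100.9
"""


def review_outbound(flow_csv, inventory=IOT_INVENTORY):
    """Return (fanout_alerts, unknown_devices) for one window of flows."""
    external = defaultdict(set)  # IoT source -> distinct external hosts
    unknown = set()              # sources on the IoT segment, not inventoried
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in IOT_SUBNET:
            continue  # only traffic sourced from the IoT segment is reviewed
        if str(src) not in inventory:
            unknown.add(str(src))
        if dst not in INTERNAL:
            external[str(src)].add(str(dst))
    alerts = {src: sorted(dsts) for src, dsts in external.items()
              if len(dsts) >= FANOUT_THRESHOLD}
    return alerts, sorted(unknown)


if __name__ == "__main__":
    alerts, unknown = review_outbound(SAMPLE_FLOWS)
    for src, dsts in alerts.items():
        name = IOT_INVENTORY.get(src, "not in inventory")
        print(f"fan-out: {src} ({name}) -> {len(dsts)} external hosts")
    print("on IoT segment but not in inventory:", unknown)
```
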

With DDoS attacks escalating in an ongoing effort by attackers to overwhelm the infrastructure of enterprises and service providers alike, it is imperative that we all do our best to secure all the would-be Thingbots in the networks we maintain. A safer Internet is everyone’s responsibility, and password maintenance tops the list of things we can all easily do to further that goal.