How Your IoT Devices Turned Into a Zombie BotNet
A zombie army of internet-connected devices choked web sites from Reddit to Paypal
The flat-lining of many famous websites on Friday started right from your home. Maybe not your home—but someone's. The Distributed Denial of Service attack (also known as a DDoS attack) started at about 7 am ET Friday, in essence turning off the valve to many web sites.
How did that valve get shut down? Through Internet of Things (IoT) devices that had been infected with a piece of rogue software, or malware, called Mirai. This is the same code that took down the KrebsOnSecurity site last month. Its source code was then posted publicly on the web, allowing anyone to use Mirai to build their own botnet.
In Friday's attack, some of the Mirai-infected devices were digital video recorders, or DVRs, security firm Flashpoint confirmed. Mirai can also latch onto other IoT devices, "...enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks," says Flashpoint.
When switched on at a specific time—in this case at about 7 am ET on Friday—Mirai instructed these devices to flood Dyn, an Internet infrastructure company that provides domain name (DNS) service and, in effect, operates like an old-fashioned telephone operator. When you type in a web address, Dyn's servers help connect you to the web site you want. Mirai's flood of bogus requests stopped legitimate lookups from getting through — and voila: no connection to the site.
Rest assured: the internet was (and is) still there. But your ability to reach sites on it? That was a mess. The attack came in three waves on Friday, Dyn says, but by the third the company was on to the situation.
"News reports of a third attack wave were verified by Dyn based on our information," says Dyn. "While there was a third attack attempted, we were able to successfully mitigate it without customer impact."
And here's the good part—it can happen quite easily again. Here's the better part: you might be able to do something to help make sure your smart security camera doesn't become a part of that again.
Not plug and play
First, many IoT devices are easy to install right out of the box. We know that—we test dozens here at GearBrain. But that doesn't mean you should just plug in your device, link to the internet and walk away. It's tempting. Life is complicated enough, right? But don't.
To start, never (ever) keep the standard default login and password on your devices. On any devices. Particularly, though, on IoT devices. Mirai basically swam across the internet searching for connected devices that it could access using a default login and password. Once connected, it attached itself to that device like a lamprey to a shark. Devices with customized logins and passwords? Not as easily accessed. The lesson here, then, is that when you install a new device, you should create a personal login and password.
Clear the deck
Second, if you suspect your IoT device may have been involved, unplug the product. (Yes, really.) About half a million IoT devices are infected, according to telecom Level 3 Communications.
"The true number of actual bots may be higher based on an incomplete view of the infrastructure," says Level 3 on its blog, as infected devices, or bots, can then create new bots.
While that may not sound like a lot right now, it means the number of products containing Mirai is growing. So consider unplugging your device at least once a week.
"It's easy to get rid of this, by just turning off the device, turning it back on and rebooting the device," says Jerry Irvine, chief information officer of Prescient Solutions in Chicago, Ill. "The bot gets deleted. However, because this malware is going out on the internet so much, they're suggesting it would be just a minimum number of seconds before it was infected again, especially if you're not changing the user id and password, and adding some level of encryption."
Encryption for IoT devices is tricky as you can't install encryption software directly onto your smart light bulb or speaker. What you can do, however, is make sure you're updating your system software regularly.
If your product doesn't send you a notification to download the latest software (as your computer's operating system likely does), check your product regularly. Go into settings, and see that you have the latest update, or check the manufacturer's web site.
Divide and conquer
Third, lock down your router by making sure its firewall is turned on, which Irvine says most people can do by letting the router "... walk you through the steps."
Then, consider putting your IoT devices and your computers on separate connections to the internet, Irvine adds. This would mean two separate Wi-Fi networks, so that your IoT products get online apart from your PC or Mac. "But that's a really technical thing and the average person won't be able to do it," Irvine says.
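Knowing which device to unplug is the hard part of the advice above. The following is an added example, not code from the article or from GearBrain: it reads a constructed router-style connection log (the "timestamp source destination port" line format, the IP addresses and the thresholds are all assumptions) and flags any LAN host that is hammering one address or probing many hosts, which is what an infected device looks like from inside the home.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for a home network, not figures from the article.
WINDOW = timedelta(seconds=60)
FLOOD_THRESHOLD = 50   # connections from one host to a single destination per window
SCAN_THRESHOLD = 20    # distinct destinations from one host on one port per window

def parse_line(line):
    """Parse a constructed 'ISO-timestamp src dst dport' connection-log line."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_bots(lines):
    """Return {src_ip: reasons} for LAN hosts whose outbound connections look
    bot-like: hammering one destination (the DDoS traffic) or probing many
    hosts on one port (hunting for more devices with default passwords)."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            by_src[src].append((ts, dst, dport))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        reasons = set()
        for i, (t0, _, _) in enumerate(events):   # sliding window starting at each event
            window = [e for e in events[i:] if e[0] - t0 <= WINDOW]
            per_dst, hosts_per_port = defaultdict(int), defaultdict(set)
            for _, dst, dport in window:
                per_dst[dst] += 1
                hosts_per_port[dport].add(dst)
            if max(per_dst.values()) >= FLOOD_THRESHOLD:
                reasons.add("flood")
            if max(len(h) for h in hosts_per_port.values()) >= SCAN_THRESHOLD:
                reasons.add("scan")
        if reasons:
            suspects[src] = reasons
    return suspects

def constructed_log():
    """Constructed sample: a laptop (10.0.0.2) browsing normally, and a DVR
    (10.0.0.7) that hits one address 60 times in 30 s and probes 25 different
    hosts on one (arbitrarily chosen) port. Addresses are documentation ranges."""
    t0 = datetime(2016, 10, 21, 7, 0, 0)
    stamp = lambda secs: (t0 + timedelta(seconds=secs)).isoformat()
    lines = [f"{stamp(6 * i)} 10.0.0.2 203.0.113.10 443" for i in range(10)]
    lines += [f"{stamp(0.5 * i)} 10.0.0.7 203.0.113.53 53" for i in range(60)]
    lines += [f"{stamp(i)} 10.0.0.7 198.51.100.{i + 1} 8080" for i in range(25)]
    return lines
```

Running `find_bots(constructed_log())` names only the DVR, with both reasons; a real router's log needs only `parse_line` adjusted to its own line format.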
That doesn't mean giving up, though. Sure, you may not mind losing Etsy, Paypal and Reddit for a day. But homes that had these bots running also experienced a slow-down on their own Internet connections. Not only could you not reach your playlist on Spotify—you also might not have been able to get email, or access your bank accounts either.
So the next time you get that spinning wheel on Netflix, you'll know something might be going on with more than just your connection. Before that happens, take a few steps.
"Change your passwords, seriously, that's the biggest thing," says Irvine. "And minimally reboot the device at least once a week to give yourself a fighting chance."