McAfee Labs released the results of a honeypot experiment showing that a Mirai botnet can detect and compromise a poorly secured IoT device in under a minute.

The experiment – released as part of the McAfee Labs Threat Report: April 2017 [pdf] – highlighted the ease with which the Mirai botnet could be used to gain access to an IoT device.

A video of the experiment showed a virtual instance of a vulnerable IoT device, hosted at a randomly chosen data hosting provider, being hit with traffic from an IP address in Vietnam within 29 seconds of going live.

After 49 seconds, a Mirai botnet derivative made its first brute-force login attempt against the virtual device, using a list of common default credentials contained within the botnet’s code.

Finally, after only 59 seconds, the honeypot detected and alerted that code was being executed on the IoT device.
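The three milestones above (first contact, first default-credential guess, first code execution) are the kind of numbers a defender can pull straight out of honeypot logs. The following is an added example, not code from McAfee Labs or the report: it assumes a constructed telnet-honeypot log format (`timestamp event key=value ...`), a constructed list of factory-default credential pairs standing in for the bot's real list, and flags a source as brute-forcing when it makes several login attempts within a short window.

```python
import re
from datetime import datetime, timezone

# Constructed sample honeypot log; timestamps mirror the report's 29s/49s/59s milestones.
GO_LIVE = "2017-04-10T12:00:00Z"
HONEYPOT_LOG = """\
2017-04-10T12:00:29Z connect src=203.0.113.7 dst_port=23
2017-04-10T12:00:49Z login src=203.0.113.7 user=root pass=root result=fail
2017-04-10T12:00:50Z login src=203.0.113.7 user=admin pass=1234 result=fail
2017-04-10T12:00:51Z login src=203.0.113.7 user=admin pass=admin result=success
2017-04-10T12:00:59Z exec src=203.0.113.7 cmd=[redacted]
2017-04-10T12:01:10Z connect src=198.51.100.9 dst_port=23
2017-04-10T12:01:11Z login src=198.51.100.9 user=alice pass=correct-horse result=fail
"""

# Constructed factory-default pairs (a stand-in for the credential list in the bot's code).
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("admin", "1234"), ("root", "12345")}

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line):
    """Split 'timestamp event k=v k=v' into (datetime, event, dict of fields)."""
    ts, event, rest = LINE_RE.match(line).groups()
    return parse_ts(ts), event, dict(kv.split("=", 1) for kv in rest.split())

def attack_timeline(log, go_live, min_attempts=3, window_s=60):
    """Per source IP: seconds after go-live of first contact, first default-credential
    guess and first command execution, plus a brute-force flag (>= min_attempts
    login attempts inside window_s seconds)."""
    t0 = parse_ts(go_live)
    out = {}
    for line in log.splitlines():
        ts, event, f = parse_line(line)
        rec = out.setdefault(f["src"], {"first_contact": None, "first_default_guess": None,
                                        "first_exec": None, "logins": []})
        delta = (ts - t0).total_seconds()
        if event == "connect" and rec["first_contact"] is None:
            rec["first_contact"] = delta
        elif event == "login":
            rec["logins"].append(ts)
            if (f["user"], f["pass"]) in DEFAULT_CREDS and rec["first_default_guess"] is None:
                rec["first_default_guess"] = delta
        elif event == "exec" and rec["first_exec"] is None:
            rec["first_exec"] = delta
    for rec in out.values():  # sliding window over each source's login timestamps
        t = rec.pop("logins")
        rec["brute_force"] = any((t[i + min_attempts - 1] - t[i]).total_seconds() <= window_s
                                 for i in range(len(t) - min_attempts + 1))
    return out
```

Run against a real honeypot, the same function gives time-to-first-probe and time-to-first-default-guess per source, which is the metric the experiment reports.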

According to the McAfee Labs report, derivatives of the original Mirai botnet have increased in proliferation since the release of the source code on October 1 last year, but “most appear to be driven by script kiddies and are relatively limited in their impact.”

The source code release has also led to offerings of ‘botnet-as-a-service’, providing hackers another way to monetise their efforts.

McAfee Labs uncovered a forum post on Alpha Bay on October 4 offering Mirai botnet services from US$50 to US$9,500, and another post on December 25 offering Mirai rentals for US$30 a day.

McAfee Labs is concerned that Mirai’s source code release will “facilitate new Mirai variants with more advanced features” and “serve as a backbone for complexly new IoT device malware.”

Furthermore, the security company worries that consumers will feel they’re immune to Mirai simply by changing the default passwords on their devices, saying “IoT security problems will not disappear by simply changing default passwords.”

Securing IoT devices

The report highlights a number of policies and procedures for securing IoT devices, which include:

  • Research the IoT device’s security track record: “By doing some research, you may find some companies ignore their product’s security concerns, while others are more proactive.”
  • Keep all IoT device software up to date: “This simple best practice can often remove vulnerabilities, especially those recently discovered and publicly highlighted.”
  • Segment IoT devices from other parts of the network using a firewall or intrusion prevention system: “Disable unnecessary services or ports on these systems to reduce exposure to possible entry points of infection.”
  • Change defaults and use strong passwords: “Adopt good password habits, such as using long phrases, special characters, mixed cases, and digits.”
  • Restrict physical access to IoT devices: “Direct device tampering can also lead to IoT device hacks.”
  • Disable Universal Plug and Play (UPnP) support: “Many IoT devices support UPnP, which makes the device discoverable on the internet and vulnerable to malware infections.”
  • Power-cycle IoT devices periodically: “Malware is commonly stored in volatile memory and can be erased by shutting off and restarting the device.”

McAfee Labs also encourages security companies to collaborate and share threat intelligence in the areas of event triage and prioritisation, establishing relationships between indicators of compromise, and improving sharing models between vendors.

Intel Security’s APAC vice president Daryush Ashjari said in a statement: “Threat intelligence sharing is a key pillar of our strategy at McAfee as we believe that only by coming together to share intelligence across vendor solutions and portfolios can our industry learn more about experiences and increase our power against attackers.”