In today’s world everything is connected to the internet—printers, routers, video cameras, smart TVs, home appliances and even children’s toys. It’s called the “Internet of Things” (IoT)—an emerging network of devices that connect to one another via the Internet, often automatically sending and receiving data.
Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.
This kind of malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The malware uses a short list of common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.
What’s worse is that the source code of this kind of malware has been published on the Internet, so there is an ever-increasing risk of more botnets being generated.
On Friday, October 21st, such attacks temporarily shut down popular websites like Twitter, Netflix and Spotify, among others. The Obama administration says that it is currently taking steps to counter these types of cyber attacks.
To remove the malware
In order to remove the malware from an infected IoT device, you should take the following actions:
- Disconnect the device from the network.
- While disconnected from the network and Internet, perform a reboot. Because the malware exists only in dynamic memory, rebooting the device clears the malware.
- Ensure that the password for accessing the device has been changed from the default password to a strong password.
- You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the malware.
In order to prevent a malware infection on an IoT device, you should take the following precautions:
- Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
- Update IoT devices with security patches as soon as patches become available.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Purchase IoT devices from companies with a reputation for providing secure devices.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
- Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
- Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
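The two monitoring items above can be turned into a simple check over connection logs. The following is an added example, not code from the original alert: it parses a constructed sample of connection records (the log format, the 192.168.1.0/24 local network and the two-target threshold are assumptions), flags external sources that try Telnet (23/TCP or 2323/TCP) against several local devices, and flags local devices sending to port 48101 outside the network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection log (not from the original page):
# timestamp, source, destination, destination port, protocol.
SAMPLE_LOG = """\
2016-10-21T10:00:01Z src=203.0.113.7 dst=192.168.1.20 dport=23 proto=tcp
2016-10-21T10:00:02Z src=203.0.113.7 dst=192.168.1.21 dport=2323 proto=tcp
2016-10-21T10:00:03Z src=203.0.113.7 dst=192.168.1.22 dport=23 proto=tcp
2016-10-21T10:00:04Z src=192.168.1.20 dst=198.51.100.9 dport=48101 proto=tcp
2016-10-21T10:00:05Z src=192.168.1.30 dst=192.168.1.1 dport=443 proto=tcp
2016-10-21T10:00:06Z src=198.51.100.5 dst=192.168.1.23 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home/office network
TELNET_PORTS = {23, 2323}   # ports named in the alert for Telnet control attempts
REPORT_PORT = 48101          # port named in the alert for result reporting

def parse_log(text):
    """Parse each well-formed line into a dict; skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def find_telnet_scanners(records, min_targets=2):
    """External sources that hit Telnet ports on at least min_targets local devices."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] in TELNET_PORTS and not is_local(r["src"]) and is_local(r["dst"]):
            targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def find_report_traffic(records):
    """Local devices sending to port 48101 outside the network: candidates for cleanup."""
    return sorted({r["src"] for r in records
                   if r["dport"] == REPORT_PORT and is_local(r["src"]) and not is_local(r["dst"])})
```

A device returned by find_report_traffic is a candidate for the disconnect, reboot and password-change steps above.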
In partnership with DHS, the National Cyber Security Alliance has released information on Navigating Your Continuously Connected Life which examines our future using Internet of Things (IoT) devices.