Hu Yoshida

IoT Security Exposures: Mirai is now.

Blog Post created by Hu Yoshida on Jan 9, 2017



The Kanji Mi means not yet, and Rai means become. In English this would be translated as “The Future”. Mirai has become all too familiar as the name of a Botnet attack that caused internet outages in the US, UK and Germany over the last few months of 2016 through the infection of IoT devices. In November nearly a million customers in Germany were affected by internet outages in a coordinated cyberattack through home routers given to them by their internet providers.


The first major IoT security attack occurred on October 21, 2016, according to Wikipedia, and involved multiple denial-of-service (DoS) attacks targeting systems operated by Domain Name System (DNS) provider Dyn, which made major Internet platforms and services unavailable to large numbers of users in Europe and North America. Dyn provides the service of mapping an Internet domain name to its corresponding IP address. The distributed denial-of-service (DDoS) attack was accomplished through a large number of DNS lookup requests from some 500 million IP addresses. The activities are believed to have been executed through Mirai, a botnet consisting of a large number of Internet-connected devices, such as printers, IP cameras, residential routers, and baby monitors, that had been infected with the Mirai malware. It affected over 75 web services from Airbnb to Zillow. With an estimated load of 1.2 terabits per second, the attack is, according to experts, the largest DDoS on record. According to Dyn, there were three waves of DDoS attacks beginning at 7:00 a.m. EDT, again at 11:52 a.m., and again at 4:00 p.m. Each attack was resolved within 2 to 3 hours when internet users began reporting difficulties accessing websites. The slide below comes from a Webex from Sophos.

[Image: Mirai attack.png]


Botnets can infiltrate networks through different routes like email attachments, compromised websites, or USB devices, but IoT devices may offer the easiest way to infiltrate networks since there is little management applied to consumer internet-ready devices. IoT devices come with standard setup passwords such as “admin 12345”, which are rarely changed. Many have back doors for customer support, and very few have an active program for installing patches and updates. Once a botnet is inside a device it can call home to the cybercriminal to get further instructions, troll the network for other vulnerable devices, steal data, hold data for ransom, or launch a full-scale attack such as the Mirai DDoS. Fortunately, these attacks up to now have been passive or DDoS attacks. A much greater danger would be if they could actively impact critical infrastructure like transportation or power grids through IoT sensors.


The cybercriminal can benefit in a number of ways. He can collect a number of botnets and rent them out to whoever wants to use them, providing BOTaaS (Botnet as a Service) for as little as $200 to $300 per 1000 computers, according to PC World. This has led to cyber extortion, where bad actors have threatened DDoS attacks on large enterprises like gaming sites, and to ransom attacks on small businesses, where they have managed to encrypt files and demand money for the encryption key. The demand is for less than $1000, which usually is considered a misdemeanor and seems to be the threshold where victims find it easier to pay. Another contributor to these kinds of activities is the availability of Bitcoin, where payments cannot be traced.


Because of HIPAA requirements for patient data, many small medical offices and clinics have been subject to ransomware. Ransomware can be thwarted if you have a backup copy that is up to date. Hitachi’s HCP object store automatically replicates every file that is ingested. Recently HIPAA has required the costly notification of patients in the case of ransomware attacks if the patient data was exposed during the ransom capture. Since HCP also encrypts the data on ingestion, this would not be a problem if the data is stored on HCP. PCI DSS has similar requirements for credit card data, which is being addressed with tokenization. Tokenization substitutes a randomized number token for the credit card number.


Prevention against these attacks consists of robust firewall protection that can detect patterns such as “call home” activity that is not to an authorized vendor, and endpoint security systems that install client software which authenticates logins from the endpoints and updates the device software when needed. Everyone now has several IoT devices in the home, from routers for home networks to internet-enabled TVs and printers. The first thing you need to do is change the password on a regular basis and update the firmware. You can restrict IoT devices to cloud-based devices which (hopefully) have security maintained by the cloud vendor.
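
The firewall check described above, as an added example that is not part of the original post: it flags IoT devices that call out to addresses outside their vendor's range, and devices that probe several internal hosts in a short window. The device names, address ranges, log format and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed LAN range and hypothetical per-device vendor allowlist (documentation prefixes).
INTERNAL = ip_network("10.0.0.0/24")
AUTHORIZED = {
    "camera-01": [ip_network("203.0.113.0/28")],
    "printer-01": [ip_network("198.51.100.16/29")],
}

# Constructed firewall log, one connection per line: epoch device dst_ip dst_port
SAMPLE_LOG = """\
1000 camera-01 203.0.113.5 443
1005 printer-01 198.51.100.17 443
1010 camera-01 192.0.2.77 6667
1020 camera-01 10.0.0.11 23
1021 camera-01 10.0.0.12 23
1022 camera-01 10.0.0.13 23
garbled line that the parser must skip
1030 printer-01 10.0.0.5 631
"""

def parse_log(text):
    """Yield (ts, device, dst, port); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        try:
            ts, device, dst, port = line.split()
            yield int(ts), device, ip_address(dst), int(port)
        except ValueError:
            continue

def unauthorized_call_home(records, authorized):
    """External destinations outside the device's allowlist (no entry = nothing allowed)."""
    return [(dev, str(dst), port) for _, dev, dst, port in records
            if dst not in INTERNAL
            and not any(dst in net for net in authorized.get(dev, []))]

def scanning_devices(records, window=60, min_hosts=3):
    """Devices reaching min_hosts or more distinct internal hosts within window seconds."""
    seen = defaultdict(list)
    for ts, dev, dst, _ in records:
        if dst in INTERNAL:
            seen[dev].append((ts, dst))
    return sorted(dev for dev, hits in seen.items() if any(
        len({d for t, d in hits if 0 <= t - start <= window}) >= min_hosts
        for start, _ in hits))

RECORDS = list(parse_log(SAMPLE_LOG))
print(unauthorized_call_home(RECORDS, AUTHORIZED), scanning_devices(RECORDS))
```
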


According to Wikipedia, "The Internet of Things (IoT) is the inclusion of electronics and software in any device not usually considered computerized in nature, to enable it to achieve greater value and service by giving it an ability to network and communicate with other devices. Each item is uniquely identifiable through its embedded computing device but is able to interoperate within the existing Internet infrastructure." The IoT's ability to network and communicate opens up vast opportunities to make this world a better place, but it also opens up a lot of new vulnerabilities. Unfortunately, this is Mirai.