The recent spate of Mirai botnet attacks has brought into sharp focus the vulnerability of many connected home devices. One example of which is the massive DDoS attacks on Internet service company Dyn, which brought down popular websites such as Netflix, Twitter, and the BBC. In total, Mirai infected more than 1.5 million devices.
With this in mind, at CES 2017, we announced the first ever IoT security solution to protect home networks from Mirai-like botnet attacks. Our solution protects by identifying vulnerable devices and also possible compromised devices
Identifying Key Vulnerabilities
Research indicates two things. Firstly, Mirai scans the networks for devices with open telnet ports and then try combinations of usernames and passwords to gain access to these devices. Secondly, that the devices successfully attacked by Mirai were the ones with open Telnet ports with weak Telnet credentials.
Weak passwords are an issue for any kind of port, but especially so for Telnet ports. Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text interface to remote computers. Telnet is a very old protocol that’s not safe as, by default, it’s not encrypted. This can be mitigated somewhat by having a unique username and strong password, but many manufacturers hardwire trivial Telnet credentials on their devices with no way for the average end user to change it. To make things worse, those credentials are often publicly available on the Internet. When you then configure or set up a remote host (Camera/DVR/computer), the usernames and passwords are in plain text, making them even an easy target for hackers to intercept or crack.
Once access is granted, Mirai then seeds the IoT device with malicious software and turns it into a bot. Once they have access via Telnet, attackers can gain complete control of these devices and easily inject malicious software into them. In the network security world, this is also known as gaining root (superuser) access. These bots are then used to conduct DDoS attacks on different internet infrastructures to bring them down. You can reset the device to get rid of the malware software, but your devices will quickly get infected again.
UPnP and Port Forwarding
Mirai attacks the Telnet port, but there are other kinds of botnets/malware which are designed to attack other open ports. A commonly used service called UPnP also offers a potential backdoor into your IoT device. UPnP is a service that automatically forwards ports on your router. UPnP is used by many devices, like gaming consoles, for example, to connect to gaming servers. Hackers or unauthorized users can use open ports which are forwarded by UPnP to gain control of some devices.
In addition, the risk doesn’t necessarily come from the internet. It can come from an infected device with your network like a USB device connected to a computer on your network.
Understanding Further the Relationship Between Botnets and Open Ports
Based on the above information we set out to see if we could more definitively prove that relationship and also understand more about how Mirai and other Botnets attack. To do so, we analyzed Mirai’s source code and also simulated a botnet attack to test our results. We set up a number of devices to have Telnet port open and UPnP with varying strengths of passwords and found that our simulated Mirai attack infected these devices.
We decided that the most holistic way to protect your network and devices was to have a solution that could both identify vulnerabilities and also signs of infection in your IoT devices – and then provide you with the tools to block or quarantine them. In the former case, our solution scans devices in your network for open ports, checks whether the UPnP service or port forwarding is active, and tests for any weak Telnet and local web server usernames and passwords. In the latter case, it scans your devices for unusual communications — a tell-tale sign they are already compromised.
We decided to scan and then sort based on these vulnerability classes:
- Known open ports (Ports 0 to 1024)
- Devices using UPnP service (Ports 1024 to 65536)
- Port forwarding enabled on the router(Ports 0 to 65536)
- Telnet port open with weak credentials.
- Device using UPnP on known ports (Ports 0 to 1024)
- Local web servers with weak credentials.
Some vulnerabilities would require immediate attention, like changing passwords, upgrading firmware, or contacting the device vendor. While other vulnerabilities may require switching off UPnP or port forwarding in your Almond router.
To test now our solution we bought an exhaustive range of devices including some of the devices which the Mirai botnet had affected – Amazingly, these devices are still available for sale! Our scans were able to identify all the previously documented problems which led to the devices getting infected. For example, the Dahua IP cameras and DVRs had open Telnet ports and were using usernames and passwords which were documented on the internet.
We also checked port 80 (HTTP, ie. a web server) for weak usernames and passwords and found that the devices under test were again using passwords which were documented online. To make matters worse, some of the devices were using UPnP on port 80, meaning anyone could try and access the device’s web server to modify or alter the device settings. In this case, the only way to remedy the problem is through a firmware update, which can only be done by the device manufacturer.
The following pictures and screenshots highlight the scan states and the vulnerabilities we identified in devices:
Finally, we expanded our testing to take into account the complexities of different manufacturer implementations, both in terms of their firmware compared to each other and across different devices. We enabled different UPnP and port forwarding scenarios s to test our scanning solution. In each case, our scan was able to detect the vulnerabilities set up in the test scenario.
Almond’s scanning solution was able to detect a range of weaknesses beyond Mirai; weaknesses that made these devices also vulnerable to other botnets or malware which might use simple scripts to guess the administrative credentials for the web server.
Detecting compromised IoT devices
The second part of our solution protects your network and your devices by listening for abnormal behavior. Popular IoT devices such as Philips Hue bulbs, Nest thermostats, or baby monitors connect with their cloud services and allow users to control them via a mobile app. They are not vulnerable to Telnet, but there is still the possibly that they get hacked in a different way. Since Almond is both a hub and a router, it’s capable of monitoring the traffic pattern originating from these devices and decide whether they are behaving suspiciously. Even metadata such as the number of pings a Nest thermostat sends to Nest servers can reveal valuable information about the behavior of these devices. Using feedback from our platform, we have been able to create a database that defines normal outbound traffic for the most popular IoT devices. We then use machine learning to identify any abnormal behaviour from these devices.
But to test this feature, we had to simulate the traffic patterns of these devices. We emulated the MAC addresses of the IoT devices on a test PC and started sending packet headers mimicking their normal behavior. Then, in order to test whether Almond is able to detect abnormalities in the outbound traffic, we added malicious requests from the simulator in between the normal packets. In all cases, the malicious requests were immediately caught and an alert was sent to the Almond app. The same test was performed for a list of key devices.
IoT security for home networks is a huge platform exasperated by the number of devices in the market where even the simplest security has been ignored. Almond’s IoT security solution puts a stop to this by detecting the causes of why these devices are easily infected. It also provides another dimension of protection by identifying abnormal behavior on a range of popular IoT devices.
One Month Free Trial
IoT security and the web history recording are part of subscription services from Securifi available in Almond 3 from 23rd January 2017 at $3.99/month. Subsequently, the service will be rolled out for Almond 2012, Almond 2015 and Almond+ from 28th February 2017. As an introductory offer, the services will be free for 1 month.
Get an Almond 3
The award-winning Almond 3, is a mesh router and smart hub combined in one. With Almond 3 you can blanket your home with seamless WiFi, connect up all your smart devices, and then control them with voice, buttons or an app.
Already the smartest router on the planet, it is now the most secure consumer router as well. It is the only consumer router capable of protecting your home network against Mirai botnet malware. Learn more.