Did you know that your latest gadget could be part of an army that is taking down big sites on the Internet? It sounds crazy but it might as well be true. Today I am going to give you a few tips to secure your devices against IoT Botnets like Mirai or The Reaper.
There is no doubt: nowadays everything is an IoT device, from IP cameras to cardiac implants or drones. This trend doesn't seem to slow down. The world is more connected than ever.
Every new trend in technology has its drawbacks and the Internet of Things isn't an exception. The manufacturers of IoT devices need to land new products very quickly if they want to be competitive. As a result, security is seriously overlooked most of the time…
This leaves us with a perfect environment for IoT Botnets to succeed in their recruitment process.
What is an IoT Botnet?
An IoT Botnet is an army of connected devices that have been infected by malware. The idea behind IoT Botnets is to recruit as many IoT devices as possible and use them to perform attacks like DDoS.
Examples of IoT Botnets
Mirai is as simple as it is effective. It targets mainly IP cameras and routers that are still using the default password.
Who doesn’t change the default password? Apparently a lot of people…
Mirai infected millions of devices and was responsible for the largest DDoS attack in history. The most noteworthy of the attacks was the one on Dyn. Dyn controls a big percentage of the DNS infrastructure on the internet. The attack took down sites like Netflix, Twitter or CNN for the better part of a day.
IoT Reaper is the latest addition to the IoT Botnets club and far more sophisticated than its older brothers (Mirai, Hajime…).
IoT Reaper is based on Mirai, but there is something that makes it very special. This IoT Botnet uses known vulnerabilities and exploits them to gain access to the device. It has been quite prolific in terms of recruiting new IoT members; however, no attack has been credited to this botnet yet.
Tips to Secure Devices against IoT Botnets
1. Change the Freaking Default Password!
You knew this was coming…
Change the default password if you haven't. It only takes a few minutes, and unchanged default passwords are the main cause of unauthorized access.
Mirai was able to pull off the biggest DDoS attack in history just by scanning for IoT devices using the default password.
2. Use a Password Generator
Password policies are rather annoying but necessary these days. Every year SplashData publishes a report with the 25 most used passwords, based on different sources, mostly security breaches. The password “123456” has been the most popular one during the last four consecutive years. Creativity is not people’s strength when it comes to setting a password…
When possible, use a password generator.
I know…who the heck is going to remember Gdmn4%9OH35Y9X7…
A password manager can help you keep your passwords secured, organized and readily available when you need them. I use LastPass. There is a premium version but I find the free one to be sufficient for the average user.
3. Conduct a Mini Security Audit
No worries, you don’t need a computer forensics team to pull this off. There are a couple of things that you can do that barely take any time.
Use a service to test the strength of your passwords. There are tons of them on the internet that will do the job. One that you can try is HowSecureIsMyPassword.
Use Shodan to see which services in your network are accessible from the internet. Shodan is an awesome and scary tool that crawls the internet looking for devices whose services are exposed. For example, the following query gives you Raspberry Pis accessible from the internet. The potential of the tool is frightening…
If a vulnerability for a given device is revealed, a hacker only has to use Shodan to query for all the devices from that model connected to the internet and exploit the vulnerability.
Use the following request to check for accessible services in your network: https://www.shodan.io/host/YOUR_IP
4. Use a Firewall
Use a firewall to block access to any device unless it is strictly required to allow it. Pay special attention to IP cameras: the new ones use the P2P protocol, which can bypass the firewall.
5. Access Using a VPN or an SSH Tunnel
It is easier to secure the access if you have only one point of entry instead of 20. If you use a VPN or an SSH tunnel to connect to your IoT devices, you only have to work on keeping that point of entry secured.
Implementing a VPN server at home can be a bit complex but it definitely pays off. Check this tutorial on how to configure a private VPN with Raspberry Pi.
A less advanced solution is to use an SSH tunnel. Chances are that you already have a device connected to the internet that can be accessed using SSH. If that is the case, setting up an SSH tunnel as the point of access takes minutes and it is very simple.
Use Private Key Authentication for SSH whenever possible. It is a simple process and it adds an incredible level of security to your device.
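The SSH tunnel and key-only login from this tip, as an added example that is not part of the original post: the commented commands set up the key and the tunnel, and the functions check an sshd_config for settings that still allow password logins. The host gateway.example.org, the user pi, the address 192.168.1.50 and the sample config are all hypothetical or constructed.

```shell
#!/bin/sh
# Added example: gateway.example.org, user "pi" and 192.168.1.50 are
# hypothetical placeholders for your own SSH host and IoT device.
#
# Client side, typed once:
#   ssh-keygen -t ed25519 -f ~/.ssh/iot_gateway
#   ssh-copy-id -i ~/.ssh/iot_gateway.pub pi@gateway.example.org
# Tunnel to the device's web UI (then browse http://localhost:8080):
#   ssh -i ~/.ssh/iot_gateway -N -L 8080:192.168.1.50:80 pi@gateway.example.org

# effective FILE 'keyword|alias' DEFAULT
# sshd uses the first value it reads for a keyword, so print the first match
# in the global section (before any Match block), or DEFAULT if it is unset.
effective() {
    awk -v keys="$2" -v def="$3" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" keys ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: print one line per setting that still lets someone
# log in to the gateway with a password instead of a key.
audit_sshd_config() {
    [ "$(effective "$1" 'passwordauthentication' yes)" = no ] ||
        echo "PasswordAuthentication should be no"
    [ "$(effective "$1" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)" = no ] ||
        echo "KbdInteractiveAuthentication should be no"
    [ "$(effective "$1" 'pubkeyauthentication' yes)" = yes ] ||
        echo "PubkeyAuthentication should be yes"
    [ "$(effective "$1" 'permitrootlogin' prohibit-password)" != yes ] ||
        echo "PermitRootLogin should not be yes"
}

# Constructed sample: the later "PasswordAuthentication no" never takes effect.
sample_config() {
    printf '%s\n' '# constructed sample sshd_config' \
        'PermitRootLogin yes' \
        'PasswordAuthentication yes' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no'
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_sshd_config "$tmp"
rm -f "$tmp"
```

The script reads a single file and ignores Include directives and Match blocks; on a live host, `sshd -T` (run with sudo) prints the effective configuration and is the authoritative check.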
6. Keep your Devices Updated
If debugging is the process of removing software bugs, then programming must be the process of putting them in. (Edsger Dijkstra)
There is no exception to this: all software contains bugs. Those that aren’t deemed random features do eventually get fixed through updates.
Make sure your IoT gadgets are always up to date with the latest stable firmware.
7. Use Open Source Software whenever Possible.
The tagline of the Smart Home Blog is Open Source Home Automation for everyone so this tip shouldn’t come as a surprise. Open Source Software is great in a number of ways but one of its biggest strengths is security.
The source code is out there for everyone to analyze. As a result, vulnerabilities and “questionable features” are generally discovered earlier.
Thanks for reading the Smart Home Blog. If you liked the post share it please, it will help me a great deal!