The Mirai botnet’s massive DDoS attacks are still firmly lodged in the memory of IoT manufacturers. But fear is already growing over the next one to hit. IoT Reaper – recently discovered by researchers at the security firms Netlab 360 and Check Point – is based on the Mirai botnet code. It is estimated to have infected 28,000 devices, and another 2 million are vulnerable to attack. Although the botnet seems to be smaller and less dangerous than first estimated, both enterprises and device manufacturers should think about their strategies to fight such threats. One thing is for sure: this one won’t be the last.
What is an IoT botnet?
IoT botnets use Internet-connected devices that have been infected by the same malware and are controlled by a threat actor from a remote location. IoT Reaper is no different: it infects devices with malware, effectively hijacking each device until the botnet controller is ready to issue commands.
How does IoT Reaper exploit devices?
IoT Reaper targets nine specific firmware vulnerabilities affecting home routers, cameras and video recorders made by Linksys, D-Link, VACRON, NUUO, NETGEAR, AVTECH, Maginon, Avacom, and others. A few days after it was discovered, another exploit against D-Link devices was added.
The malware is still being revised and updated, and new vulnerabilities could be added at any time. Patches are available for most of these vulnerabilities, but unfortunately many consumers and enterprises never take the necessary steps to patch IoT devices.
What can device owners do?
- Username/password combinations: Even if default credentials are not the primary target of this botnet, they are being used by many others. Don’t use default username/password combinations, and get rid of simple passwords that can be cracked.
- Does your device need to be on the internet? Even in an always-on generation, it makes sense to ask this question. IT departments often just plug devices into a Web server to reduce the hassle of connecting two devices to each other. That is not always the best option if sensitive data is involved. Check Shodan.io to determine whether your device is visible on the internet.
- Track and patch: It is the nature of the beast – software has bugs. And most vendors consistently release patches to counter vulnerabilities. Update your firmware as soon as a patch is released. IoT firmware also contains a fairly large percentage of Open Source Software – more than you might think. Always insist on a Bill of Materials from device manufacturers so you know what’s in the products you buy.
And how can software or device suppliers help?
Most devices remain unpatched because users don’t know that an update is available. And only a small group of end users – consumers and enterprises alike – go through the effort of checking for available software/firmware updates frequently enough.
Suppliers that know which customers are using which software version on which device can use their software monetization back office to notify users of vulnerable devices immediately. It is also possible to connect devices to a software/firmware update solution so that devices request new updates automatically whenever they are connected.
Patch all vulnerable software
Ultimately, Reaper and other botnets use available security holes to infect devices. Open Source security vulnerabilities in IoT firmware are another easy target. Device manufacturers should consistently track Open Source usage in their firmware, and have a process and tools in place that will alert them to high-risk vulnerabilities in Open Source software or 3rd-party components used. Close the risk window as soon as possible to keep your devices and customers out of trouble.
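The two supplier-side pieces above – knowing which firmware version each device runs, and tracking the Open Source components inside that firmware against a vulnerability feed – come together in a small matching job. The following Python is an added example written for this post, not code from any vendor or from the Reaper research; every device id, model, component name, version and advisory id in it is constructed for illustration, and the version comparison assumes plain dotted numeric versions.

```python
"""Added example: match each device's firmware bill of materials (BOM) against a
vulnerability feed and work out which devices the supplier must notify.
All device ids, model names, component names, versions and advisory ids below
are constructed for illustration; they are not real products or CVEs."""

from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    firmware_version: str
    components: tuple  # the device's BOM: (Component, ...)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    fixed_in: str      # versions strictly below this are affected
    severity: str


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def version_lt(a, b):
    """True if version string a is older than b; '1.2' and '1.2.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def affected_advisories(device, advisories, min_severity="high"):
    """Advisory ids that hit a component in this device's BOM at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for comp in device.components:
        for adv in advisories:
            if (adv.component == comp.name
                    and SEVERITY_RANK[adv.severity] >= threshold
                    and version_lt(comp.version, adv.fixed_in)):
                hits.append(adv.advisory_id)
    return sorted(hits)


def build_notifications(devices, advisories, firmware_catalog, min_severity="high"):
    """One notification per device that ships a vulnerable component.

    firmware_catalog maps model -> newest released firmware. If the device is
    already on the newest firmware, no fix has shipped yet and target_firmware
    is None: that is the case the vendor's own tracking process must escalate.
    """
    notices = []
    for dev in devices:
        hits = affected_advisories(dev, advisories, min_severity)
        if not hits:
            continue
        newest = firmware_catalog.get(dev.model)
        has_fix = newest is not None and version_lt(dev.firmware_version, newest)
        notices.append({
            "device_id": dev.device_id,
            "model": dev.model,
            "current_firmware": dev.firmware_version,
            "target_firmware": newest if has_fix else None,
            "advisories": hits,
        })
    return notices


# Constructed sample fleet, vulnerability feed and release catalog.
DEVICES = (
    Device("cam-0001", "IPCAM-X", "1.2.0",
           (Component("embedded-httpd", "3.6.3"),
            Component("tls-lib", "1.0.2"),
            Component("shell-utils", "1.24.1"))),
    Device("cam-0002", "IPCAM-X", "1.3.0",
           (Component("embedded-httpd", "3.6.5"),
            Component("tls-lib", "1.0.3"),
            Component("shell-utils", "1.27.2"))),
    Device("rtr-0042", "HomeRouter-7", "2.1.5",
           (Component("tls-lib", "1.0.3"),
            Component("shell-utils", "1.27.2"))),
    Device("nvr-0007", "NVR-4", "4.0.1",
           (Component("embedded-httpd", "3.6.4"),)),
)
ADVISORIES = (
    Advisory("ADV-0001", "embedded-httpd", "3.6.5", "critical"),
    Advisory("ADV-0002", "tls-lib", "1.0.3", "high"),
    Advisory("ADV-0003", "shell-utils", "1.27.0", "low"),
)
FIRMWARE_CATALOG = {"IPCAM-X": "1.3.0", "HomeRouter-7": "2.1.5", "NVR-4": "4.0.1"}

if __name__ == "__main__":
    for notice in build_notifications(DEVICES, ADVISORIES, FIRMWARE_CATALOG):
        print(notice)
```

Running it flags cam-0001 (two high-or-worse findings, fixed by moving to firmware 1.3.0) and nvr-0007 (a critical finding with no newer firmware in the catalog, so the notice carries no target version and the gap has to be closed by a release, not by a customer update). Devices already on the fixed component versions produce nothing, and the low-severity shell-utils advisory is held back by the severity threshold rather than dropped from the feed.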