Cyber criminals are exploiting vulnerabilities on Internet of Things (IoT) devices in an increasing number of distributed denial of service (DDoS) attacks. In a recent DDoS attack, remotely controlled IoT devices believed to be infected with Mirai malware were used as part of a botnet to take down a domain name system (DNS) company. This attack affected many organizations indirectly by making their websites or services inaccessible to their customers. The attack involved routers, digital video recorders, webcams, and internet-enabled cameras that were infected by the Mirai malware.
To avoid being a victim of future attacks, organizations need to verify how IoT devices are implemented and kept secure.
Here are our top five security recommendations for your IoT devices:
- Change the default credentials of IoT devices. The Mirai botnet malware used in the IoT DDoS attacks scans the internet for IoT devices that accept telnet connections, and devices still using weak or default credentials are easily compromised. Secure IoT devices with strong, unique credentials so that brute force attempts fail.
- Disable universal plug and play (UPnP) on gateway routers. UPnP lets devices inside the network open ports on the gateway automatically, which allows external computers to reach devices inside the network. To prevent this, disable UPnP on gateway routers. Some applications may stop working when UPnP is disabled, so they may need to be reconfigured.
- Update IoT devices frequently. Update IoT devices with the latest firmware and patches as soon as possible to ensure that the known vulnerabilities are addressed.
- Ensure proper firewall configuration and identify malicious traffic. Configure the firewall to block incoming User Datagram Protocol (UDP) packets because they are used to exploit IoT devices. IoT DDoS attacks in October 2016 targeted the following three ports: 23 (telnet), 2323 (IoT telnet), and 103 (Mirai backdoor). In addition, IoT devices that have already been infected by the Mirai malware are known to spread the infection through port 48101. Those ports should be closed if they are not used for business purposes.
- Review reliance on easily identified internet connections. Examine your level of reliance on public-facing web servers that are easy to identify externally and that are used for critical operations. It is important to review incident response procedures as well so that operations are not halted due to a cyberattack. In addition, IoT devices that are on public-facing servers should be secured to prevent unauthorized access.
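The firewall recommendation above pairs blocking with identifying malicious traffic. The following script is an added example, not part of the original advisory and not a Mirai-specific tool: it parses gateway log lines in the iptables LOG format (the sample lines are constructed, using documentation address ranges), counts external sources probing the listed ports 23, 2323 and 103, flags internal hosts that talk outbound to 48101 or probe telnet ports themselves (the behaviour of an already-infected device), and generates the log-then-drop rules that feed the detector. The internal address ranges, the probe threshold and the chain name are assumptions.

```python
"""Spot Mirai-style traffic in gateway firewall logs (added example).

Assumptions: internal space is 192.168.0.0/16 and 10.0.0.0/8, three probes
from one source count as scanning, and the gateway logs in iptables format.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Ports named in the advisory: inbound probe targets and the infected-device port.
SCAN_PORTS = {23, 2323, 103}
REPORT_PORT = 48101

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Fields present in every iptables LOG line for TCP/UDP traffic.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)")

# Constructed log lines in iptables LOG format (not real captures).
SAMPLE_LOG = [
    "IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=43210 DPT=23 SYN",
    "IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.21 LEN=60 PROTO=TCP SPT=43211 DPT=2323 SYN",
    "IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.22 LEN=60 PROTO=TCP SPT=43212 DPT=103 SYN",
    "IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=50000 DPT=23 SYN",
    "IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=39000 DPT=48101 SYN",
    "IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=39001 DPT=23 SYN",
    "IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.90 LEN=60 PROTO=TCP SPT=39002 DPT=443 SYN",
    "IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.20 LEN=48 PROTO=UDP SPT=5353 DPT=53",
    "IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Extract src, dst, protocol and destination port; None for non-TCP/UDP lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def analyze(lines, scan_threshold=3):
    """Return (scanners, infected).

    scanners: external source -> count of TCP probes to SCAN_PORTS, kept only
              when the count reaches scan_threshold.
    infected: internal host -> sorted reasons it looks compromised.
    """
    probes = Counter()
    infected = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        src, dst, dpt = rec["src"], rec["dst"], rec["dpt"]
        if is_internal(src) and not is_internal(dst):
            # Outbound from our network: the two infection indicators.
            if dpt == REPORT_PORT:
                infected[src].add("outbound to 48101")
            elif dpt in SCAN_PORTS:
                infected[src].add(f"probing port {dpt}")
        elif not is_internal(src) and dpt in SCAN_PORTS:
            # Inbound from the internet to a listed port.
            probes[src] += 1
    scanners = {s: n for s, n in probes.items() if n >= scan_threshold}
    return scanners, {h: sorted(r) for h, r in infected.items()}


def block_rules(ports=None, chain="FORWARD"):
    """iptables commands that log, then drop, TCP to the listed ports.

    Logging before dropping is what produces the lines analyze() reads.
    Apply only after confirming none of the ports serve a business purpose.
    """
    if ports is None:
        ports = sorted(SCAN_PORTS | {REPORT_PORT})
    rules = []
    for port in ports:
        rules.append(f'iptables -A {chain} -p tcp --dport {port} '
                     f'-j LOG --log-prefix "IOT-BLOCK: "')
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    scanners, infected = analyze(SAMPLE_LOG)
    print("external scanners:", scanners)
    print("likely infected internal hosts:", infected)
    print("\n".join(block_rules()))
```

Run against the constructed log, `analyze` reports 203.0.113.5 as a scanner (three probes across the three listed ports) and 192.168.1.30 as likely infected (outbound 48101 plus its own telnet probing); the single probe from 198.51.100.9 stays below the threshold, and the UDP and ICMP lines are ignored because Mirai's telnet activity is TCP. In production the log lines would come from the gateway's syslog rather than a list, and a flagged internal host is exactly the case for the offline-reboot-reauthenticate procedure below.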
If you believe one of your IoT devices may be compromised, take the device offline, reboot it, set strong authentication, and only then put it back online. The malware resides only in volatile memory, so rebooting removes it. However, if the device is brought back online before strong authentication is in place, it will likely be reinfected.