Botnets, Mirai and the unsecured IoT

There has been a lot of news recently about the security of Internet of Things (IoT) devices and the lack of security built into them by default. IoT is the next big topic of the connected world; these devices range from kettles to doorbells, CCTV cameras, TVs and thousands of other connected products.

The problem comes when manufacturers ship these devices with weak security by default: usernames and passwords that are never changed or updated when the device is first turned on, and firmware that does not check for updates at regular intervals. This lets attackers brute-force the credentials, log in to the devices remotely and do whatever they like with them, such as launching attacks on anyone on the Internet.
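The brute-force login attempts described above leave a trail in the device's own authentication log, and that trail is the simplest place to catch them. The following is an added example, not code from the original post: it parses a handful of constructed telnet login records (the format, hostnames and addresses are invented for illustration), flags any source that racks up a threshold of failures inside a short window, and marks the worst case, where a success follows the burst, which is what a successful default-credential guess looks like.

```python
"""Detect credential brute-forcing against an IoT device from its auth log.

Added example (not from the original post). The log format below is a
constructed syslog-like layout, not the output of any real device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one attacker hammering root/admin/guest and
# finally getting in, one stray failure, one legitimate login.
SAMPLE_LOG = """\
2016-10-21 10:00:01 telnetd: LOGIN FAILED user=root from=203.0.113.7
2016-10-21 10:00:02 telnetd: LOGIN FAILED user=admin from=203.0.113.7
2016-10-21 10:00:03 telnetd: LOGIN FAILED user=root from=203.0.113.7
2016-10-21 10:00:03 telnetd: LOGIN FAILED user=guest from=203.0.113.7
2016-10-21 10:00:04 telnetd: LOGIN FAILED user=admin from=203.0.113.7
2016-10-21 10:00:05 telnetd: LOGIN OK user=root from=203.0.113.7
2016-10-21 10:07:12 telnetd: LOGIN FAILED user=admin from=198.51.100.9
2016-10-21 10:45:00 telnetd: LOGIN OK user=admin from=192.0.2.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ LOGIN (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log text into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source: verdict}.

    'bruteforce' = at least `threshold` failures inside `window`;
    'bruteforce-then-success' = a successful login followed such a burst,
    i.e. the device's credentials were most likely guessed.
    """
    recent = defaultdict(deque)  # per-source timestamps of recent failures
    verdicts = {}
    for ts, result, _user, src in sorted(events):
        q = recent[src]
        while q and ts - q[0] > window:  # expire failures outside the window
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold:
                verdicts.setdefault(src, "bruteforce")
        elif src in verdicts and q:  # success while a burst is still "hot"
            verdicts[src] = "bruteforce-then-success"
    return verdicts


def analyse_log(log_text):
    """Convenience wrapper: parse and detect in one call."""
    return detect_bruteforce(parse(log_text))


if __name__ == "__main__":
    for src, verdict in analyse_log(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The thresholds are deliberately low for the sample; on a real device log, tune `threshold` and `window` to the device's normal administrative use, and treat `bruteforce-then-success` as a trigger to rotate the credentials and check the firmware, not just as an alert.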

Below is a list of the most commonly used passwords on these devices:

(Image: Mirai most used passwords)

Two of the most recent targets this year were KrebsOnSecurity, a popular information security website, and Dyn, a managed DNS provider. Both were hit by Distributed Denial of Service (DDoS) attacks, which try to overwhelm a service such as a website with traffic, as in the following examples.

An interactive website showing the attacks that are happening at any given time can be found at:

Back in September, the KrebsOnSecurity website, run by Brian Krebs, an information security researcher who keeps people up to date on all things IT security related, was targeted by a cyber-attack in which 620 Gbps of traffic was sent to the site in an attempt to knock it offline.

Dyn, an Internet company offering managed DNS solutions that keep name resolution reliable, was targeted by the same type of attack as Krebs. This time the attack was much larger: some reports say that over 100k IoT devices took part and that it exceeded 1 Tbps in size.

What is a Botnet?

Now that we know IoT devices can be insecure from the day you buy them, how are attackers able to use them to knock remote services offline?

A botnet is a collection of Internet-enabled devices that carry out the instructions of a malicious attacker without the knowledge of the devices' owners. A device can be infected either by the user visiting a malicious webpage and installing an application that takes over their machine, or through the weak credentials mentioned above.

Once a device is compromised, whether by malware being installed or by its login being guessed, the malicious program begins its takeover and installs itself as a kernel device driver or some other component that lets it persist on the system.

The infection process happens in a number of stages, shown in the diagram below.

(Diagram: botnet-infection)

Command and Control

Once the device is under the attacker's control, it waits for further commands from the C2 (also known as C&C, Command and Control) server, usually over IRC. From time to time the device sends back a “Hello, I’m here” ping so the C2 server knows which devices are connected to the botnet.

Once communication is established, the controlled device is told what to do, which is usually to take part in a DDoS attack against an unsuspecting company.
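That “Hello, I’m here” check-in is the defender's opening: a bot phoning its C2 server does so on a timer, so its connections arrive at a near-constant interval, while a person browsing produces bursty, irregular traffic. The following is an added example, not code from the original post: it groups constructed connection records (addresses and times are invented) by source, destination and port, and flags pairs whose inter-connection intervals have low jitter, measured as the coefficient of variation (standard deviation divided by mean).

```python
"""Spot C2 beaconing in connection logs by looking for low-jitter intervals.

Added example (not from the original post). The records below are
constructed; the IRC port is used only because the post says Mirai's C2
traffic usually runs over IRC.
"""
import statistics
from collections import defaultdict

# Constructed connection records: (epoch seconds, src, dst, dst_port).
SAMPLE_CONNS = [
    # a camera checking in with its C2 server roughly every 60 seconds
    (1000, "10.0.0.21", "198.51.100.50", 6667),
    (1061, "10.0.0.21", "198.51.100.50", 6667),
    (1120, "10.0.0.21", "198.51.100.50", 6667),
    (1180, "10.0.0.21", "198.51.100.50", 6667),
    (1241, "10.0.0.21", "198.51.100.50", 6667),
    (1300, "10.0.0.21", "198.51.100.50", 6667),
    # a laptop browsing the same site on and off: irregular HTTPS connections
    (1005, "10.0.0.40", "203.0.113.80", 443),
    (1009, "10.0.0.40", "203.0.113.80", 443),
    (1130, "10.0.0.40", "203.0.113.80", 443),
    (1131, "10.0.0.40", "203.0.113.80", 443),
    (1290, "10.0.0.40", "203.0.113.80", 443),
    (1299, "10.0.0.40", "203.0.113.80", 443),
]


def find_beacons(conns, min_conns=5, max_cv=0.1):
    """Return [(src, dst, port, mean_interval)] for pairs that look timer-driven.

    cv = population stdev / mean of the gaps between consecutive connections.
    A cron-like check-in has cv close to 0; human traffic has cv well above
    max_cv. min_conns stops a pair with one or two gaps from being judged.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in conns:
        by_pair[(src, dst, port)].append(ts)

    flagged = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged.append((src, dst, port, round(mean, 1)))
    return flagged


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(SAMPLE_CONNS):
        print(f"{src} -> {dst}:{port} every ~{interval}s looks like beaconing")
```

Real bots often add jitter to their check-in timer, so in practice you would loosen `max_cv`, combine this with destination reputation and port rarity, and run it over flow records from the firewall rather than a single host; the shape of the test stays the same.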

How do we protect ourselves?

Unfortunately, there is no silver bullet for surviving a botnet. The most important thing is for manufacturers to ensure that their IoT devices are kept up to date and that any administrative passwords are changed as soon as the device is first powered on.

Keeping anti-virus and anti-malware protection enabled and up to date on your devices helps ensure that no unwanted software is installed on them.

If your business uses FTP, telnet or SSH, these services should sit at the edge of the network inside a DMZ, so that the impact of any compromise is contained and does not spread further.

Monitor the egress rules in place on your network and allow only what is needed for work duties, although in most businesses this is often unrealistic.

To ride out a DDoS you usually need more bandwidth than the attackers are using, so that you can absorb the additional load. Companies such as Akamai, Dyn and Neustar, to name a few, sell DDoS mitigation packages.
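The segmentation and egress advice above can be made concrete as a default-deny allow-list keyed by source zone: an IoT segment gets NTP and its vendor's update server and nothing else, so a compromised camera cannot reach a C2 server or scan other telnet hosts on the Internet even if it is infected. The following is an added example, not code or policy from the original post: the zones, networks, allowed services and sample flows are all constructed for illustration, and the function simply reports which outbound flows such a policy would block.

```python
"""Audit outbound flows against a default-deny, per-zone egress allow-list.

Added example (not from the original post). Zones, rules and flows are
constructed; the vendor update range and internal resolver are invented.
"""
import ipaddress

# Constructed zones: name -> source network.
ZONES = {
    "iot": ipaddress.ip_network("10.10.0.0/24"),
    "users": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed allow-list: zone -> (protocol, dst_port, dst_network or "any").
# Anything not listed is denied, which is the "allow only what you need" rule.
EGRESS_ALLOW = {
    "iot": [
        ("udp", 123, "any"),                 # NTP
        ("tcp", 443, "203.0.113.0/24"),      # vendor firmware update server (constructed)
    ],
    "users": [
        ("tcp", 80, "any"),                  # web
        ("tcp", 443, "any"),
        ("udp", 53, "10.0.0.53/32"),         # internal resolver only
        ("tcp", 53, "10.0.0.53/32"),
    ],
}


def zone_of(src):
    """Return the zone name for a source address, or None if it is unknown."""
    ip = ipaddress.ip_address(src)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src, dst, proto, port):
    """True only if an explicit rule for the source's zone matches the flow."""
    zone = zone_of(src)
    if zone is None:
        return False  # unknown source: default deny
    dst_ip = ipaddress.ip_address(dst)
    for rule_proto, rule_port, rule_net in EGRESS_ALLOW[zone]:
        if rule_proto != proto or rule_port != port:
            continue
        if rule_net == "any" or dst_ip in ipaddress.ip_network(rule_net):
            return True
    return False


# Constructed outbound flows: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.10.0.21", "198.51.100.50", "tcp", 6667),  # camera to an IRC-style port
    ("10.10.0.21", "203.0.113.9", "tcp", 443),     # camera to its update server
    ("10.10.0.21", "192.0.2.77", "tcp", 23),       # camera probing telnet outward
    ("10.20.0.40", "198.51.100.80", "tcp", 443),   # user browsing
    ("10.20.0.40", "198.51.100.53", "udp", 53),    # user bypassing the internal resolver
]


def audit(flows):
    """Return the flows the policy would block; review these against the logs."""
    return [flow for flow in flows if not is_allowed(*flow)]


if __name__ == "__main__":
    for src, dst, proto, port in audit(SAMPLE_FLOWS):
        print(f"DENY {src} -> {dst} {proto}/{port}")
```

Run against real flow records, the denied list doubles as a detection feed: an IoT device that keeps trying port 6667 or port 23 outbound is telling you it has been recruited, even before the DDoS traffic starts.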

A Chinese manufacturer of CCTV devices that were found to be part of the Mirai botnet has started recalling them so that they can be updated with better security. More information can be found here:

Hope you enjoyed this post.
