Is my DVR being used in a cyber attack?

At approximately 7:00 a.m. ET on October 21, popular websites on the east coast appeared to go down, propelling a new type of distributed denial of service (DDoS) attack into the public spotlight. The malware involved in this incident, named Mirai leveraged Internet of Things (IoT) devices, such as DVRs and IP cameras, to form botnets. These botnets were used to target and disrupt core Internet services from domain name system (DNS) provider Dyn. As a malware strain, Mirai was already well known. A month prior, it was used to target security researcher Brian Krebs with a DDoS attacks five times larger than any previously seen.

As society moves toward smarter homes with dozens of connected devices, manufacturers and end users must consider the security implications of the devices they produce and use. While manufacturers maintain control over device operating systems and services, consumers can take action toward reducing the likelihood that their IoT devices will be used in these kinds of attacks in the future.

So, what actions can IoT device owners take now, to protect their devices from being hijacked by malware like Mirai? In this post, we detail basic security hygiene for IoT devices. Some actions are simple, like changing default passwords; others, such as shaping network traffic, require a higher level of technical proficiency.

Practical Protection

Consumers interested in protecting themselves can take actions that fall into two basic categories: protect the device or limit the damage an infected device can cause. For example, changing the username and password needed to access these devices can help prevent infection. The Mirai malware that was used in the October 21 attack on Dyn used a list of 62 username/password combinations to gain access to the devices in its botnet. Ideally, users should create a completely new username with an uncommon password and delete the default credentials, but simply changing the password can help prevent an infection.

To limit the damage caused by malware infections, consumers can control the traffic leaving their home network. Botnet malware sometimes use a technique called DNS reflection or DNS amplification to increase the amount of traffic generated. This technique spoofs the source IP address of traffic coming from infected devices. Protect against this type of attack simply by blocking all outbound traffic from your network that isn’t sourced from IP addresses of your devices.

Hardening devices and networks

Device hardening is a common security strategy that helps the device operate as intended and provide only those services needed by the end user. To properly harden a device, you should first determine what services and capabilities this device provides, and which of those services and capabilities you intend to use. Services that won’t be used should be disabled. Services that are being used should leverage the appropriate security controls. Here are a few items to consider:

  • Does the device use default credentials? If so, they should be changed to a unique set of credentials that is sufficiently complex. There are online tools available to help check the strength of your password. It is important to note that there may be more than one method to access a device, each with its own credentials—­you’ll need to change all of them.
  • Does the device support two-factor authentication? If so, use it.
  • Are there unused services on the device that can be shut down?
  • Can a firewall be used to block access to the ports corresponding to an unused service? For example, Mirai spreads via telnet and SSH, so disabling these services or blocking the ports via a firewall prevents infection.
  • Do you have devices set to automatically receive and install patches? Can you disable unencrypted access (e.g. require HTTPS vs. HTTP)?

Check user guides and manuals for routers and any devices on the network to find out how to perform these actions.

Device and network isolation

When evaluating a device’s functionality, it’s important to consider whether or not a device needs access to the internet. There are two reasons a device might need internet access: to allow the user to remotely access the device or so the device can access a cloud service. If internet access is needed only for remote access, try limiting access using a VPN, jump box, or other technique. If the device needs access to a cloud service, try limiting access to that specific service. Outbound filtering is one way you can limit which services the device can access.

Additionally, consider what systems your IoT devices need to be connected to. If IoT devices do not need to be on the same network as computers and mobile devices, setup a different subnet for them or even isolate them via micro-segmentation. Isolating devices can limit infections from spreading on your network. It also allows for filtering and traffic shaping on networks instead of individual devices, and allows for monitoring tailored to each network segment.

Rate limiting and traffic shaping

Limiting the rate of traffic flowing out of a device can be a very effective technique in preventing DDoS attacks. For example, a high-definition quality IP security camera may only need 500 Kbps to stream live video. An infected IP camera under the control of a botnet will often generate considerably more traffic. The most conservative estimates put the bandwidth used by a device infected by Mirai at 1 Mbps, with the largest estimates come in at 12 Mbps. Traffic shaping can be very effective for IoT devices, allowing short periods of high bandwidth use, but keeping the average low.

Outbound filtering

Is your device sending types of traffic that it shouldn’t? Mirai is capable of sending many different types of traffic, including some, such as GRE and Valve Source Engine queries, that are unlikely to be coming from an IoT device. Outbound Packet filtering for non-valid ports and protocols, in addition to the source address filtering mentioned earlier, could easily stop this type of traffic. Almost all firewalls, including those built into home routers, can perform this type of outbound filtering.

Monitoring

Monitoring for anomalous activity on a network can detect infections, and once you know that a device is infected, you can clean and secure the device. Some routers support intrusion detection and prevention, making this sort of monitoring fairly pain free. In addition to network monitoring, it is important to monitor logs on IoT devices, which might show failed login attempts indicating that the device was attacked. Many devices allow email configuration so that the device can alert you to various events, like failed logins, allowing you to take quick action in the event of an attack.

Tools

A good router is invaluable in implementing these security controls. If your router doesn’t support the required features, third party packages such as dd-wrt and OpenWrt can be installed on many routers. Other options include purchasing a unified threat manager (UTM), or building a system using Linux, VyOS, or other open source software.

Looking Forward

Attacks like Mirai are likely the first in a wave of new, IoT-centric security challenges. Recognizing that IoT device manufacturers and service providers play a critical role in building security into these devices, end users can take action now to protect their devices. The techniques outlined will provide defenses against current IoT malware, but malware and security challenges are always evolving. These challenges require IoT developers, service providers, and security professionals to look toward the future of technology for new security paradigms.

What can we do going forward to solve this problem at scale? Can some of the techniques discussed be automated? Should IoT management and security be provided as a service? Do we need to completely change how we think of security when scaling to 20 billion devices? The NCCoE is looking for feedback and collaborators to help answer these questions as we assist the private sector in addressing these IoT security challenges.