Internet of Things
Internet of Things security has gotten completely out of hand, but how do we stop the Mirai botnet? One expert suggests blocking TCP Port 23iStock

On 21 October, multiple popular websites were taken offline for several hours by a giant distributed denial of service (DDoS) attack on the internet. DDoSing the entire internet, rather than individual sites, is unusual – but what is even stranger was the method by which it was done. Someone had created a giant botnet, Mirai, made from millions of hacked Internet of Things (IoT) smart devices like web-enabled cameras and routers to unleash chaos.

"Those of us that operate as DDoS subject matter experts have warned time and time again for years that these attacks were a complete reality. Yet few, if anyone, listened. If all IoT manufacturers [had] listened to industry experts, and added even the basic security measures into their technology, IoT botnets would not have become a reality," Stephen Gates, chief research intelligence analyst at enterprise network security firm Nsfocus, told IBTimes UK.

The reason that we now have the Mirai botnet, explains Vectra Networks CSO Gunter Ollmann, is because vendors decided to make new internet-enabled devices like smart watches, or to add internet capabilities to traditional appliances like kettles and toasters, but failed to secure the products before selling them to consumers.

Mirai happened because manufacturers didn't think about security

"A lot of the IoT technologies being rolled out that people buy, get excited about and establish market presence for, don't have security by design. The manufacturers are trying to save money and reduce the time to market, and only after the product has been proven to be popular do they go back and add security to it," he said.

Some smart devices ship with default passwords that are easily hacked unless the user changes it, while some manufacturers ship with passwords that cannot be changed at all. The problem with this is that if it cannot be changed, it can easily be hacked, so there is no way to fix the hijacked zombie devices in Mirai, unless vendors recall every single product and smart sensor in the wild, a near-impossible challenge. Chinese manufacturer Xiongmai, whose webcams were linked to the botnet that managed to take Twitter and multiple high-profile websites offline, has been recalling its devices.

"I am really annoyed because it's the stupidest trick in the book, what they're doing. The DDoS attack is really weakening the infrastructure of the internet for no reason. A DDoS attack is clogging a pipe with water, it's not sophisticated. It's sad that a bunch of script kiddies can take down the internet for millions of people just because of those insecure devices," GoSecure's head of cybersecurity research Olivier Bilodeau told IBTimes UK.

It's clear that from now on, product vendors will have to ship devices with unique passwords, or require consumers to change the password to something that cannot easily be hacked – but what do we do about all the existing smart sensors all over the world, primed to be hijacked and used to cause mayhem?

Why not block TCP Port 23 to stop zombie IoT devices?

"For current devices, internet service providers (ISPs) should block Telnet Port 23 globally, as they did with SMTP (Port 25) – a simple protocol for sending emails. This was done a few years ago because of the spam problem. they realised they couldn't trust consumers to run mail servers at home because they were misconfigured or just openly configured, so over 90% of ISPs just decided to block it," Bilodeau explained.

bitcoin blackmail btcc ddos attack
iStock

"IoT malware is misunderstood, people think it is more complicated than it is. No one is saying, just block port 23. I really think we have a good way to get rid of the major problem and I don't think the support cost for ISPs would increase. The benefits outweigh the potential problems. People complained when they first started blocking port 25 for email, but now they know how to route the ports properly for their email."

Sean Newman, the director of product management at Corero Network Security, agrees ISPs need to get involved, but he is cautious that blocking TCP Port 23 might have unwanted consequences to internet users.

"It might appear that one solution to the problem is for service providers to simply block all internet traffic using the Telnet protocol [on TCP Port 23] to avoid devices becoming compromised in the first place, but the challenge is that the many legitimate users of Telnet across the Internet will also be impacted, and distinguishing legitimate Telnet activity from nefarious activity is not a simple problem to solve," he told IBTimes UK.

"ISPs do need to take the lead here though – in the past they have taken an agnostic stance and reverted to their primary role of just moving traffic. This approach is no longer acceptable, as the technology now exists to mitigate the scaled DDoS attacks that we are seeing from IoT– there just needs to be greater urgency in increasing the scale of the mitigation capacity and the use of the latest in-line, real-time, automated tools."

Regulators need to step in to fix this mess

Gates is also not keen on simply blocking Port 23: "If ISPs were to block TCP port 23, that would be an unprecedented manoeuvre on a global scale. ISPs for decades have stayed away from trying to become the Internet police. If they did, who knows what the results would eventually be.

"Also, blocking one port on the Internet will not stop the problem. Many of the vulnerable IoT devices also run very weak web interfaces with TCP port 80 exposed. Many of the web interfaces are rife with known and unknown vulnerabilities. Do we expect the ISPs to begin blocking TCP port 80 next? If so, it will be the end of the Internet as we know it."

IBTimes UK contacted several ISPs in the UK and the US. BT, Sky and Virgin Media refused to comment on the issue, while other service providers did not respond at all.

IBTimes UK contacted several ISPs in the UK and the US. BT, Sky and Virgin Media refused to comment on the issue, while other service providers did not respond at all.

"The problem of IoT devices becoming compromised and used for malicious cyber-attack activity needs to be addressed by the community at large — an effort comprised of providers, device vendors, standards bodies [e.g. IETF – Internet Engineering Task Force] and independent test/validation organisations. Government can and may have a role to play in the future, if the players cannot get organised," said Gates.

"Many are calling for regulation. However, there is no single global regulatory body that could control IoT manufacturers. Even if countries institute their own regulations, how in the world will that ever be enforced? Even if they stop the trade of vulnerable IoT coming into their own countries, it will do nothing to stop them from coming into countries that don't. Remember, the Internet is a global and attacks can be launched from anywhere."