Security Blogger Identifies Next IoT Vulnerability, This Time on Linux OS

By Ken Briodagh November 01, 2016

It never rains, but it pours, right folks? Well, our socks are wet now, and the water just keeps getting deeper. In a post on the security blog Malware Must Die by @unixfreaxjp from October 28, we find another DDoS botnet aimed at the IoT specifically, and this time, ready for IPv6.

The investigator calls it Linux/IRCTelnet and said it looks like a new IRC botnet ELF malware that can be, and likely is being, used to perform DDoS attacks from IoT devices under IRC control. He said it is partially coded per the Tsunami/Kaiten protocols, but with additional features for malicious attack vectors and for targeting IoT devices over the telnet protocol.

Apparently, it is a combination of Kaiten for the IRC protocol, GayFgt/Torlus/Lizkebab/Bashdoor/Bashlite for the telnet scanner, and the Mirai botnet credential list. It also has an encoded CNC address so it can evade plain-text checks, and is partially coded in Italian just to make things more interesting. Finally, this botnet uses DoS attack mechanisms like UDP flood and TCP flood over both IPv4 and IPv6, with an extra IP spoofing option for IPv4 or IPv6.

As for origin, the researcher started with the knowledge that this botnet is a new version of Aidra bot, which helped in the search for similar executions and code. The result is that this is possibly by the known Italian hacker “d3m0n3” on the IRCNet.

Meanwhile, they saved partial IP address info for infected IoT devices they found, which have been shared with relevant authorities, and the writer noted that this is a significantly big botnet volume, especially considering it was only active for a few days, from October 25 to 28, at the time of publication.

Recommendations for mitigation include turning off globally reachable telnet services and not using known vulnerable usernames or passwords. If a device is infected (or you're not sure whether it is), the malware can be removed by rebooting the device, the post said. Of course the device will then have to be secured against the intrusion, or it will simply be re-infected.
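Because this bot spreads by trying default credentials over telnet and then rebooting clears it only until the next scan, a defender's first question is which devices are being hammered and which logins actually succeeded. The following is an added example, not code from the Malware Must Die post: it parses constructed, syslog-style telnet login lines (the format is an assumption; real telnet daemons log differently) and flags sources that fail several logins in a short window, noting whether a later login succeeded.

```python
"""Flag telnet credential-stuffing bursts in device auth logs (defender-side check)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines for illustration only; the field layout is assumed.
SAMPLE_LOG = """\
Oct 26 03:14:01 cam01 telnetd[412]: login failed user=root from=198.51.100.7
Oct 26 03:14:02 cam01 telnetd[412]: login failed user=admin from=198.51.100.7
Oct 26 03:14:02 cam01 telnetd[412]: login failed user=support from=198.51.100.7
Oct 26 03:14:03 cam01 telnetd[412]: login failed user=user from=198.51.100.7
Oct 26 03:14:04 cam01 telnetd[412]: login ok user=root from=198.51.100.7
Oct 26 03:20:00 cam01 telnetd[412]: login failed user=admin from=192.0.2.9
Oct 26 03:45:00 cam01 telnetd[412]: login ok user=admin from=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>ok|failed) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(log, year=2016):
    """Return (timestamp, source, user, succeeded) tuples; syslog lacks a year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events


def find_stuffing(events, threshold=3, window=60):
    """Map each source with >= threshold failed logins inside `window` seconds
    to the usernames it tried and whether any login from it later succeeded."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [(ts, user) for ts, user, ok in evs if not ok]
        for i, (t0, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if (ts - t0).total_seconds() <= window]
            if len(burst) >= threshold:
                later_ok = any(ok and ts >= t0 for ts, _, ok in evs)
                hits[src] = {"users": burst, "success": later_ok}
                break
    return hits
```

A source flagged with `"success": True` is the one to treat as compromised and to reboot and re-credential first; a single failure from a second source is not flagged.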

So, yeah. That’s a lot to absorb, and it looks pretty bad. You IT and security folks should click over to the original post for the code samples and more technical details, but I spoke to some security and code experts to get a sense for what all this means.

Sergei Golos, IT security professional and author of http://codeofserge.com, said that IoT devices are frequently built on Linux micro-boards, which introduces built-in exposure: these edge devices can not only perform the task they are designed for, but also anything else a computer can do, including using the Internet for just about anything, DDoS attacks included. The bug, then, is that the software on the IoT device doesn't force users to configure unique passwords, which isn't so much a coding issue as a design issue, he said.

Edward Faulkner, hacker, entrepreneur, Ember Core Team member and author of https://eaf4.com, called this Linux/IRCTelnet a “not-especially-clever botnet that scans for defenseless devices running open telnet servers with default passwords.” Of course this is a huge number of devices, because so many of the IoT devices at the edge are being sold (not just to consumers) with no prior thought to the security implications and no plan to patch future vulnerabilities.

Faulkner further recommended that folks avoid the risks by making sure IoT devices stay on private LANs that are unreachable from the wider Internet.

Of course, that’s not always possible, especially for enterprise users, so Mike Ahmadi, Global Director, Critical Systems Security, Synopsys, said that “Unless builders of IoT devices incorporate more rigorous vulnerability detection and management practices into their development process, we can expect more of this malware botnet free for all to occur.”

The shortest version of this story is that the IoT’s chickens are coming home to roost. You’ve been building fast and cheap, rushing to market, and escaping the notice of the bad actors out there because the industry was so small.

We’ve hit the big time now, my friends. How about we start acting like it?

Edited by Alicia Young

Editorial Director
