Internet of Things Botnet Menace

Forget self-aware AI systems taking over the world. If you read the hype over DDoS attacks you’d be forgiven for thinking an army of internet connected devices was on the march, herded by a gang of amateur criminals – the IoT bites back!

This isn’t about anything new, but the fact it’s being used in recent record-breaking DDoS attacks has brought the matter to the fore.

And then yesterday the source code for one of the two main botnets, Mirai, turned up, posted on Hackforums, probably by its originator. The other, similar botnet is known as Bashlite, but I understand it works in the same way and attacks the same devices. Originators of such code usually dump it in the public domain when they feel they’re about to be busted: it makes it harder to prove they’re behind an attack when other people have, and are likely using, the same code.

A look at the code itself confirms what many have suspected for a long time: some CCTV equipment can be appropriated for naughty purposes. Unfortunately, the affected equipment originates in China and is sold to a wide variety of companies who put their own badge on it and sometimes customise the software. It’s basically a generic network-enabled Digital Video Recorder (DVR), sold under the generic name H.264 Recorder. Getting it all patched isn’t going to happen, as there is no update mechanism, but if people changed their password to something hard to guess, rather than leaving it as the default 1234, the world would be a better place.

I’ve been looking at this type of CCTV equipment for over a decade, ordering an embarrassing number of samples from Alibaba and the like and building up a collection to rival my disparate VoIP endpoints. They have a lot in common – very little in the way of security or robustness in the face of attack. My advice to anyone using such kit is to install it behind NAT and use a VPN to access it externally.

But getting back to my theme, the media hype suggests that all sorts of IoT things have been hijacked. Unless I see any evidence to the contrary, this is simply not true. The CODE released targets one type of network DVR, and, in reality, it can’t even persist if the device is power-cycled. However, reports suggest that the time taken for the botnet to re-establish itself is very short.

I’ll be updating this article in the next few days once I’ve checked out a few facts concerning the code.