How to prevent your Christmas gift from joining the Mirai botnet

Don’t forget to secure the IP camera, digital thermostat or other connected device you received for Christmas.

While these Internet of Things devices are smaller compared to laptops and desktops, they’re still computers with processors, software and the ability to connect to the Internet. And, like we saw with the Mirai botnet that took over hundreds of thousands of IoT devices and used them to launch a massive DDoS attack, they also have vulnerabilities that attackers can easily exploit.

Here are some security tips to prevent your device from helping taken down the Internet and violating your privacy.

Try to avoid buying and using products from unknown vendors

Some of these manufacturers have disregarded even the most basic security measures and sell products with hard-coded passwords or software that can’t be updated. Keep in mind that even devices from brand-name manufacturers can have vulnerabilities. However, since these products are usually scrutinized by security researchers, there’s a better chance that their flaws will be discovered and fixed by the vendor.

In fact, if you own an IP camera, it could have two-zero days flaws that jeopardize your privacy. Attackers could exploit these flaws and see what the camera is looking at and, in theory, use them to access the computer that the camera is connected to. Cybereason released a tool that lets people determine if their camera is at risk and I wrote a research report on the dangers these vulnerabilities present.

Change the device’s default password

Many people never change a device’s default password, giving attackers an easy way to hack into their lives. This is how the Mirai malware infiltrates devices: it guesses default log-ins and passwords. This is probably the most basic attack vector imaginable. But why should attackers have to come up with stealthy attack vectors when they can hack a device by using much simpler methods?

Upgrade your device’s firmware

Vendors issue software updates to repair programming flaws that attackers could exploit as well as add features to a product. However, often times users aren’t aware that vendors issue these updates and that they’re responsible for downloading and installing them. For software update information, check the product page on the vendor’s website.

Get educated on security

Hackers count on consumers to make their job easy by partaking in risky and insecure online behavior. Don’t adopt the mentality that the basics of online security are too difficult to learn or think you’ll never be hacked. This mindset only helps the attackers and decreases consumer safety.

Also, don’t assume that a product’s manufacturer will handle security. Often times that isn’t the case. Getting a product to market is sometimes more important for vendors than implementing security measures. This is why people have to take responsibility for their device’s security and install firmware updates and figure out if the software running their IoT device can be updated and avoid products that lack this feature.

Amit Serper
About the Author

Amit Serper

Amit Serper is Principal Security Researcher at Cybereason. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS.