In December 2017, the U.S. Department of Justice announced indictments and guilty pleas by three men in the United States responsible for creating and using Mirai, a malware strain that enslaves poorly-secured “Internet of Things” or IoT devices like security cameras and digital video recorders for use in large-scale cyberattacks.
The FBI and the DOJ had help in their investigation from many security experts, but this post focuses on one expert whose research into the Dark Web and its various malefactors was especially useful in that case. Allison Nixon is director of security research at Flashpoint, a cyber intelligence firm based in New York City. Nixon spoke with KrebsOnSecurity at length about her perspectives on IoT security and the vital role of law enforcement in this fight.
Brian Krebs (BK): Where are we today with respect to IoT security? Are we better off than were a year ago, or is the problem only worse?
Allison Nixon (AN): In some aspects we’re better off. The arrests that happened over the last year in the DDoS space, I would call that a good start, but we’re not out of the woods yet and we’re nowhere near the end of anything.
BK: Why not?
AN: Ultimately, what’s going with these IoT botnets is crime. People are talking about these cybersecurity problems — problems with the devices, etc. — but at the end of the day it’s crime and private citizens don’t have the power to make these bad actors stop.
BK: Certainly security professionals like yourself and others can be diligent about tracking the worst actors and the crime machines they’re using, and in reporting those systems when it’s advantageous to do so?
AN: That’s a fair argument. I can send abuse complaints to servers being used maliciously. And people can write articles that name individuals. However, it’s still a limited kind of impact. I’ve seen people get named in public and instead of stopping, what they do is improve their opsec [operational security measures] and keep doing the same thing but just sneakier. In the private sector, we can frustrate things, but we can’t actually stop them in the permanent, sanctioned way that law enforcement can. We don’t really have that kind of control.
BK: How are we not better off?
AN: I would say that as time progresses, the community that practices DDoS and malicious hacking and these pointless destructive attacks get more technically proficient when they’re executing attacks, and they just become a more difficult adversary.
BK: A more difficult adversary?
AN: Well, if you look at the individuals that were the subject of the announcement this month, and you look in their past, you can see they’ve been active in the hacking community a long time. Litespeed [the nickname used by Josiah White, one of the men who pleaded guilty to authoring Mirai] has been credited with lots of code. He’s had years to develop and as far as I could tell he didn’t stop doing criminal activity until he got picked up by law enforcement.
BK: It seems to me that the Mirai authors probably would not have been caught had they never released the source code for their malware. They said they were doing so because multiple law enforcement agencies and security researchers were hot on their trail and they didn’t want to be the only ones holding the source code when the cops showed up at their door. But if that was really their goal in releasing it, doing so seems to have had the exact opposite effect. What’s your take on that?
AN: You are absolutely, 100 million percent correct. If they just shut everything down and left, they’d be fine now. The fact that they dumped the source was a tipping point of sorts. The damages they caused at that time were massive, but when they dumped the source code the amount of damage their actions contributed to ballooned [due to the proliferation of copycat Mirai botnets]. The charges against them specified their actions in infecting the machines they controlled, but when it comes to what interested researchers in the private sector, the moment they dumped the source code — that’s the most harmful act they did out of the entire thing.
BK: Do you believe their claimed reason for releasing the code?
AN: I believe it. They claimed they released it because they wanted to hamper investigative efforts to find them. The problem is that not only is it incorrect, it also doesn’t take into account the researchers on the other end of the spectrum who have to pick from many targets to spend their time looking at. Releasing the source code changed that dramatically. It was like catnip to researchers, and was just a new thing for researchers to look at and play with and wonder who wrote it.
If they really wanted to stay off law enforcement’s radar, they would be as low profile as they could and not be interesting. But they did everything wrong: They dumped the source code and attacked a security researcher using tools that are interesting to security researchers. That’s like attacking a dog with a steak. I’m going to wave this big juicy steak at a dog and that will teach him. They made every single mistake in the book.
BK: What do you think it is about these guys that leads them to this kind of behavior? Is it just a kind of inertia that inexorably leads them down a slippery slope if they don’t have some kind of intervention?
AN: These people go down a life path that does not lead them to a legitimate livelihood. They keep doing this and get better at it and they start to do these things that really can threaten the Internet as a whole. In the case of these DDoS botnets, it’s worrying that these individuals are allowed to go this deep before law enforcement catches them.
BK: There was a narrative that got a lot of play recently, and it was spun by a self-described Internet vigilante who calls himself “the Janitor.” He claimed to have been finding zero-day exploits in IoT devices so that he could shut down insecure IoT things that can’t really be secured before or maybe even after they have been compromised by IoT threats like Mirai. The Janitor says he released a bunch of his code because he’s tired of being the unrecognized superhero that he is, and many in the media seem to have eaten this up and taken his manifesto as gospel. What’s your take on the Janitor, and his so-called “bricker bot” project?
AN: I have to think about how to choose my words, because I don’t want to give anyone bad ideas. But one thing to keep in mind is that his method of bricking IoT devices doesn’t work, and it potentially makes the problem worse.
BK: What do you mean exactly?
AN: The reason is sometimes IoT malware like Mirai will try to close the door behind it, by crashing the telnet process that was used to infect the device [after the malware is successfully installed]. This can block other telnet-based malware from getting on the machine. And there’s a lot of this type of King of the Hill stuff going on in the IoT ecosystem right now.
But what [this bricker bot] malware does is a lot times it reboots a machine, and when the device is in that state the vulnerable telnet service goes back up. It used to be a lot of devices were infected with the very first Mirai, and when the [control center] for that botnet went down they were orphaned. We had a bunch of Mirai infections phoning home to nowhere. So there’s a real risk of taking the machine that was in the this weird state and making it vulnerable again.
BK: Hrm. That’s a very different story from the one told by the Bricker bot author. According to him, he spent several years of his life saving the world from certain doom at the hands of IoT devices. He even took credit for foiling the Mirai attacks on Deutsche Telekom. Could this just be a case of researcher exaggerating his accomplishments? Do you think his Bricker bot code ever really spread that far?
AN: I don’t have any evidence that there was mass exploitation by Bricker bot. I know his code was published. But when I talk to anyone running an IoT honeypot [a collection of virtual or vulnerable IoT devices designed to attract and record novel attacks against the devices] they have never seen it. The consensus is that regardless of peoples’ opinion on it we haven’t seen it in our honeypots. And considering the diversity of IoT honeypots out there today, if it was out there in real life we would have seen it by now.
BK: A lot of people believe that we’re focusing on the wrong solutions to IoT security — that having consumers lock down IoT devices security-wise or expecting law enforcement agencies to fix this problem for us for me are pollyannish ideas that in any case don’t address the root cause: Which is that there are a lot of companies producing crap IoT products that have virtually no security. What’s your take?
AN: The way I approach this problem is I see law enforcement as the ultimate end goal for all of these efforts. When I look at the IoT DDoS activity and the actual human beings doing this, the vast majority of Mirai attacks, attack infrastructure, malware variants and new exploits are coming from a vast minority of people doing this. That said, the way I perceive the underground ecosystem is probably different than the way most people perceive it.
BK: What’s the popular perception, do you think?
AN: It’s that, “Oh hey, one guy got arrested, great, but another guy will just take his place.” People compare it to a drug dealer on the street corner, but I don’t think that’s accurate in this case. The difference is when you’re looking at advanced criminal hacking campaigns, there’s not usually a replacement person waiting in the wings. These are incredibly deep skills developed over years. The people doing innovations in DDoS attacks and those who are driving the field forward are actually very few. So when you can ID them and attach behavior to the perpetrator, you realize there’s only a dozen people I need to care about and the world suddenly becomes a lot smaller.
BK: So do you think the efforts to force manufacturers to harden their products are a waste of time?
AN: I want to make it clear that all these different ways to tackle the problem…I don’t want to say one is more important than the other. I just happened to be working on one component of it. There’s definitely a lot of disagreement on this. I totally recognize this as a legitimate approach. A lot of people think the way forward is to focus on making sure the devices are secure. And there are efforts ongoing to help device manufacturers create more secure devices that are more resistant to these efforts.
And a lot is changing, although slowly. Do you remember way back when you bought a Wi-Fi router and it was open by default? Because the end user was obligated to change the default password, we had open Wi-Fi networks everywhere. As years passed, many manufacturers started making them more secure. For example, many of these devices now have customers refer to sticker on the machine that has a unique Wi-Fi password. That type of shift may be an example of what we can see in the future of IoT security.
BK: In the wake of the huge attacks from Mirai in 2016 and 2017, several lawmakers have proposed solutions. What do you think of the idea that it doesn’t matter what laws we pass in the United States that might require more security by IoT makers, that those makers are just going to keep on ignoring best practices when it comes to security?
AN: It’s easy to get cynical about this and a lot of people definitely feel like these these companies don’t sell directly to the U.S. and therefore don’t care about such efforts. Maybe in the short term that might be true, but in the long term I think it ends up biting them if they continue to not care.
Ultimately, these things just catch up with you if you have a reputation for making a poor product. What if you had a reputation for making a device that if you put it on the Internet it would reboot every five minutes because it’s getting attacked? Even if we did enact security requirements for IoT that manufacturers not in the U.S. wouldn’t have to follow, it would still in their best interests to care, because they are going to care sooner or later.
BK: I was on a Justice Department conference call with other journalists on the day they announced the Mirai author arrests and guilty pleas, and someone asked why this case was prosecuted out of Alaska. The answer that came back was that a great many of the machines infected with Mirai were in Alaska. But it seems more likely that it was because there was an FBI agent there who decided this was an important case but who actually had a very difficult time finding enough infected systems to reach the threshold needed to prosecute the case. What’s your read on that?
AN: I think that this case is probably going to set precedent in terms of the procedures and processes used to go after cybercrime. I’m sure you finished reading The Wired article about the Alaska investigation into Mirai: It goes in to detail about some of the difficult things that the Alaska FBI field office had to do to satisfy the legal requirements to take the case. Just to prove they had jurisdiction, they had to find a certain number of infected machines in Alaska.
Those were not easy to find, and in fact the FBI traveled far and wide in order to find these machines in Alaska. There are all kinds of barriers big and small that slow down the legal process for prosecuting cases like this, some of which are legitimate and some that I think are going to end up being streamlined after a case like this. And every time a successful case like this goes through [to a guilty plea], it makes it more possible for future cases to succeed.
This one group [that was the subject of the Mirai investigation] was the worst of the worst in this problem area. And right now it’s a huge victory for law enforcement to take down one group that is the worst of the worst in one problem area. Hopefully, it will lead to the takedown of many groups causing damage and harming people.
But the concept that in order for cybercriminals to get law enforcement attention they need to make international headlines and cause massive damage needs to change. Most cybercriminals probably think that what they’re doing nobody is going to notice, and in a sense they’re correct because there is so much obvious criminal activity blatantly connected to specific individuals. And that needs to change.
BK: Is there anything we didn’t talk about related to IoT security, the law enforcement investigations into Mirai, or anything else you’d like to add?
AN: I want to extend my gratitude to the people in the security industry and network operator community who recognized the gravity of this threat early on. There are a lot of people who were not named [in the stories and law enforcement press releases about the Mirai arrests], and want to say thank you for all the help. This couldn’t have happened without you.
This really is a fascinating subject, due to the fact that most IoT products don’t allow the end user to alter the security settings (thus allowing savvy individuals to reduce the risk of compromise).
I appreciate your role as devil’s advocate to prompt the discussion toward how companies may just ignore the laws passed in the US. While it may seem cynical, it is ultimately true. Even though they may eventually change their products to capitulate to demand, they will be slow to do so because they can make more profit by making a cheaper (yet inferior) product as long as consumers are willing to take the risk. Since most people are either ignorant of this type of activity, they’re likely to buy the inferior product and thus fuel companies to continue making them.
I really think that the root of the problem is that people are largely ignorant. Because there is so much information out there, and so little education on how to sift through to find what is important (not to mention the time it takes to do so), the populous will likely remain in their blissful state until they are victimized. Unfortunately, this is true in many different regards, whether their IoT devices are utilized in a DDoS attack on their favorite website, or their personal information is made available to fraudsters.
The world we live in is increasingly complex, which carries with it the increasing ability for others to utilize our technology in less than ethical ways. For those who do not dedicate any of their time to self-education, I believe it is only a matter of time before they find their ignorance being taken advantage of.
I really should edit my comments before submitting them… I left a random ‘either’ in my second paragraph and used ‘populous’ instead of ‘populace’ in the third.
produce the comments in a TXT format. Proof read, and then cut and paste into the blog =)
I really think that the root of the problem is that network operators allow devices to use spoofed IP addresses when sending from their network.
The whole ecosystem described in this article would shrivel to nothingness if the hacked devices had to identify themselves with every data packet sent.
False. The botnets involved largely do not spoof their ip addresses. This is one part of the problem, but not the whole problem
False is correct. Although spoofing is a larger problem that definitely needs to be addressed by the world’s major network operators, for a variety of reasons I probably shouldn’t get into here it has largely not been a factor in relation to IoT-based botnets like Mirai.
Btw, I addressed some of the things that network operators/ISPs can and should be doing in the latter half of this article: https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/
Spoofed or not, the sad fact is that very few network operators/ISPs put much effort into suppressing egressing attack traffic.
Fascinating article. It’s really nice to have two insiders talk about a subject.
Perhaps “Well, if you look at the individuals that were the subject of the announcement this month, and you look in their past, you can see they’ve been active in the hacking community of a long time. ” should end with “in the hacking community a long time.”
I am with vb on putting at least some responsibility on the network operators, the problem is what do you mean by network operator? The ISP? The end user of a surveillance system?
The term ISP has become outdated. A network operator could be a wired or wireless service provider, telephone wireless carrier, cellular data company, cable TV company or other types of a network carrier. A network operator is a provider of wired or wireless communications services that owns or controls all the elements necessary to deliver communications services to end-users.
In any case, network operators should take responsibility for running a clean network. That means not allowing hacked devices to spew spoofed garbage out of their network.
I don’t think spoofed IP’s are the issue. Even if a service provider (or “network operator”) does implement blocking of spoofed IP’s, it would only work if the spoofed IP is outside of the range which the service provider broadcasts, and these ranges can be quite large. Also, this wouldn’t do anything to help identify the perpetrators, since they are not relying on spoofed IP’s to conceal their identities, they are using VPN’s and proxy’s.
Don’t get me wrong, I agree that all service providers should prevent spoofed IP’s to the extent that they can, but typically all this is going to do is help prevent attacks such as a DNS amplification DDoS.
It just hit me that you were talking about identifying the hacked devices, and not malicious users covering their tracks with spoofed IPs. My mistake, you’re correct that not allowing spoofed IPs would help with this, although as I mentioned, current methods of blocking spoofed IPs only work if the IP is outside of the service provider’s range.
All viewpoints are correct, in my estimation.
The introduction of even basic minimum safety standards for IoT devices to be sold on the open market would marginalize those manufacturers who choose to not adhere to them.
The network operators have some duty of care to reduce harm and certainly consumers of IoT devices should conduct some level of due diligence to keep themselves safe.
This will not and can not 100% eliminate IoT tampering, but it will make it much more difficult to achieve and therefore make it far less economically viable and more risky.
And when criminal acts are still committed, law enforcement has a duty to investigate and prosecute.
Right. It is weird that devices have voltage standards, FCC and EC certifications, but nothing on device security.
“I really think that the root of the problem is that people are largely ignorant. Because there is so much information out there, and so little education on how to sift through to find what is important.”
Speaking for those of us in a senior living community, we tend to agree. However, we also find it difficult to sift through the vernacular, then implementing the procedures the “teckies” provide in these matters. In frustration, we find it easier to hope and pray that what we think we know is sufficient to keep us out of harm’s way.
Most computer safeguards posted here and elsewhere leave us with a vacuous look and a “…what’s that mean?” on our lips.
Keep up the great website, Brian!
First, I’d like to point out that I was not limiting my statement to senior individuals. On the contrary, (in my experience) the older a person is, the more likely they are to be concerned with their security.
I was trying to say that there is a general blissful ignorance that far too many subscribe to, mostly by their own choice. They’d rather spend their time talking about what other people should be doing instead of taking responsibility and figuring out how to protect themselves.
That said, your comments on the vernacular are well-founded. There is a large barrier to communication between “us” and the “techies”. I would consider myself somewhere in between, but I still have to do quite a bit of research any time I decide to do something to increase my level of security.
My advice: use google to find a forum that explains how to do what you need to do. You will either be able to find where someone has already received a detailed how-to for your situation, or you can ask the question yourself (and wait for a reply). Most of the forums have experts who are very helpful and willing to share their time and expertise, not to mention they are mindful of explaining things in layman’s terms. It may take time, but I have solved some fairly significant issues on my own this way, and it has increased my own understanding significantly.
Setting the record straight on the BrickerBot statement “… when I talk to anyone running an IoT honeypot they have never seen it. The consensus is that regardless of peoples’ opinion on it we haven’t seen it in our honeypots. And considering the diversity of IoT honeypots out there today, if it was out there in real life we would have seen it by now.”
BrickerBot operates (used to) as a sensor network. It retaliates when one if its sentinels senses a malware trying to exploit it. Unless a honeypot triggers a BrickerBot sentinel, it will never reveal itself to that honeypot. I would seem that everyone Ms Nixon has been talking to are operating passive honeypots and they’ve missed it.
This is technobabble. Some honeypots are actual vulnerable devices. No malware can possibly detect every honeypot and hide from it.
Also, brickerbot author took credit for several incidents that someone else did and that the real actors have been arrested for. He’s a crack pot
It is irrelevant if the honeypot is an actual device or not. The botnet is an autonomous system that only attacks upon being poked. A simple telnet to one of the sentinels in the botnet and it will come back at you – first fingerprinting your device through port scans, trying to open a SSH and telnet session to gather information and then submit a command sequence through SSH, Telnet or known RCE exploits such as the TR064 NewNTPServer.
I do not want to comment on the credits, nor do I validate them. I do want you to have a look at the 3 most recent bots that made headlines: Satori, Okiru and Masuta.
Satori and Okiru exploit a Huawei 0day. Masuta leverages a D-Link HNAP bug.
Now go and check the obfuscated Python module the Janit0r published and you will have to conclude that both, including the ‘innovative’ 0day exploit, are sourced from the BrickerBot code. Literally copy/pasted into a widely availble Mirai framework.
There is not much we didn’t know in the BrickerBot code, except for 1 or 2 0days, but the guy created and published an encyclopedia of credentials, fingerprints and vulnerabilities, carefully classified per device class and brand. Making this information public had to have an impact on the threat landscape. We did not even have to wait long for it to happen, as illustrated by the 3 most recent bots that researchers are alerting on. Three new botn variants in little over a month’s span… Nexus Zeta is just experimenting if you ask me, for now…
“both, including the ‘innovative’ 0day exploit, are sourced from the BrickerBot code”
Absolutely false. The exploits were in the wild before the Brickerbot code was published. Brickerbot copied them from the malware.
Brickerbot’s author likes to take credit for world events that he had no actual part in. He’s a crack pot. Maybe he hacked into some devices, but he had nowhere near the impact he claims he had. He’s just another megalomaniacal skid with no credibility.
“Appear weak when you are strong, and strong when you are weak.”
LPls.help. When I had my older ( became obsolete 2003, they wouldn’t renew warranty ) eMachine desktop computer w/Tower& attached copier , fax, scanner, printer & I paid monthly for an Internet Security Suite, I still had strange messages & strange screens appear. The Energy Saver Star symbol would appear but then later weeks, when I was alone, a “Master – Slave” cartoon &message would appear on the screen!Several times it had viruses & malware that the old- fashioned scans of the internet security suite I was using , didn’t catch. One of the scariest things was when I call on my telephone to their 800# texhnical support of the Internet Security Suite, where you & the tech can alternate sharing the screen cursor. the arrow would start moving itself & turnimg web pages & neither myself nor the tech realized the other wasn’t doing it! 1 tech finally asked me “ are you moving the cursor”? I wasn’t & I said I thought the tech was moving the cursor & she wasn’t! The screensharing tech ffreakd out, stating “ it must be some new kind of spyware”! She asked if she could temporarily remove my Internet Security Suite & temporarily install Malabytes Malware scan, I said ok. She was supposed to call me back k hours later & she never did. I called back & the next screensharing rep said the previous tech shouldnt have done that, removed Malabytes Malware scanning & put the regular Internet Security Suite back. Neither found anything, but intermittent problems still ocurred until Nov. 2009 when all the software disintegrated & only the eMachine screensave would show. It was heartbreaking for me. Who can tell me what happenned please? Thanks Barbara
Pls.add to the ab ove message, that I now remember that it was I guess a fake Energy Star site with the cartoon. Illustration with the words “ Master- Slave Relationship”, 1 person kneeling ( slave) to the Master ( person), then it would disappear & whatever I was previously searching would return. That happened when the eMachine computer was a little bit older & the Internet Security Suite never was able to catch it& then the eMachine software disintegrated Nov.2009, & onlycthe screensaver illustration would show. The computer was obsolete in 2003 when they wouldn’t renew the warranty plan.
I remember also that the Internet Security Suite that I paid for by the month, showed the actual scans & you pick how often you want to run them ( virus, malware, spyware, etc. scans), I ran them everyday. I also now remember that sometimes it would show it found a virus or viruses & the Internet Security Suite would ask you if you wanted to delete the virus, or contain the virus. Later screensharing tech advised me if you pick “ delete” the virus,it would also delete the part of your computer that the virus infected too, better to choose to contain the virus.
I also now remember that sometimes the cursor arrow would move itself when I was using the computer alone & no screensharing. It finally stopped when that 1 screensharing tech asked me if I had started moving the cursor & I thought she was moving the cursor & she wasn’tI believe it was happening with more than 1 screensharing tech & neither one of us ever realized it until that 1 tech caught on.. The Malabytes Malware scans didn’t show anything & when I called the we 800 # tech support back& the next tech claimed that was wrong , uninstalled the Malabytes Malware scanning & reinstalled the Internet Security Suite thatI was paying for & ran it, neither found anything then! But the screen cursor arrow never moved itself by itself again.
What was all this please? Thanks Barbara