This Mirai malware vaccine could protect insecure IoT devices
The hazard of unsophisticated and poorly secured Internet of Things (IoT) devices came to the front last year with the Mirai DDoS attack that involved nearly a million bots. Many of these devices remain a threat.
Researchers have posed an original solution to the problem: Use the vulnerability of these devices to inject a white worm that secures the devices. It is an epidemiological approach that creates immunity with a vaccine by exposing the immune system to a weakened form of the disease.
+ Also on Network World: How to improve IoT security +
These devices are still a threat because some cannot be fixed because they have hard-coded back doors. Other insecure devices have software or firmware vulnerabilities that cannot be fixed because product designers did not include a software updates mechanism.
After studying the source code of the Mirai worm and its command and control system, researchers from the Technical University of Denmark, Denmark; Orebro University, Sweden; and Innopolis University, Russian Federation proposed this almost unprecedented idea in a paper titled AntibIoTic: Protecting IoT Devices Against DDoS Attacks (pdf). The Mirai source code was published on Github after it was originally released on Hackforums, as reported by Krebs on Security.
Most reports about the source code release warned that it would enable new bad actors, the security industry’s term for individuals and criminal organizations who attempt to infiltrate systems and data banks with malicious intent. But because the source code was published, it was possible to create the white worm defense derived from the release.
The approach makes sense because there are few alternatives to remediating the risk these devices pose. In the go-to-market IoT race, developers do not always anticipate vulnerabilities or build according to computer science security text books, leaving hundreds of thousands or millions of devices undefended.
The white worm project, called AntibIoTic, uses the Mirai bot design to gain access and control of these poorly secured devices and inject them with antibiotic-like code. AntibIoTic exploits the efficient spreading capabilities of the Mirai malware. Once in control, this white worm tries to notify the owner or remedy the problem on the owner’s behalf by changing credentials, patching software or updating firmware. Compared to the malicious Mirai that ISPs and carriers have taken proactive measures to stop, AntbIoTic would not be detected because once in control, it does not behave maliciously.
How AntibIoTic functions
Features of AntibIoTic include the following:
Collect and publish data about vulnerable devices – Security researchers, the device manufacturers and anyone interested can analyze the data about these at-risk devices published on a public website. This might be an early-warning system, monitoring IoT devices and alerting IoT device manufacturers that a product category has been compromised.
Crowd-sourced contributions – The authors specify an interactive interface with a range of privileges, presumably based on trust, to let others contribute to AntibIoTic. One can easily imagine a security analyst or manufacturer contributing, especially an IoT manufacturer trying to avoid a recall and PR nightmare from a product with security flaws installed throughout the world that they otherwise could not remediate.
Sanitize infected devices – Once the AntibIoTic worm has control of a weak device, it either applies a fix to prevent further intrusions or sanitizes the device of malicious code installed by the bad actors. Applying a little imagination again, in response to an early warning of a specific exploit of a specific IoT device from data published on the web, a custom solution could be built and distributed using Mirai-like efficient spreading capabilities.
Notify device owners – After sanitizing the device, the AntibIoTic worm will try to notify the device owner of the vulnerabilities. The purpose of the notification is to warn the owner, make them aware of the security threats of their device and advise of further precautions that should be taken.
Secure vulnerable devices – If the threat has not been fixed after notifying the owner, AntibIoTic will apply security fixes, such as changing the admin credentials or updating firmware.
Resistance removal of AntibIoTic by reboot – A mechanism tracks all identified vulnerable devices. If a reboot occurs, AntibIoTic will re-infect after the devices return to operation and appear on the internet. AntibIoTic might become persistent on the target system by modifying its startup settings.
Mentioned elsewhere in the paper is a project called BrickerBot. It is the approach Samsung took to disable its potential dangerous Note 7 and prevent it from causing a fire. This approach “bricks” the device, making it irrecoverably inoperable and preventing the user or the malware from utilizing it. In certain scenarios, where IoT malware causes serious financial harm or physical danger, BrickerBot might be the only alternative.
Ethical and legal implications of AntibIoTic
AntibIoTic crosses some legal and ethical lines as a third party intruding into a device owned by another entity without the owners’ explicit consent. This is an illegal and prosecutable act in a number of countries. At the same time, failing to protect one’s own device and failing to remediate the malicious behavior of a device, causing harm to third parties, could be a violation of law by the owner.
The authors categorize the problem as an extension of the eternal dispute between freedom and security, but they did not include a deeper legal analysis — probably because this would require collaboration with legal experts throughout the world. Perhaps if looked at from an epidemiological perspective, the health of the herd outweighs the legal and ethical implications.
More details about the white worm and the command and control system are available in the paper.