How do IoT devices get used for a botnet?

As investigations continue after the outage caused by the DDoS against Dyn, a large DNS provider last week it’s useful to gain a greater understanding of just how this traffic was generated, particularly when talking about volumes such as that encountered by OVH when they saw around 1.2Tbps of data thrown at their network.

As I have mentioned previously, historically a DoS attack would have been created by a single PC on a network generating as much junk data as it could send over its connection – usually this would involve someone gaining control of a server somewhere on the internet, since these would in most cases have a much higher capacity connection than a standard home system. Of course, as the internet has developed and large, complex server set ups with distributed platforms for hosting websites and other services have developed the kind of traffic generated by a single device would be unable in many cases to cause much impact, hence the move to using multiple devices over the internet to create a DDoS.

So, the question is just how do malicious third parties take advantage of large volumes of devices on the internet to enable them to create attacks of the scale that have been seen recently? Fundamentally this is a lot easier than most people realise. While traditionally there was a reliance on people having lax security on their own computers there are much easier ways to do this these days thanks to the rise in popularity of devices that are commonly referred to as The Internet of Things or IoT.

IoT Botnets

Routers, CCTV, Media players, DVRs, lights, home automation servers, these are just a few of the ever-increasing catalogue of devices that can be found in homes that have internet connections and while they may seem innocuous they can potentially be used as part of a larger collection of similar devices to help generate insane volumes of traffic. While many of these devices may seem simple enough they will all have some form of rudimentary operating system on them to help them communicate to their management systems and your smart phones and such, like any other operating system this means they may have security weaknesses. The traffic generated for the recent attacks against OVH and Krebs was suggested to be likely to have originated from internet connected CCTV systems for example.

One of the largest issues with many IoT devices is that once they are connected many of them are simply left with default login details meaning that if these devices are accessible from the internet they represent a pretty large security risk, the equivalent of leaving your keys in your door when leaving the house if you will excuse the hyperbole. Others often lack the facility to change much on the operating system thus removing the ability to ensure they are secure altogether. Finding devices like this is also trivial with a basic level of knowledge, since it doesn’t take much to run a search online to locate specific devices, it’s not too big a stretch beyond this to extend that same search to an automated script which also attempts to login with factory default or hard-coded usernames and passwords, which is where Mirai steps in.


Mirai is a form of malware which was recently published online and announced on the English-language hacking community Hackforums. It’s designed to continuously scan the internet for IoT systems and then attempt to log in, once it has access it then seeds the devices with software turning them into ‘bots’ which causes them to report to a centralised point on the internet, which is then used to control the devices. This server is where the DDoS attacks are triggered from. Thankfully, the one silver lining to take from this is currently only industrial type devices are being targeted, such as CCTV systems used in shops, offices and so on. From various reports, it does seem that many devices used were all pretty ancient too, with some being developed as long ago as 2004. Generally, these devices weren’t built with today’s security in mind, so much as they were built to just do one job and do it as well as is possible with the tech available to them.

The other thing to factor in, is that all the devices involved were accessible from the internet, either directly via a modem hooked up to the device, or indirectly via having firewalls opened to allow them to be reached from the internet.

A Single Point of Origin.

Many of the implicated devices all seem to have a single manufacturer in common, a chine firm by the name of Hangzhou Xiongmai, who have recently recalled all the potentially compromised products from market. Xiongmai are what is known as a ‘white label’ manufacturer, meaning they create and sell fully formed devices to more well-known companies to distribute under their own brands. Of course this makes it nigh on impossible for customers to actually know if they are using devices made by Xiongmai or not, unfortunately the white labeling does mean that the general recall could potentially end up being little more than a symbolic gesture, since it can be quite difficult to get customers to return hardware when they know it has a general recall on it, never mind a piece of hardware which they have no way of knowing if its part of the recall or not.


At this stage, it’s also unclear just how to prevent further incidents of this nature, since as mentioned its highly unlikely all the DVRs and CCTVs that are already impacted by Mirai or have yet to be infected will be sent back to the manufacturers, nor would the software running the device be easily patchable by Xiongmai.

Of course, the fact that this time the issue was caused by ancient industrial class IoT devices doesn’t mean that owners of IoT devices in the home should be complacent, since there have been well documented reports of devices as innocuous as baby monitors being targeted for attacks. The current IoT market was worth $600 billion back in 2014 and of course this number will only increase over time, meaning that in addition to devices that logically could or should be connected to the internet, we are going to see a rise in devices that make little sense being thusly connected, such as washing machines, ovens and similar. In an age where companies such as Google, Microsoft and Apple have trouble securing their systems smaller firms such as those who manufacturer IoT devices are just as, if not more likely to run into security issues over time. Combine this with the fact that the OS run on these devices often ends up remaining unpatched by the manufacturers, even after critical flaws are discovered and its clear to see why these devices have the potential to be utilised as part of a botnet.