8. MIRAI
• What makes these attacks so scary is not the level of sophistication of the malware itself, but its lack of sophistication in how it gains control of IoT devices.
• The source code of Mirai is available:
    • https://github.com/jgamblin/Mirai-Source-Code
• Mirai and the related Bashlite malware make use of default usernames and passwords
9. SCANNER.C
• The Mirai source code file scanner.c lists 62 default username/password combinations
• Sophos estimates that this simple list of passwords is enough to compromise hundreds of thousands of IoT devices
User Name      Password        User Name      Password        User Name      Password
root           xc3511          admin          1111            root           zlxx.
root           vizxv           root           666666          root           7ujMko0vizxv
root           admin           root           password        root           7ujMko0admin
admin          admin           root           1234            root           system
root           888888          root           klv123          root           ikwb
root           xmhdipc         Administrator  admin           root           dreambox
root           default         service        service         root           user
root           juantech        supervisor     supervisor      root           realtek
root           123456          guest          guest           root           0
root           54321           guest          12345           admin          1111111
support        support         guest          12345           admin          1234
root           (none)          admin1         password        admin          12345
admin          password        administrator  1234            admin          54321
root           root            666666         666666          admin          123456
root           12345           888888         888888          admin          7ujMko0admin
user           user            ubnt           ubnt            admin          1234
admin          (none)          root           klv1234         admin          pass
root           pass            root           Zte521          admin          meinsm
admin          admin1234       root           hi3518          tech           tech
root           1111            root           jvbzd           mother         fucker
admin          smcadmin        root           anko
(none) denotes an empty password.
10. OWASP IOT TOP 10
Rank  Vulnerability Name
1 Insecure Web Interface
2 Insufficient Authentication/Authorization
3 Insecure Network Services
4 Lack of Transport Encryption/Integrity Verification
5 Privacy Concerns
6 Insecure Cloud Interface
7 Insecure Mobile Interface
8 Insufficient Security Configurability
9 Insecure Software/Firmware
10 Poor Physical Security
12. WHERE IS ALL MY DATA?
• Organizations should have a map of where all of their data assets are and where their data flows to
• This effort needs to involve more than just IT. A surprising amount of sensitive data may not be under the control of IT (HR, Finance, etc.):
    • Finance sending data to an external vendor for revenue cycle management or collections
    • Paper-based records such as a morgue logbook may still contain PII
    • Shadow IT, BYOD, etc.
• This map should include data collected and distributed by IoT devices such as security cameras, medical devices, etc.
13. INTERNAL FIREWALLS, NETWORK SEGMENTATION, INTERNAL IDS
• Traffic to and from IoT devices should be isolated as much as possible from the rest of your network – VLANs, ACLs, etc.
• In healthcare it is becoming common to place a firewall in front of network-enabled medical equipment to restrict traffic flows
• IDS and threat detection are not just a good idea at the perimeter – they should be used to examine internal traffic as well
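The following is an added example, not part of the presentation, of what "examining internal traffic" from an isolated IoT segment can look like in practice. It evaluates NetFlow-style records against a per-segment allowlist (the firewall/ACL policy the slide describes) and separately flags any IoT device fanning out to many telnet destinations, since Mirai-class bots spread by scanning TCP 23 and 2323 for devices with default credentials. The IoT subnet, the allowlist, the threshold and the flow records are all constructed for the demo.

```python
"""Flag policy violations and telnet scanning in traffic leaving an IoT segment.

Added example for the segmentation/internal IDS slide; not code from the
presentation. Addresses, allowlist and flow records are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed IoT VLAN; in practice this comes from your segmentation design.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed allowlist: the only (destination, port) pairs an IoT device may reach.
ALLOWED_FLOWS = [
    (ipaddress.ip_network("10.10.5.10/32"), 443),   # camera NVR / management server
    (ipaddress.ip_network("10.10.5.53/32"), 53),    # internal DNS resolver
    (ipaddress.ip_network("10.10.5.123/32"), 123),  # internal NTP server
]

# Mirai's scanner probes telnet on 23 and 2323; fan-out to many hosts is the tell.
TELNET_PORTS = {23, 2323}
SCAN_FANOUT_THRESHOLD = 5  # distinct telnet destinations from one source before alerting


def is_allowed(src, dst, dport):
    """True if the flow is permitted by the IoT segment policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in IOT_SEGMENT:
        return True  # this policy only constrains flows that originate in the IoT segment
    return any(dst_ip in net and dport == port for net, port in ALLOWED_FLOWS)


def analyze_flows(flows):
    """Return (violations, scanners): flows outside policy, and sources with telnet fan-out."""
    violations = []
    telnet_targets = defaultdict(set)
    for f in flows:
        if not is_allowed(f["src"], f["dst"], f["dport"]):
            violations.append((f["src"], f["dst"], f["dport"]))
        if ipaddress.ip_address(f["src"]) in IOT_SEGMENT and f["dport"] in TELNET_PORTS:
            telnet_targets[f["src"]].add(f["dst"])
    scanners = sorted(src for src, targets in telnet_targets.items()
                      if len(targets) >= SCAN_FANOUT_THRESHOLD)
    return violations, scanners


# Constructed NetFlow-style records: a well-behaved camera, a device behaving like
# an infected bot (telnet to its neighbours and to a server), and a workstation.
SAMPLE_FLOWS = [
    {"src": "10.20.0.15", "dst": "10.10.5.10", "dport": 443},
    {"src": "10.20.0.15", "dst": "10.10.5.53", "dport": 53},
    {"src": "10.20.0.15", "dst": "10.10.5.123", "dport": 123},
    {"src": "10.20.0.42", "dst": "10.10.5.10", "dport": 23},
] + [
    {"src": "10.20.0.42", "dst": f"10.20.0.{n}", "dport": 2323} for n in range(43, 49)
] + [
    {"src": "10.30.0.5", "dst": "10.10.5.10", "dport": 443},  # not in the IoT segment
]


def run_sample():
    """Run the analysis over the constructed records."""
    return analyze_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    violations, scanners = run_sample()
    for v in violations:
        print("policy violation:", v)
    for s in scanners:
        print("suspected telnet scanner:", s)
```

Two things are worth noting in the design. Lateral IoT-to-IoT traffic is a violation here because the allowlist never names the IoT subnet as a destination, which is exactly the spread path an internal firewall between devices would block. And the scan detector is independent of the allowlist: even if telnet to one management host were legitimately permitted, a single device touching many telnet endpoints is still reported.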
14. ZERO TRUST
• With increasing virtualization of servers and desktops, security at the virtual machine level should not be ignored
• Software Defined Networking and security products like NSX and Hyper-V network virtualization make approaching zero trust networks more feasible
15. TOP 10 IOT SECURITY CONTROLS FOR IOT DEVELOPERS
• No default passwords or hardcoded passwords post initial setup
• Account lockouts after 3-5 failed logins
• Password complexity filters
• No unsecured connections
• No administrative access on internet-facing interfaces
• Network level access controls
• Update mechanisms
• Encryption at rest
• Differing account access levels
• Privacy by Design principles
http://www.codeguru.com/IoT/understanding-iot-security-for-iot-developers.html
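As an added example (not code from the presentation or from the codeguru article), here is how the first three controls above, together with the default-credential problem from the scanner.c slide, look when implemented on a device: the factory password only unlocks setup mode and is dead once a real password is set, new passwords are refused if they appear on the known-default list or fail a complexity filter, and the account locks after 5 failed logins. The lockout duration, the PBKDF2 parameters and the sample passwords are constructed; the default list is a subset of the 62 pairs shown on the scanner.c slide.

```python
"""Device login controls: default-credential rejection, forced change before
leaving setup, lockout after repeated failures, and a complexity filter.

Added example for the developer-controls slide; not the presentation's or the
codeguru article's code. Lockout length and sample credentials are constructed.
"""
import hashlib
import hmac
import os
import re
import time

# Subset of the 62 default pairs listed in Mirai's scanner.c (see slide 9).
# A real device would ship the full list, or a larger one, in firmware.
KNOWN_DEFAULT_PAIRS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("admin", "1234"),
    ("admin", "password"), ("root", "root"), ("ubnt", "ubnt"), ("support", "support"),
}
KNOWN_DEFAULT_PASSWORDS = {pw for _, pw in KNOWN_DEFAULT_PAIRS}

MAX_FAILURES = 5          # upper end of the 3-5 range recommended on the slide
LOCKOUT_SECONDS = 900     # constructed value
PBKDF2_ITERATIONS = 100_000


def password_rejection_reason(username, password):
    """None if the password is acceptable, otherwise a human-readable reason."""
    if (username, password) in KNOWN_DEFAULT_PAIRS or password in KNOWN_DEFAULT_PASSWORDS:
        return "password appears on the known-default list"
    if len(password) < 12:
        return "password shorter than 12 characters"
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        return "password must mix at least three character classes"
    return None


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; never store the password itself on the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class DeviceAuth:
    """Single-account authenticator; the factory password only unlocks setup mode."""

    def __init__(self, username, factory_password):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(factory_password, self.salt)
        self.setup_complete = False
        self.failures = 0
        self.locked_until = 0.0

    def set_password(self, new_password):
        reason = password_rejection_reason(self.username, new_password)
        if reason:
            raise ValueError(reason)
        self.salt = os.urandom(16)
        self.digest = hash_password(new_password, self.salt)
        self.setup_complete = True   # the factory credential no longer exists
        self.failures = 0

    def login(self, username, password, now=None):
        """Return 'ok', 'setup_required', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"          # credential is not even evaluated while locked
        candidate = hash_password(password, self.salt)
        if username == self.username and hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return "ok" if self.setup_complete else "setup_required"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "denied"


if __name__ == "__main__":
    dev = DeviceAuth("admin", "admin")       # factory state, as shipped
    print(dev.login("admin", "admin"))       # setup_required
    dev.set_password("Tr0ub4dor&Camera!")
    print(dev.login("admin", "admin"))       # denied
```

Passing `now` explicitly keeps the lockout logic testable without sleeping; on a device it would default to the real clock as shown. Returning `locked` before hashing means an attacker cannot distinguish a correct from an incorrect guess during the lockout window.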
16. HOW DO WE GET MANUFACTURERS TO CARE
• Consumers need to put economic pressure on manufacturers to produce secure devices
• Customers need to vote with their wallet and not purchase products that cannot be properly secured
• The average consumer does not know enough about security to make good decisions as to which products are secure and which are not
17. IOT NUTRITION LABEL
• Makes it easy for non-savvy consumers to compare the security of IoT devices
• If enough industry backing can be gained so that such labelling becomes commonplace, vendors will strive to eliminate red Xs from their labels