Securing IoT Devices in the Agency

In a government agency or corporate enterprise, users and administrators must protect the network against malicious access. Internet of Things (IoT) devices give anyone who wants to compromise the network and reach privileged information an entry point. They are convenient for users, but they must be secured to prevent unauthorized access. The first step is to follow agency security policy, which includes changing the default username and password on every device that can connect to the network. In the government world there are enterprise-wide security policies and procedures, including access controls such as authentication and firewalls, and VPN-enforced connections when working outside the agency network. These policies cover all networked devices. Check with your agency that its security protocols and policies are being followed for every networked device.

IoT devices raise many security problems. Many of them (printers included) ship with a 12-year-old OpenSSH configuration weakness. Ory Segal and Ezra Caltum of Akamai Technologies identified the problem and named the resulting attack "SSHowDowN Proxy": a device that exposes SSH with default credentials and leaves TCP forwarding enabled can be used as a relay against "a multitude of Internet targets and Internet-facing services, such as HTTP, SMTP and Network Scanning." Using the devices to mount attacks against the networks they sit on is also common. In the worst case, attackers could use these devices to take over compromised machines completely and access or tamper with data. Protecting data at rest is important in the current enterprise environment and is prescribed by the NIST 800-53 Revision 4 controls. The chief information officer of every agency should have security controls in place that meet those guidelines.
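As an added example (not code from the article or from Akamai's research), the following Python script audits an OpenSSH server configuration for the settings that make a SSHowDowN-style relay possible: TCP forwarding left at its documented default of enabled, and password logins for root. It assumes the sshd_config(5) defaults for the directives it lists; the two configuration texts are constructed samples, not files taken from a real device.

```python
import re

# Defaults from sshd_config(5) for the directives this audit cares about; an
# absent directive means the default applies. PermitRootLogin defaulted to
# "yes" on OpenSSH releases before 7.0, so an absent line is treated as "yes"
# here to be conservative (assumption about the device's build).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# Constructed sample: the kind of sshd_config a device ships with. Nothing
# turns TCP forwarding off, and password logins as root are allowed.
WEAK_CONFIG = """\
# factory sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: the same service hardened against SSHowDowN-style abuse.
HARDENED_CONFIG = """\
Port 22
AllowTcpForwarding no
GatewayPorts no
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""


def parse_sshd_config(text):
    """Return {directive_lower: value} for the first occurrence of each
    directive, which is the one sshd honours. Parsing stops at the first
    Match block, whose directives are conditional (simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Key value" and "Key=value".
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return one finding string per setting that lets a default-credential
    login turn the device into a relay or hand over a root shell."""
    cfg = parse_sshd_config(text)
    eff = {k: cfg.get(k, v).lower() for k, v in DEFAULTS.items()}
    findings = []
    if eff["allowtcpforwarding"] != "no":
        findings.append("AllowTcpForwarding is not 'no': logged-in clients can relay TCP through the device")
    if eff["gatewayports"] != "no":
        findings.append("GatewayPorts lets remote hosts connect to forwarded ports")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication enabled: factory or weak passwords are usable")
    if eff["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Run it against the sshd_config pulled from a device (or from its firmware image) before the device is allowed on the network; the weak sample produces three findings because the forwarding directive is simply missing, which is exactly the case SSHowDowN abused.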

Another IoT threat is the Mirai malware. Since 2016 there have been several large distributed denial-of-service (DDoS) attacks launched from networked IoT devices. The attackers use a botnet: networked devices infected with malicious software and controlled as a group without their owners' knowledge. Mirai enslaves these devices remotely and gives them one purpose: to flood a target with traffic and create a DDoS attack. The attack on the Krebs on Security blog in September 2016 was one of the largest DDoS attacks on record at the time. According to the United States Computer Emergency Readiness Team (US-CERT), it exceeded 620 gigabits per second (Gbps).

Mirai carries a list of 62 common default username and password pairs, including published factory defaults for specific devices, and continuously scans the Internet for devices that accept one of them. Once logged in it infects the device and adds it to the botnet. On command, the infected devices flood a networked target, such as a server, with packets; the server cannot handle the volume and becomes unavailable. That is a DDoS attack, and end users may never know their IoT device took part in it.

There were also Mirai botnet attacks on Deutsche Telekom and on the DNS provider Dyn; the Dyn attack made popular sites, including Twitter, Spotify, SoundCloud, and Shopify, unreachable for about five hours on the East Coast of the United States. The devices involved were primarily home routers, network-enabled security cameras and digital video recorders. Traffic to port 48101, which infected devices use to report back to the attacker, is one indicator a network administrator can watch for, along with outbound Telnet scanning on ports 23 and 2323; it is not the only sign that devices are taking part in a botnet.

An agency's security and network specialists must work together to detect and remediate these issues; it is easier to prevent an attack than to stop one in progress. US-CERT publishes alerts on newly reported vulnerabilities, and the agency's chief information officer should make sure that guidance reaches the right teams. Each major IT system should be registered for US-CERT notifications. Usually a security specialist on the team analyzes each US-CERT notification and responds with a remediation plan and a target date; US-CERT typically gives a timeframe within which the vulnerability should be remediated.

Mirai is programmed to hijack connected IoT devices that still use the username and password set at the factory before the device shipped. The best thing a user or administrator can do is change those defaults as soon as the device is configured. If a device is nonetheless infected by Mirai, follow these steps, as recommended by US-CERT:

  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware.
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. See US-CERT Tip Choosing and Protecting Passwords for more information.
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly re-infected with the Mirai malware.

Mitigation from US-CERT

To prevent IoT devices from being infected by Mirai, US-CERT also recommends these precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Change the default username and password on all Internet-connected devices, including printers and routers.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices. This responsibility will fall on your Acquisition team.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, change the password and only allow it to operate on an encrypted network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
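The port indicators in the last two items above, and the port 48101 traffic mentioned earlier in the article, can be checked mechanically against connection logs. The following Python script is an added example, not code from the article or from US-CERT: it reads connection log lines, counts distinct Telnet destinations per internal source, and flags any host that connects to 48101/TCP. The log layout, the sample lines and the scan threshold are constructed assumptions; adapt the parser to your firewall's or flow collector's export format.

```python
from collections import defaultdict

# Mirai's scanner targets Telnet on 23/TCP and 2323/TCP; infected devices
# report results to the attacker on 48101/TCP (ports as listed by US-CERT).
TELNET_PORTS = {23, 2323}
REPORT_PORT = 48101
# Distinct destinations on Telnet ports before a source counts as a scanner.
# The value is an assumption; tune it to the number of hosts your
# administrators legitimately manage over Telnet.
SCAN_THRESHOLD = 5

# Constructed sample in a simplified "timestamp src dst dport proto" layout
# (an assumption, not any vendor's real format). 10.0.5.23 behaves like an
# infected camera; 10.0.5.40 is an admin workstation that uses Telnet once.
SAMPLE_LOG = """\
2016-10-21T11:00:01Z 10.0.5.23 198.51.100.7 23 tcp
2016-10-21T11:00:01Z 10.0.5.23 198.51.100.8 23 tcp
2016-10-21T11:00:02Z 10.0.5.23 198.51.100.9 2323 tcp
2016-10-21T11:00:02Z 10.0.5.23 203.0.113.10 23 tcp
2016-10-21T11:00:03Z 10.0.5.23 203.0.113.11 2323 tcp
2016-10-21T11:00:03Z 10.0.5.23 203.0.113.12 23 tcp
2016-10-21T11:00:03Z 10.0.5.23 203.0.113.12 23 tcp
2016-10-21T11:00:04Z 10.0.5.23 203.0.113.9 48101 tcp
2016-10-21T11:00:05Z 10.0.5.40 10.0.1.2 23 tcp
2016-10-21T11:00:06Z 10.0.5.40 93.184.216.34 443 tcp
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (src, dst, dport) or None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "tcp":
        return None
    try:
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def detect_mirai_indicators(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return {"telnet_scanners": {src: distinct_targets},
               "report_senders": {src, ...}} for the indicators found."""
    telnet_targets = defaultdict(set)
    report_senders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport in TELNET_PORTS:
            telnet_targets[src].add(dst)  # repeated hits on one host count once
        elif dport == REPORT_PORT:
            report_senders.add(src)
    scanners = {src: len(t) for src, t in telnet_targets.items()
                if len(t) >= scan_threshold}
    return {"telnet_scanners": scanners, "report_senders": report_senders}


if __name__ == "__main__":
    result = detect_mirai_indicators(SAMPLE_LOG)
    for src, n in result["telnet_scanners"].items():
        print(f"{src}: Telnet connections to {n} distinct hosts (Mirai-style scanning)")
    for src in sorted(result["report_senders"]):
        print(f"{src}: connection to {REPORT_PORT}/tcp (report to threat actor)")
```

Counting distinct destinations rather than raw connections is what separates a scanning device from an administrator who opens a Telnet session to one switch; on the sample the camera is reported on both indicators while the workstation is not. Any host the script flags is a candidate for the disconnect, reboot and password-change steps listed earlier.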

Preventive Steps

By working together and following all security guidelines, both agencies and end users can help secure their networks against attackers who exploit IoT device vulnerabilities.