Fixing the average internet user's IoT Vulnerabilities
Calvin Hendriks
University of Twente, P.O. Box 217, 7500AE Enschede, The Netherlands


c.hendriks@student.utwente.nl

ABSTRACT

For the last couple of years, the Internet of Things (IoT) has grown rapidly. Often, the objects connected to the IoT contain security vulnerabilities, which can be exploited to perform Distributed Denial of Service (DDoS) attacks. The problem is that most of these devices are owned by non-technical users who do not know their devices are compromised and, if they do know, do not know how to act in order to protect them. This paper aims to raise the awareness of the average Internet user of the misuse of their IoT devices to perform DDoS attacks. We propose an easy-to-use methodology that enables non-technical users to discover the vulnerabilities in their IoT devices and protect themselves against them.

Keywords

Internet of Things, DDoS attacks.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. 27th Twente Student Conference on IT, July 7th, 2017, Enschede, The Netherlands. Copyright 2017, University of Twente, Faculty of Electrical Engineering, Mathematics and Computer Science.

1. INTRODUCTION

The Internet of Things (IoT) is a concept in which everyday objects, especially ones not considered computers (e.g., smart thermostat, health monitor, IP-camera), generate and exchange data through the Internet. It has been estimated that a total of 20.8 billion devices will be connected by 2020. By that time, consumers and enterprises combined will have spent 3,010 billion dollars on connected 'things' [7]. Although very beneficial for the economy, this growth also brings some problems. Studies and events have proven that IoT devices were not essentially designed to provide secure communication. A study by a large IT company, Hewlett-Packard, showed that 70 percent of the world's most commonly used IoT devices contain serious vulnerabilities [9]; 10 of the most commonly used IoT devices were tested and, on average, they contained 25 vulnerabilities. Among the tested devices were smart thermostats, sprinkler controllers and door locks.

The fact that these devices are so poorly secured has led to some alarming situations. The FBI has already put out an alert [5] stating that the IoT increases the target space for malicious cyber actors. One of the biggest uses of IoT devices to cyber threat actors is their ability to participate in a DDoS attack. A DDoS attack is an attack against an online service by overloading it with requests, attempting to make the service unavailable to users. Over the last couple of years, we have already seen an increase in the number and size of DDoS attacks using IoT devices. The attack on Domain Name Service (DNS) provider Dyn in 2016, for example, was the largest DDoS attack on record [16]. This made online services and platforms such as BBC, Netflix, PayPal and Twitter unavailable for hours.

The New Jersey Cybersecurity and Communications Cell (NJCCIC) released a document stating that botnets formed by compromised IoT devices almost certainly will lead to more frequent, more disruptive DDoS attacks, many of which will initially lack a clear motive behind the selection of targets. In this document, they also give some recommendations on how to prevent IoT devices from being compromised. They include actions like changing default passwords, updating IoT devices with security patches and disabling Universal Plug and Play (UPnP) on routers [15].

The recommendations from NJCCIC above have, however, proven to be difficult for the average internet user. A survey by security technology vendor Bullguard shows that 72 percent of the 6000 respondents do not know how to configure a router to keep their home network secure, even though 63 percent described their computer skills as intermediate or advanced [3]. While the market for smart devices is growing, people are mostly only aware of these dangers in older devices like laptops, tablets and mobile phones. As shown in Figure 1, only 20 percent of consumers are aware that these risks also come with drones, as opposed to 76 percent for laptops [10].

[Figure 1. Consumer awareness regarding vulnerabilities [10].]

Even though a quick Google search like "protect IoT devices" gives about results, most people are unaware of these vulnerabilities to begin with or they are not able to follow the instructions or install the program. This paper aims at making the average internet user aware of the vulnerabilities in their IoT devices by proposing an easy-to-use script which, once given consent, scans a network for common vulnerabilities and automatically tries to patch these exploits when possible. The user can volunteer to have this script scan their network by registering on a website. However, it must be certain that unintended users who falsify the identity of volunteers cannot exploit this website.

In order to achieve the goals stated in the previous section, the following research questions (RQ) will be addressed:

RQ 1. What vulnerabilities in IoT devices are commonly exploited in DDoS attacks?
RQ 2. How can computer novices discover these vulnerabilities and protect themselves?
RQ 3. How can the identity of an online user be guaranteed?

2. RELATED WORK

Veerendra G.G [23] gives examples of how dangerous vulnerabilities in IoT devices can be and finishes with steps that vendors and customers could take to improve their IoT device security. However, as mentioned before, these steps have proven to be difficult to follow for the average internet user.

Tianlong Yu et al. [25] list known vulnerabilities in IoT devices and deliver a concept which uses micro middleboxes to protect IoT devices. Although we support this idea, it requires an extra piece of hardware, which complicates deployment. Furthermore, the average internet user will not have the skills to configure these micro middleboxes and therefore many devices will be left unprotected.

Multiple companies in the field of IT security have already released scanners that check networks for vulnerabilities in IoT devices [20]. Although these scanners are often not available for all platforms, and are difficult to use and/or understand for the average internet user, we can use them to compare results with our own script.
This paper contributes to the field of IoT device protection by delivering a service that is easy to use for all internet users, and aimed especially at those with no computer skills.

3. BACKGROUND

3.1 Internet Protocol Suite

The internet protocol suite, also called TCP/IP (after the original protocols in the suite), is a set of communication protocols used on computer networks such as the internet. It consists of four layers [14]: the application layer, the transport layer, the internet layer and the link layer.

Application layer

The application layer consists of application protocols such as the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). The application layer is responsible for communication between a program and the transport layer. Communication between the application layer and the transport layer goes through a port. Standard application protocols always use the same port (e.g., HTTP uses port 80 and SMTP uses port 25).

Transport layer

When a user is sending data, the transport layer receives data from the application layer and divides this data into several data packets. Data is added to these packets in the form of a header and the packets are sent to the internet layer. This header contains important control information, such as source and target port numbers. When receiving data, the transport layer receives data from the internet layer. Before sending the data to the application layer, the transport protocol reads the header to know to which port it needs to send the data. The most common protocol in this layer is the Transport Control Protocol (TCP). This protocol also checks if the received packets are intact and puts them in the correct order when necessary. Before any data can be transmitted, a connection must be established through a three-way handshake.

Internet layer

When sending data, the internet layer receives the packets from the transport layer and divides them into datagrams.
Like the transport layer, the internet layer adds a header to the datagrams. The most important information in these headers is the source IP address and the target IP address.

Link layer

The link layer is responsible for sending the data over a physical medium to another system. A commonly used protocol in this layer is the Address Resolution Protocol (ARP). ARP is responsible for translating an internet layer address (e.g. an IP address) to a physical address like a media access control (MAC) address.

3.2 Router

An IPv4 address consists of 32 bits, which makes a total of 2^32 addresses possible, only around 4.2 billion. As mentioned before, it has been estimated that in 2020 around 20.8 billion devices will be connected to the internet, so there are insufficient addresses to give each device connected to the internet a unique IP address. To solve the limited number of IP addresses, Internet Service Providers (ISPs) provide most households with only one public IP address, and a router in the household uses a method called Network Address Translation (NAT) to forward packets received on the public address to the correct device in the network. This device (and the others connected to the router) has its own private IP address assigned by the router. All the devices served by the router form a Local Area Network (LAN). Therefore, a private IP address is also called a LAN IP address.

When one of these devices wants to connect to something on the internet, e.g. a website, it sends a request to the router. The router reads the IP and TCP headers, changes the value of the source IP address to the public IP address of the router and changes the source port value to a randomly chosen port number. It then sends the datagrams to the destination IP address defined in the IP header. The webserver sends its response to the router's public IP address and the port that the router chose.
The router recognizes the port number in the datagrams (the one it randomly chose) and sends the datagrams to the correct LAN IP address. If a router receives datagrams that were not requested by any of its connected devices, it does not know where to send them, so it can only discard them. In this case, the router acts as a kind of firewall.

Port forwarding

If a device in the local network does want to receive data from outside the network, port forwarding should be set up on the router. Port forwarding redirects a request from one address and port combination to another. For example, a router with public IP address has a connected web server with private IP address listening on port 8080. In order to receive HTTP requests on the webserver, the owner of the router would have to make forwarding rules that tell the router to send all incoming datagrams with destination port 80 and destination IP address to port 8080 of the device with IP address.

IP spoofing

IP spoofing is the act of changing IP source addresses in the IP datagrams sent to a target [24] and is a potential problem for our website. The script we propose uses the IP address in the IP datagrams received from the client to determine which network it scans. If an attacker is able to communicate with our website using a spoofed IP address, he/she could scan a network that is not theirs. However, due to the way TCP establishes a connection, this is almost impossible.

TCP three-way handshake

As mentioned before, before any data is transmitted through a TCP connection, a three-way handshake is required between the client and the server. The TCP header attached to every packet the protocol sends contains a source port number, target port number, sequence number, acknowledge number and a code bit field. (It actually contains more, but this is not relevant for the scope of explaining the handshake.) The code bit field is 6 bits long and each bit acts as a flag that indicates the nature of the header. The three-way handshake typically looks like this:

1. When a client wants to establish a TCP connection, it sends a SYN packet (a packet with the SYN bit value set to 1) to the server with a random initial sequence number (ISN) and an acknowledge number of 0.
   The ISN in figure 2 is
2. If the server is listening, it responds with a SYN/ACK packet (SYN and ACK bits set to 1) that has the server's own ISN and an acknowledge number of the client's ISN plus one.
3. The last step in the three-way handshake is a packet sent by the client with a sequence number equal to the received acknowledge number and an acknowledge number of the received ISN plus one [1].

[Figure 2. The TCP three-way handshake [1].]

An attacker that spoofed the source IP address will not receive the ISN created at the server side, because the server will send the packets to this spoofed address. In order to complete the handshake, the attacker has to guess the ISN. The feasibility of such a prediction depends on the mechanism that is used to generate the ISN. In the past, these mechanisms were quite simple and predicting the ISN was possible. Therefore, completing the handshake with a spoofed IP address was possible. However, newer operating systems use a pseudorandom number generation algorithm to generate the ISN, and predicting the ISN created by this algorithm is extremely difficult [8]. As a result, it is nearly impossible to complete the three-way handshake with a spoofed IP address.

4. IOT VULNERABILITY ANALYSIS

In order to identify the vulnerabilities in IoT devices, we analyze the way Mirai exploited vulnerabilities in the devices it used to orchestrate a DDoS attack on DNS provider Dyn in October 2016. Furthermore, the Open Web Application Security Project (OWASP) Foundation has created a Top 10 of the most common vulnerabilities in IoT devices [17] and we match, when possible, the vulnerabilities used by Mirai to the ones identified by OWASP.

Insecure Web interface

Number one on the OWASP list is insecure web interfaces. Even though Mirai did not interact with any web interfaces directly, it did exploit a vulnerability that OWASP places in this category: lack of account lockout.
This means hackers can try one username with different passwords an unlimited number of times (brute forcing), since the username is not locked out. When account lockout is implemented, authentication attempts are simply blocked after a number of failed attempts. Mirai performed a dictionary attack on its targets using a list of 60 known default credentials [22]. The list of credentials can be found in Appendix A. If account lockout was implemented on the targets it acquired, the attack could have been blocked if the first couple of hits were not a match.

Insufficient Authentication/Authorization

The biggest vulnerability that users can solve themselves is insufficient authentication. The main problem that causes insufficient authentication is the use of weak passwords like 1234 or and the use of default passwords, as this makes it very easy to guess passwords. This can be prevented in a number of ways. The easiest is of course to use stronger passwords that include symbols, numbers and a combination of lower and upper case letters. Although the default username and password can be changed in the device's web interface most of the time, this does not always change the credentials used for SSH and Telnet connections. Sometimes there is no way for a user to change the SSH/Telnet login credentials [11]. This is a very serious issue and can only be fixed through a software update. As stated before, Mirai uses a list of 60 known default credentials to gain access to IoT devices. If users had simply changed the default password to a more complex password, the malware would not have been able to compromise so many devices, since brute forcing a strong password takes more time and is often less successful than a dictionary attack.

Insecure Network Services

Often, IoT devices have services listening on one or more of their ports. These ports include port 22 (SSH), port 23 (Telnet), port 80 (HTTP) and port 443 (HTTPS).
At first, this does not seem like a problem, since most consumers connect their IoT device to a router, which gives the device a Network Address Translation (NAT) address. This address cannot be directly reached from the internet.

However, IoT devices come shipped with Universal Plug and Play (UPnP) enabled by default. This protocol enables the device to ask a router (which also supports UPnP) to automatically forward a port. This means that this device can receive any packet that is sent from the internet to this port [11]. This feature is turned on by default because users may want to access their device from outside of their network, e.g. to check their IP cameras when they are on holiday. When a user does not wish to access the device remotely, UPnP should be turned off. Mirai scans the internet for devices that are reachable through port 23, the port used for the Telnet protocol.

5. SYSTEM DESCRIPTION

To protect the average internet user against malware like Mirai, we propose a script that, once a user has given consent, scans the user's network for open ports and, if they are found, tries to establish an authenticated connection using a file of default credentials. When a connection can be made, it then tries to change the current password that it found into a much stronger password. To make this script accessible to even the least computer-skilled user, we make it available on a webpage with just a click of a button. In this section we discuss the components that are used in order to make this possible.

5.1 XAMPP

XAMPP is a cross-platform Apache distribution containing MariaDB, PHP and Perl [19]. We use the Apache webserver to host our website and MariaDB to store our website's user login credentials. If users find any default credentials on their devices and decide to let our website change them, they are also stored in the database.

5.2 phpsecurelogin

In order to link the results from the script, such as changed passwords, to the correct user, we need a login system. phpsecurelogin is an open source PHP project that provides login functionality [2]. When users register on the registration page, their passwords are hashed with a random salt and stored in the MariaDB.
Furthermore, it also provides an anti-brute-force feature, as it blocks users from logging in for 2 hours after 5 failed login attempts. Using this code, it is possible to display different elements on a webpage depending on the login status of a user. For example, if users are not logged in, they cannot scan their network because a login button is displayed rather than the scan button. For an example, see Appendix B.

5.3 Nmap

In order to detect open ports on the network of a client, we use a program called Nmap [12]. Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. It was designed to rapidly scan large networks, but works fine against single hosts [16]. When a registered user is logged in and clicks on the scan button on the home page, a PHP script on the server is executed. This script gets the IP address of the client and gives it as an argument to Nmap. The results of Nmap are then displayed on the website. If the results contain the numbers 22 or 23 (ports associated with the SSH and Telnet protocols) and/or the words telnet or SSH, a button is displayed on the website. This button leads to another page where the client can run a script that scans for default passwords. See Appendix B for more details.

5.4 PHP Telnet

PHPTelnet is a freeware script that is able to create Telnet connections from PHP scripts [18]. In order to save time, we used an already existing class to make a Telnet connection to the previously acquired IP address and try to log in using a set of default credentials. When a correct set of credentials is found, the script performs the passwd command, which lets the authenticated user change the password. We set the password to a randomly generated string, which is encrypted and stored in the MariaDB database. For encryption and decryption of the passwords, we use the MariaDB AES_ENCRYPT() and AES_DECRYPT() functions.
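The scan step of Section 5.3, sketched as an added example (not the paper's PHP code): the client address is accepted only as an IPv4 literal before it becomes an Nmap argument, and the port table is parsed row by row instead of searching the output for "22", "23", "telnet" or "SSH". The function names, the `-sV` option and both sample outputs are assumptions constructed for illustration; the non-default ports 234 and 333 mirror the experiment in Section 6.1.

```python
import ipaddress
import re

# One row of Nmap's normal-output port table: "<port>/<proto> <state> <service> ..."
PORT_ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")
REMOTE_LOGIN_PORTS = {22: "ssh", 23: "telnet"}

# Constructed sample: SSH and Telnet moved to non-default ports.
SAMPLE_NONDEFAULT_PORTS = """\
Starting Nmap 7.50 ( https://nmap.org ) at 2017-06-20 14:05 CEST
Nmap scan report for 203.0.113.7
Host is up (0.012s latency).
PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.25
234/tcp open  telnet  Linux telnetd
333/tcp open  ssh     OpenSSH 7.4p1 Debian (protocol 2.0)
"""

# Constructed sample: only HTTP is open, but the timestamp contains "22" and
# "23" and a filtered row mentions telnet.
SAMPLE_HTTP_ONLY = """\
Starting Nmap 7.50 ( https://nmap.org ) at 2017-06-22 23:10 CEST
Nmap scan report for 203.0.113.7
Host is up (0.015s latency).
PORT   STATE    SERVICE VERSION
23/tcp filtered telnet
80/tcp open     http    Apache httpd 2.4.25
"""


def validate_target(remote_addr):
    """Accept a single IPv4 literal only; anything else raises ValueError."""
    ip = ipaddress.ip_address(remote_addr.strip())
    if ip.version != 4 or ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError("refusing to scan %s" % ip)
    return str(ip)


def build_nmap_argv(remote_addr):
    """Argument vector for subprocess.run(argv), so no shell parses the address.
    The -sV option is an assumption; the paper does not list its Nmap options."""
    return ["nmap", "-sV", validate_target(remote_addr)]


def open_ports(nmap_output):
    """Return (port, protocol, service) for every row whose state is exactly 'open'."""
    rows = []
    for line in nmap_output.splitlines():
        match = PORT_ROW.match(line.strip())
        if match and match.group(3) == "open":
            service = match.group(4).rstrip("?").lower()
            rows.append((int(match.group(1)), match.group(2), service))
    return rows


def remote_login_services(rows):
    """Pick SSH/Telnet by detected service name, falling back to the default port."""
    found = []
    for port, proto, service in rows:
        if service in ("ssh", "telnet"):
            found.append((port, service))
        elif proto == "tcp" and port in REMOTE_LOGIN_PORTS:
            found.append((port, REMOTE_LOGIN_PORTS[port]))
    return found


def substring_check(nmap_output):
    """The check as the text describes it: look for the numbers or words anywhere."""
    text = nmap_output.lower()
    return any(token in text for token in ("22", "23", "telnet", "ssh"))


if __name__ == "__main__":
    for name, sample in (("non-default ports", SAMPLE_NONDEFAULT_PORTS),
                         ("http only", SAMPLE_HTTP_ONLY)):
        print(name, substring_check(sample), remote_login_services(open_ports(sample)))
```

On the second sample the substring check reports a finding although no remote-login service is open, while the row parser returns an empty list.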
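The account lockout discussed in Section 4 and the "5 failed attempts, 2 hours" rule of Section 5.2, as an added example that is not phpsecurelogin's code: a login guard is replayed against a 60-entry list whose 30th entry is correct. The class names, the `cam-user` account and the `guess-NN` wordlist are constructed for illustration, and a deployed system would compare salted hashes rather than stored passwords.

```python
import hmac

MAX_FAILURES = 5                 # failed attempts allowed per window (Section 5.2)
LOCKOUT_SECONDS = 2 * 60 * 60    # 2 hours (Section 5.2)


class FakeClock:
    """Controllable time source so the example runs instantly and deterministically."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    """Rejects every attempt for a username once it has MAX_FAILURES recent failures."""

    def __init__(self, credentials, clock, max_failures=MAX_FAILURES):
        self._credentials = credentials   # username -> password (illustration only)
        self._clock = clock
        self._max_failures = max_failures  # None disables lockout
        self._failures = {}                # username -> timestamps of failed attempts

    def is_locked(self, username):
        if self._max_failures is None:
            return False
        now = self._clock()
        recent = [t for t in self._failures.get(username, [])
                  if now - t < LOCKOUT_SECONDS]
        self._failures[username] = recent  # forget failures older than the window
        return len(recent) >= self._max_failures

    def attempt(self, username, password):
        # The lock is checked first, so a correct guess made while locked is
        # rejected without ever being compared.
        if self.is_locked(username):
            return "locked"
        expected = self._credentials.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            self._failures.pop(username, None)
            return "ok"
        self._failures.setdefault(username, []).append(self._clock())
        return "denied"


def replay(guard, clock, username, guesses):
    """Submit one guess per second, stopping at the first success."""
    results = []
    for guess in guesses:
        result = guard.attempt(username, guess)
        results.append(result)
        clock.advance(1)
        if result == "ok":
            break
    return results


# Constructed 60-entry list; the 30th entry is the device's current password.
WORDLIST = ["guess-%02d" % i for i in range(60)]
CORRECT = WORDLIST[29]


def run(max_failures):
    clock = FakeClock()
    guard = LoginGuard({"cam-user": CORRECT}, clock, max_failures)
    results = replay(guard, clock, "cam-user", WORDLIST)
    return guard, clock, results


if __name__ == "__main__":
    for limit in (None, MAX_FAILURES):
        _, _, results = run(limit)
        print(limit, {r: results.count(r) for r in ("denied", "locked", "ok")})
```

Because the counter is keyed on the username, the same rule also keeps the legitimate owner out for the duration of the window.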
5.5 PHP Secure Communications Library

PHP Secure Communications Library is an open source PHP library that contains classes that enable SSH connections through a PHP script [4]. We perform the same actions as described above, only this time through an SSH connection.

5.6 PHPMailer

When users want to retrieve their device's new password, they can do so on the request page. This page has a button that links to the open source PHPMailer script [13]. This script gets the user id from the current session and gets the address stored in the database. If there is a device password stored there, it will be mailed to the corresponding address.

6. SETUP AND EXPERIMENT

To test the website and the script, a number of experiments were performed on different IP addresses and different operating systems. Three volunteers were contacted and asked if we could connect a laptop to their network to test the performance of our script. This laptop could dual boot the Kali Linux and Windows 10 operating systems. On both operating systems, a Telnet server, an SSH server and a web server were installed. Most hacked IoT devices have UPnP turned on and are therefore reachable from the internet. To mimic this behavior, the volunteers were asked to forward ports to our laptop in their router. Furthermore, a test user account was created on both operating systems with a password chosen from the list that our script checks.

6.1 Port Scan results

After the laptop was connected and the servers were up and running, our website and two other vulnerability scanners on the internet were visited to see which ports were discovered by the different websites. The websites were visited twice per network. The first time, the SSH and Telnet servers were listening on their default ports (22 and 23 respectively). The second time, however, we instructed the Telnet server to listen on port 234 and set the SSH server to listen on port 333 to see if the scanners would also find non-default ports. The first scanner we tested was Bullguard's Internet of Things scanner.
This scanner checks if any of the user's devices is on Shodan. Shodan is a search engine for the Internet of Things. It scans all the existing IPv4 addresses and reports if there is any port listening on them. Since there are around 4 billion IPv4 addresses, this takes some time, and therefore a device with an open port does not show up on Shodan immediately. If Bullguard does not find the user's IP address on Shodan, the user can do a deep scan. It is not explained on the website what kind of scan this is exactly. The second scanner we tested was the Mirai Vulnerability Scanner by Incapsula. However, due to problems explained in the next section, the results from these tests could not be measured. The results from Bullguard's deep scan and our website can be found in Figure 3.

[Figure 3. Port scan results: Bullguard, proposed website.]

6.2 Password Scan results

When the SSH or Telnet servers were found, we performed a scan on our website. For each combination of network, operating system and communication protocol, a scan was performed three times. The first scan had the correct password at the top position in the list that the script goes through. For the second scan, the correct password was placed in the middle of the list (30th entry) and for the last scan the password was placed at the end of the list.

[Table 1. Telnet scan results. Columns: OS; Network number; Time (s) for 1st; Time (s) for 30th; Time (s) for last. Rows: Linux, Linux, Linux.]

[Table 2. SSH scan results. Columns: OS; Network number; Time (s) to find 1st; Time (s) to find 30th; Time (s) to find last. Rows: Windows, Windows, Windows, Linux, Linux, Linux.]

7. DISCUSSION

As we can see in the results, Bullguard's scanner did not show all open ports on a user's device. It is hard to find an explanation for this, since we do not have access to the source code of Bullguard's scanner. Incapsula's Mirai Vulnerability Scanner does not show any open ports at all. Instead, it only informs the user that a device is found on the network that is vulnerable to Mirai injection attacks (Appendix C). The results also show us that our website showed all open ports at every scan performed.

Although the port scanning on our website worked flawlessly, a problem did occur when scanning for default passwords. As can be seen in table 1, the results for the scan through an SSH connection with a Windows machine are much faster than the results for the same scan on a Linux machine. The reason for this lies in the commands executed in the SSH command line interface.
When an SSH connection can be established, the script tries to execute the passwd command, which is a Linux command that changes the user's password. After the passwd command, the Linux machine asks for the old password and twice for the new password. This step-by-step process takes a significant amount of time because the Linux machine needs to verify that the supplied old password is indeed the old password and that the two new passwords match. However, the script does the exact same thing for the Windows machine and gets a "command not found" response every time, because passwd is not a Windows command. Therefore, the machine does not ask for the old and new passwords, and all responses from our webserver are seen as a new command and are not recognized. As a result, the script is executed much faster when communicating with a Windows machine. Meanwhile, since the script found a default password and has executed the passwd command, the script exits and informs the user that the password has been changed.

Furthermore, there are no results for a scan on a Windows machine through a Telnet connection, as can be seen in table 1. This is the result of the response that the Windows Telnet server sends when a login attempt is made. The response consists of a very large number of special characters, which causes the PHPTelnet script to function abnormally. The PHPTelnet script returns a successful login for every login attempt and therefore it is not possible to check if default credentials are used on the device. However, over 73 percent of IoT devices run on the Linux operating system, compared to just 9.5 percent for Windows [21].

Finally, when comparing the results from the password scans on a Linux system in both tables, a clear speed difference between both protocols is noticeable. While in the first column the results are much faster for the Telnet connection, the Telnet script takes a much longer time to complete when the password is at the middle or the end of the list. As the name already implies, Secure Shell is much more secure as it encrypts all transmitted data.
However, this security mechanism takes up room in the packets and therefore a lot more bandwidth is used compared to Telnet, which sends the data in plaintext. As a result, using the SSH protocol is supposed to be noticeably slower than the Telnet protocol. Yet the results show us that the SSH script is executed much faster when the passwords are in the middle or at the end of the list. Furthermore, the difference between the time to find the 1st and the time to find the last password is much larger when using the Telnet protocol (+/- 425 seconds) compared to using the SSH protocol (+/- 124 seconds, ignoring the Windows results). This implies that while the commands for changing the password are executed faster, the script that uses the Telnet protocol takes much more time per authentication attempt than the script that uses the SSH protocol. This could be the result of the Linux Telnet server or the way that the PHPTelnet script handles authentications.

To keep the user informed on the status of the script, a progress bar is shown while the scan is executed (see Appendix B).

8. CONCLUSIONS

When comparing the results from Bullguard's and Incapsula's IoT scanners against our own website, we can conclude that existing vulnerability scanners are not performing as expected, while our website is evidence that it is technically possible to deliver these expectations without an advanced setup. Furthermore, none of the current scanners on the market features the ability to change passwords. The results show that we can scan a device against a list of over 60 default credentials and change these passwords within a reasonable timeframe using the SSH and Telnet protocols. This answers research question 2 to a great extent. While the vulnerabilities are limited to default credentials and open ports, our script proves that it is possible for computer novices to discover vulnerabilities in their IoT devices and protect themselves against them with just the click of a button. Furthermore, research question 1 is answered in section 4 by analyzing the common vulnerabilities in IoT devices and explaining how Mirai exploits them. Finally, research question 3 is answered in the background section, where the TCP three-way handshake, which guarantees the identity of our users, is explained.

To make the website more effective, it should be able to change passwords on operating systems other than Linux and use more protocols than Telnet and SSH. Although changing default passwords will prevent most hacks that are performed on a large scale, there are a lot more vulnerabilities that hackers can exploit to gain access to devices. Therefore, more research has to be done on how to enable the average internet user to protect themselves against more specific vulnerabilities (e.g. device-specific vulnerabilities).

9. REFERENCES

[1] Beardsley, T. A., & Qian, J. (2010). The TCP Split Handshake: Practical Effects on Modern Network Equipment. Network Protocols and Algorithms, 2(1),
[2] Bradley, P. (2013). phpsecurelogin. Retrieved June 13, 2017, from
[3] BullGuard Limited (2016). Despite Fast Adoption of Internet of Things, A Shocking 72 Per Cent Of Consumers Don't Know How To Secure Their Connected Devices. Retrieved March 13, 2017, from
[4] Campbell, G., Fischer, A., Monnerat, P., Petrich, H., Wigginton, T. (2011). phpseclib PHP Secure Communications Library (2017). Retrieved June 20, 2017, from
[5] Federal Bureau of Investigation (2015). Internet of Things Poses Opportunities for Cyber Crime. Retrieved March 13, 2017, from
[6] Gamblin, J. (2017). Mirai-Source-Code. Retrieved June 26, 2017, from Source-Code
[7] Gartner Inc. (2015). Gartner Says 6.4 Billion Connected Things will be in Use in 2016, Up 30 Percent From Retrieved March 13, 2017, from
[8] Harris, B., Hunt, R. (1999). TCP/IP security threats and attack methods. Computer Communications, 22(10),
[9] HP Inc. (2014). HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack. Retrieved March 13, 2017, from
[10] Intel Corporation (2016). New McAfee Survey Reveals Only 42 Percent of Consumers Take Proper Security Measures to Protect Their New Gadgets. Retrieved June 27, 2017, from
[11] Krebs, B. (2016). Who Makes the IoT Things Under Attack? Retrieved June 27, 2017, from
[12] Lyon, G. (1997). Nmap Security Scanner (Version 7.50) [Software]. Retrieved May 10, 2017, from
[13] Matzelle, B. (2001). PHPMailer. Retrieved June 9, 2017, from
[14] Nath, P. B., & Uddin, M. (2015). TCP-IP Model in Data Communication and Networking American Journal of Engineering Research ( AJER ). American Journal of Engineering Research, (10), Retrieved from
[15] New Jersey Cybersecurity and Communications Cell (2016). DDoS: Internet-of-Things Likely to Fuel More Disruptive Attacks. Retrieved March 13, 2017, from
[16] Nicky Woolf (2016). DDoS attack that disrupted internet was largest of its kind in history, experts say. Retrieved April 3, 2017, from os-attack-dyn-mirai-botnet
[17] Open Web Application Security Project (2016). Top IoT Vulnerabilities. Retrieved June 27, 2017, from ies.
[18] Roundy, A. (2003). PHPTelnet (Version 1.1) [Software]. Available from
[19] Seidler, K., Vogelgesang, K. (2002). XAMPP (Version ) [Software]. Retrieved May 8, 2017, from
[20] Sheridan, K. (2016). New Free Mirai Scanner Tools Spot Infected, Vulnerable IoT Devices. Retrieved March 30, 2017, from
[21] Skerret, I. (2016). Profile of an IoT Developer: Results of the IoT Developer Survey. Retrieved June 26, 2017, from
[22] Van der Elzen, I., Van Heugten, J. (2017). MSc System and Network Engineering Techniques for detecting compromised IoT devices. Retrieved June 24, 2017, from
[23] Veerendra G.G. (2016). Hacking Internet of Things (IoT ) A Case Study on DTH Vulnerabilities. Retrieved March 30, 2017, from IoT-A-Case-Study-on-Tata-Sky-DTH-Vulnerabilities.pdf
[24] Velasco, V. (2000). Introduction to IP Spoofing This. SANS Institute InfoSec Reading Room. Retrieved June 27, 2017, from
[25] Yu, T., Sekar, V., Seshan, S., Agarwal, Y., & Xu, C. (2015). Handling a trillion (unfixable) flaws on a billion devices. Proceedings of the 14th ACM Workshop on Hot Topics in Networks - HotNets-XIV,

APPENDIX

A. MIRAI DEFAULT CREDENTIALS

[Table: default username and password pairs used by Mirai]

B. WEBSITE

B.1 Website homepage when user is not logged in

B.2 Website homepage when user is logged in

B.3 Port scan result

B.4 Password scan progress bar

C. INCAPSULA WARNING


More information

Chapter 11: It s a Network. Introduction to Networking

Chapter 11: It s a Network. Introduction to Networking Chapter 11: It s a Network Introduction to Networking Small Network Topologies Typical Small Network Topology IT Essentials v5.0 2 Device Selection for a Small Network Factors to be considered when selecting

More information

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database

Vulnerability Management & Vulnerability Assessment. Nessus Attack Scripting Language (NASL). CVE databases, NVD database Case Study 2018 Solution/Service Title Vulnerability Management & Vulnerability Assessment Client Industry Cybersecurity, Vulnerability Assessment and Management, Network Security Client Overview Client

More information

5 IT security hot topics How safe are you?

5 IT security hot topics How safe are you? 5 IT security hot topics How safe are you? Why this whitepaper? We meet many people in IT, of various levels of experience and fields of work. This whitepaper is written for everybody who wants to read

More information

Advanced Network Troubleshooting Using Wireshark (Hands-on)

Advanced Network Troubleshooting Using Wireshark (Hands-on) Advanced Network Troubleshooting Using Wireshark (Hands-on) Description This course is a continuation of the "Basic Network Troubleshooting Using Wireshark" course, and comes to provide the participants

More information

Intrusion Attempt Who's Knocking Your Door

Intrusion Attempt Who's Knocking Your Door 10 Intrusion Attempt Who's Knocking Your Door By Kilausuria binti Abdullah Introduction: An intrusion attempt is a potential for a deliberate unauthorized attempt to enter either a computer, system or

More information

Man in the middle. Bởi: Hung Tran

Man in the middle. Bởi: Hung Tran Man in the middle Bởi: Hung Tran INTRODUCTION In today society people rely a lot on the Internet for studying, doing research and doing business. Internet becomes an integral part of modern life and many

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

WEB HOSTING SERVICE OPERATING PROCEDURES AND PROCESSES UNIVERSITY COMPUTER CENTER UNIVERSITY OF THE PHILIPPINES DILIMAN

WEB HOSTING SERVICE OPERATING PROCEDURES AND PROCESSES UNIVERSITY COMPUTER CENTER UNIVERSITY OF THE PHILIPPINES DILIMAN WEB HOSTING SERVICE OPERATING PROCEDURES AND PROCESSES UNIVERSITY COMPUTER CENTER UNIVERSITY OF THE PHILIPPINES DILIMAN Document Control Document Properties Title Author Document Type Filename File location

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

PRACTICING SAFE COMPUTING AT HOME

PRACTICING SAFE COMPUTING AT HOME PRACTICING SAFE COMPUTING AT HOME WILLIAM (THE GONZ) FLINN M.S. INFORMATION SYSTEMS SECURITY MANAGEMENT; COMPTIA SECURITY+, I-NET+, NETWORK+; CERTIFIED PATCHLINK ENGINEER ENTERPRISE INFORMATION SYSTEMS

More information