The Department of Homeland Security (DHS) said Monday it is working to “develop a set of strategic principles for securing the Internet of Things.”

DHS made this announcement in the wake of last week’s distributed denial of service attack on Dyn, which led to outages on popular websites, including Amazon, Twitter, PayPal and others. The bot-laden attack involved the manipulation of infected IoT devices, which were turned into armies of zombies used to attack the servers hosting the sites.

The attack involved more than one million devices, including surveillance cameras and home entertainment systems. The malware used in this attack is known as Mirai, which compromises IoT devices connected to the internet.

On October 14, DHS issued a security alert about the threat posed by Mirai and other botnets, following the release of the Mirai source code into the wilds of the internet. The Mirai malware continuously scans the internet for vulnerable IoT devices, which are then infected and used in botnet attacks.

Another botnet, named Bashlite, belongs to another malware family responsible for other IoT botnet attacks, though the source code for this strain has not been made public. IoT devices still carrying their default passwords are most vulnerable to compromise, and can be easily exploited by the increasing number of botnets being generated continually.

DHS’s US-CERT gives the following mitigation steps:
In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware.
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. 
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take the following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
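
The two monitoring steps above can be applied to exported flow or firewall records. The following is an added example, not code from US-CERT or DHS: it flags local devices receiving Telnet attempts from outside, local devices contacting several outside hosts on Telnet ports, and local devices with traffic on port 48101. The record format, the local network range and the scan threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # ports named in the US-CERT guidance
REPORT_PORT = 48101         # port named in the US-CERT guidance
SCAN_THRESHOLD = 3          # assumption: distinct outside Telnet targets before flagging

# Constructed sample records: time src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2016-10-21T11:10:01Z 203.0.113.7 40112 192.168.1.50 23 TCP
2016-10-21T11:10:02Z 203.0.113.7 40113 192.168.1.50 2323 TCP
2016-10-21T11:12:30Z 192.168.1.60 51000 198.51.100.1 23 TCP
2016-10-21T11:12:31Z 192.168.1.60 51001 198.51.100.2 23 TCP
2016-10-21T11:12:32Z 192.168.1.60 51002 198.51.100.3 2323 TCP
2016-10-21T11:12:40Z 192.168.1.60 51003 203.0.113.99 48101 TCP
2016-10-21T11:13:00Z 192.168.1.20 52000 198.51.100.80 443 TCP
2016-10-21T11:13:05Z 192.168.1.20 52001 198.51.100.9 23 TCP
malformed line
"""

def analyze(flow_text, local_net="192.168.1.0/24"):
    """Return local devices matching the Telnet and port 48101 indicators."""
    net = ipaddress.ip_network(local_net)
    probed = defaultdict(set)    # local device -> outside sources trying Telnet
    scanning = defaultdict(set)  # local device -> outside Telnet destinations
    port_48101 = set()           # local devices seen with traffic on port 48101
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "TCP":
            continue  # skip malformed or non-TCP records
        try:
            src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[3])
            sport, dport = int(parts[2]), int(parts[4])
        except ValueError:
            continue
        src_local, dst_local = src in net, dst in net
        if dport in TELNET_PORTS:
            if dst_local and not src_local:
                probed[str(dst)].add(str(src))
            elif src_local and not dst_local:
                scanning[str(src)].add(str(dst))
        if REPORT_PORT in (sport, dport):
            port_48101.update(str(ip) for ip, is_local in ((src, src_local), (dst, dst_local)) if is_local)
    return {
        "telnet_probed": {dev: sorted(srcs) for dev, srcs in probed.items()},
        "telnet_scanners": sorted(h for h, t in scanning.items() if len(t) >= SCAN_THRESHOLD),
        "port_48101": sorted(port_48101),
    }
```

A device that appears under both `telnet_scanners` and `port_48101` is the first candidate for the disconnect, reboot and password-change steps listed earlier.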

Homeland Security convened a conference call on October 21, the day of the attack, with about “18 major communications services providers” to share information about the incident. The attack has been mitigated, according to DHS.