Last month, hackers took over CCTV cameras made by Taiwan-based company AVTECH to form botnets based on the infamous Mirai malware. What can be done to stop attackers exploiting IoT devices in this way?
Last month, hackers used a known vulnerability to take over closed circuit TV cameras to form botnets based on the now infamous Mirai malware.
Discovered by researchers at cybersecurity outfit Akamai, attackers used a flaw tracked as CVE-2024-7029 to take over CCTV cameras made by Taiwan-based company AVTECH.
The issue in the brightness setting of the cameras could be exploited remotely by injecting malicious code, allowing a Mirai variant called Corona to spread.
The worst thing about this attack is that it could have been avoided. Earlier that month, the US Cybersecurity and Infrastructure Security Agency (CISA) had issued an advisory warning about the dangers of the bug, which was apparently ignored by AVTECH, even though, according to Akamai, numerous other vulnerabilities in AVTECH devices are also being targeted by the Mirai botnet.
Mirai has been implicated in some of the biggest distributed denial of service (DDoS) attacks on record. It was first discovered in 2016, but nearly a decade later, Mirai is still causing havoc across the world.
It doesn’t take a genius to work out why; Internet of Things (IoT) devices are still largely unsecured, despite efforts from the industry and regulation aiming to change this. In many cases, the manufacturers are to blame.
IoT devices have not been historically built with security in mind and some of them are still using default passwords. Attackers are targeting these weaknesses specifically to recruit them into botnets, researchers say.
Mirai: One of the first
Mirai was one of the first botnets to target IoT devices for infection: It used weak credentials to compromise exposed devices, says Larry Cashdollar, Akamai security researcher.
“Its logic was simple and brilliant – scan the internet for IoT devices with factory default usernames and passwords, take control of them and add them to a network of bots,” says Boris Cipot, senior security engineer at the Synopsys Software Integrity Group.
Today, botnets continue to target weak or default credentials, as well as vulnerabilities in these devices. “Some botnet authors are discovering their own zero-day vulnerabilities to infect devices,” Cashdollar explains.
Botnets are frequently used for DDoS attacks or to send unsolicited emails, often for phishing, says Richard Werner, cybersecurity platform lead, Europe at Trend Micro. “The effects of botnet attacks, especially DDoS, can be critical for businesses as they will be confronted with massive amounts of requests that will flood their systems until they are unable to accept new tasks.”
Vulnerable devices
Making things worse, attackers have a wide choice of unsecured IoT devices to infect. “A variety of devices” could be compromised by IoT botnets, says Kyle Lefton, Akamai security researcher.
One of the most commonly targeted devices, aside from CCTV cameras, is routers, says Lefton. “You may not think that taking control of some routers or CCTV cameras, or a smart home device would be particularly useful, as they lack the processing power of a computer or server. However, if a botnet consists of hundreds or thousands of these IoT devices, it can become quite effective.”
Any type of device capable of receiving and sending commands over the internet is a potential target for botnet exploitation, says Werner. This includes smartphones, cars, TVs, cameras and even household appliances, he warns.
“While all these devices have certain weak spots, botnets primarily target those susceptible to automated infection,” Werner says. “This is most commonly devices with open software, especially when manufacturers neglect security updates. Generally, the cheaper a device is, the more likely it is to have vulnerabilities, making them attractive targets for botnet operators.”
Securing IoT
It’s clear that securing IoT devices is not an easy task. While efforts have been made in recent years to ensure security by design, securing a decade-old IoT unit that wasn’t built with that ethos – such as a CCTV camera – is more complex.
It is largely the fault of the manufacturers, says Callum Boal, head of security engineering at OnSecurity. “Both the initial Mirai variant, which relied on the widespread use of default credentials, and the newly identified variant targeting AVTECH CCTV cameras via a command injection vulnerability, exploit extremely simple vulnerabilities. These should have been discovered much earlier, suggesting negligence on the part of the manufacturer.”
Manufacturers need to be pushed towards designing devices with better in-built security, agrees Jamie Akhtar, Co-founder and CEO of CyberSmart. “Historically, there has been little incentive for device manufacturers to invest in the security of low-cost devices.”
This has begun to change with the UK’s consumer connectable product security legislation, which came into force earlier this year. Meanwhile, governments around the world are prioritising the secure by design principle, says Akhtar. However, he points out that in most cases, this will only affect newer devices.
Improving security in IoT requires a multi-faceted approach, starting with changing default passwords to strong, unique credentials, says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. “Regularly updating firmware to patch vulnerabilities is critical, as is implementing network segmentation to isolate IoT devices from sensitive systems.”
Enabling encryption for data transmission and employing robust authentication methods such as multi-factor authentication will further boost security, Morgan says.
CISOs and IoT
As long as IoT devices are exposed and easy to take over, the Mirai botnet and others like it are likely to prevail.
For CISOs, a mentality of audit and replace is key. “If you have devices that can’t be secured, you need to replace them,” says Patrick Fenner, co-founder and head of engineering at DefProc Engineering.
Patching is important, but it isn't always an option for end of life devices, says Lefton. “The ideal security measure in this situation is to migrate your hardware to newer devices that aren't susceptible to some of these older vulnerabilities.”
Preventing your IoT devices from being exposed to the public internet would “certainly help”, Lefton says. “Many botnets will mass scan common endpoints and ports for vulnerable devices,” he warns.
IoT devices should be treated the same as any other system and should be subject to hardening procedures, says Boal. “All default credentials should be changed, systems kept up to date, access logged, and proper network segmentation utilised.”
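One way a defender can act on the advice above to log access and watch for the mass scanning of default credentials that Mirai-style bots rely on. This is an added example, not code from the article or from any of the quoted companies: a small Python detector parses constructed IoT login records and flags any source that tries factory-default usernames across several devices, and notes where such a login succeeded (a device still on default credentials, which the article says should be reset or replaced). The log format, field names and the default-username list are assumptions made for the example.

```python
"""Spot Mirai-style default-credential sweeps in IoT access logs (added example)."""
import re
from collections import defaultdict

# Usernames that credential-scanning bots try first; a constructed subset, not a real wordlist.
DEFAULT_USERS = {"admin", "root", "support", "user"}

# Assumed log line format: "<ts> <device> <service> src=<ip> user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<svc>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source sweeping four cameras, one legitimate admin on the LAN.
SAMPLE_LOG = """\
2024-08-02T10:00:01Z cam-01 telnet src=198.51.100.7 user=root result=fail
2024-08-02T10:00:02Z cam-01 telnet src=198.51.100.7 user=admin result=fail
2024-08-02T10:00:04Z cam-02 telnet src=198.51.100.7 user=root result=fail
2024-08-02T10:00:05Z cam-03 telnet src=198.51.100.7 user=admin result=fail
2024-08-02T10:00:07Z cam-04 telnet src=198.51.100.7 user=admin result=ok
2024-08-02T10:01:00Z cam-02 https src=10.0.5.20 user=kate result=fail
2024-08-02T10:01:09Z cam-02 https src=10.0.5.20 user=kate result=ok
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_sweeps(log_text, min_devices=3):
    """Return {src: stats} for sources that tried default usernames on >= min_devices devices.

    stats holds the set of devices touched, the number of default-username attempts,
    and the set of devices where a default username logged in successfully."""
    stats = defaultdict(lambda: {"devices": set(), "default_user_tries": 0, "compromised": set()})
    for r in parse(log_text):
        if r["user"] not in DEFAULT_USERS:
            continue  # ordinary named accounts are not part of a default-credential sweep
        s = stats[r["src"]]
        s["default_user_tries"] += 1
        s["devices"].add(r["device"])
        if r["result"] == "ok":
            s["compromised"].add(r["device"])  # default login worked: reset creds or replace the unit
    return {src: s for src, s in stats.items() if len(s["devices"]) >= min_devices}


if __name__ == "__main__":
    for src, s in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: swept {len(s['devices'])} devices; default logins succeeded on {sorted(s['compromised'])}")
```

Run against real records, the same logic highlights both the scanning source to block at the network edge and the specific devices still accepting factory credentials.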
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist