Learning from major cyber security incidents
Learning from major cyber security incidents

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

Free course

Learning from major cyber security incidents

4.2 How did it work?

Many consumer connected devices (sometimes known as IoT device) are built on an off-the-shelf embedded open source Linux platform, such as the Busybox. These devices are designed to be low cost and plug-and-play (easy to use).

To compete for the market, manufacturers often focus their designs on functionality and ease of use rather than security. To allow the convenience of remote controlling these devices, a standard server is often embedded and turned on by default so that users can control these devices anywhere once they are powered on and connected to the internet. The two commonly used servers are based on Teletype Network (Telnet) and Secure Shell (SSH), which are network protocols for providing a remote terminal to control a computer system. From this terminal, a user can completely take control of the computer, including the ability to download, install and execute software. SSH is more secure than Telnet as it uses encryption to protect the transmission of the data. However, as many of these IoT devices use default factory usernames and passwords, which can be found by a web search, even SSH’s encryption cannot protect against unauthorised access.

The Mirai malware exploits this remote control feature and uses it to take control of the connected devices. The botnet owner starts by installing the Mirai botnet software on a master computer, which will have overall control of the botnet. The software will continuously scan the internet using random IP addresses on ports 22 and 23, which are the default network ports for the SSH and Telnet servers respectively.

Once a victim is identified, Mirai will try and log in to their SSH/Telnet server using a list of known default usernames and passwords for commonly used consumer connected devices. After logging in to the device, the malware will record the device’s IP address, remote server type, username and password on its master computer for future reference. It will then download a copy of the Mirai malware and execute it on the victim’s computing system, which then becomes a part of the botnet and also scans the internet to find more victims. To ensure it has exclusive control of the device and to prevent other botnet malware from exploiting it, the malware will also close the ports for the SSH and Telnet servers and open secret ports for exclusive remote control of the device.

As these computing devices are usually running on fixed firmware, the malware cannot be installed on the device’s operating system. This means the malware will be erased if the device is rebooted. However, the malware keeps a record of its connection information at the master computer, so if a device is rebooted the master computer can attempt to reconnect to it quickly using the recorded connection information.

As mentioned before, a traffic volume of 20–40 Gbit/s is usually sufficient to bring down an ordinary website. In the Dyn attack, the Mirai botnet was thought to have control over 450 000 devices, each of which could generate 1–30 Mbit/s of traffic. This enabled the botnet owner to attack a website with hundreds of gigabits per second of traffic, which is enough to bring down even a well-protected company such as Dyn (Xander, 2016).

Another strength of the Mirai botnet is that it consists of devices randomly distributed all over the world. This randomness makes it very difficult to defend against a DDoS attack: because there is no apparent pattern to the traffic, it is hard to filter out the unauthorised traffic from the legitimate traffic.

Activity 12

Timing: Allow about 15 minutes

Based on what you have learnt about the Mirai malware, what are the basic measures you should put in place to secure your connected devices?


To prevent your connected devices from being used as part of a botnet, you should at least do the following:

  • Change the device’s default login name and password to something you can remember but would be hard for someone else to guess.
  • If you are not intending to remotely access these devices using Telnet and SSH, ensure your firewall blocks all incoming connections to ports 22 and 23.

The following two points were not covered in the study material fully, so you are not expected to have picked them up. However, they are also basic measures to prevent IoT devices from being attacked:

  • Check and update the firmware of your connected devices regularly.
  • If your internet connection has become slower than usual, disconnect all the connected devices to see if the connection speed improves. If it does, there may be a problem with one of the connected devices.

Take your learning further

Making the decision to study can be a big step, which is why you'll want a trusted University. The Open University has 50 years’ experience delivering flexible learning and 170,000 students are studying with us right now. Take a look at all Open University courses.

If you are new to University-level study, we offer two introductory routes to our qualifications. You could either choose to start with an Access module, or a module which allows you to count your previous learning towards an Open University qualification. Read our guide on Where to take your learning next for more information.

Not ready for formal University study? Then browse over 1000 free courses on OpenLearn and sign up to our newsletter to hear about new free courses as they are released.

Every year, thousands of students decide to study with The Open University. With over 120 qualifications, we’ve got the right course for you.

Request an Open University prospectus371