SecureMac, Inc.

Kaiji malware: a new IoT threat

May 13, 2020

Security researchers have discovered a new family of malware, dubbed “Kaiji”, that targets Internet of Things (IoT) devices and Linux servers.

In this short article, we’ll tell you what you need to know about Kaiji, show you how to stay safe, and try to answer common technical questions about IoT security.

What is the IoT?

The Internet of Things, or IoT, refers to the rapidly growing network of smart devices spread out around the world. The IoT consists of every imaginable type of smart “thing”, from TVs and home security cameras to coffee pots, children’s toys, and running shoes. 

So just how big is the Internet of Things? It’s estimated that there are over 20 billion smart devices around the world today, with that number predicted to more than double over the next 10 years.

And like any connected device, an IoT “thing” can be attacked by hackers. Given the proliferation of smart devices, that’s a lot of potential targets for the bad guys.

What does Kaiji do?

According to the researchers who discovered Kaiji, the malware is designed to infect as many IoT devices and Linux servers as possible, in an attempt to create what’s known as a botnet. Botnets are networks of Internet-connected devices that have been infected with malware. Hackers use botnets to carry out different kinds of malicious activities.

In the case of Kaiji, the end goal was to create a botnet capable of launching Distributed Denial of Service (DDoS) attacks. In a DDoS attack, compromised devices all send some form of bogus network traffic to a designated target at the same time. For example, they may send connection requests, but then ignore the target system when it attempts to answer them. The flood of spurious requests ties up the resources of the target system. If the botnet is able to send enough traffic to overwhelm its target, legitimate users will be prevented from accessing the services they need. 

How does Kaiji infect its targets?

Kaiji uses SSH brute-forcing to infect its targets. Let’s break down what that means.

SSH, also called Secure Shell, is a protocol used for remote logins from one computer to another. It’s often used by system administrators to create secure connections to a remote machine. 

The idea of a protocol that allows someone to log in to a device remotely may seem scary, but skilled users can take steps to make SSH safe. For example:

  • They can create a strong, unique SSH login password or, better yet, require SSH key-based authentication, which is far more secure. 
  • They can set their system up to receive SSH connection requests on a non-standard network port. Typically, SSH runs on network port 22, and if an automated malicious program is looking to create an SSH connection to a device on a network and is unable to do so on port 22, it will likely move on to another target.
  • They can completely disable SSH logins for the root (administrative) account, to reduce the risk of a bad actor abusing SSH to take control of the entire network. 

SSH brute-force attacks look for systems that have taken none of these precautions. They scour the web for devices with publicly exposed SSH ports (ports that accept login requests from anyone and everyone over the Internet) and that are “protected” by weak passwords — either default passwords like “admin” or common bad passwords like “123456”. This is what Kaiji does, in an attempt to access vulnerable root user accounts via SSH.
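The three precautions above (key-based rather than password logins, a non-default port, and no root login over SSH) correspond to three sshd_config directives. The following is an added example, not code from the article: a small audit script that reads an sshd_config and reports whichever of those three settings is still in its weak state. It assumes OpenSSH 7.0 or later defaults for directives that are absent, and it ignores anything after the first `Match` block because those settings are conditional. The two sample configurations are constructed for illustration.

```python
# Added example (not the article's code): audit an sshd_config for the three
# SSH precautions described above. Assumes OpenSSH >= 7.0 defaults for absent
# directives; parsing stops at the first "Match" block (conditional settings).
DEFAULTS = {"permitrootlogin": "prohibit-password",  # OpenSSH >= 7.0 default
            "passwordauthentication": "yes", "port": "22"}

def parse_sshd_config(text):
    """Effective global directives: keywords are case-insensitive, the first
    occurrence of a keyword wins, and the "keyword=value" form is accepted."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional section; not a global setting
        if key in DEFAULTS and key not in seen:
            seen.add(key)
            effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective

def audit_sshd_config(text):
    """Return a list of findings; an empty list means all three are in place."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: brute-forceable; prefer keys")
    if cfg["port"] == "22":
        findings.append("Port 22: default port, the first one scanners try")
    return findings

# Constructed sample configs: factory-style defaults beside a hardened one.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["all three precautions in place"])
```

On a real host, point it at the contents of /etc/ssh/sshd_config and remember that a non-default port only deters automated scanning; the other two settings are what actually stop password guessing.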

How to stay safe from Kaiji (and other IoT threats)

First, some good news. According to the researchers who discovered Kaiji, it still appears to be in the development phase. So for the moment, there’s probably no imminent danger. But that’s not to say that Kaiji won’t become a more serious threat in time — and there are certainly plenty of other IoT security issues to think about. 

With that in mind, here are five basic precautions you can take to secure the smart things in your home or office:

  1. Always change default passwords on IoT devices and WiFi routers. Many people simply stick with the factory default credentials, which gives the bad guys an easy way onto your network. Just as you would do with other accounts and services, make sure you create strong, unique passwords for your smart things and routers.

  2. Hunt for quality when buying smart devices. The IoT device marketplace is notorious for its shoddy security standards. Far too many manufacturers rush to get products onto store shelves without giving much thought to safety. Shop for smart things that are made by established vendors who have a reputation for robust security and dedicated support.

  3. Regularly update the firmware on your routers and IoT things. These devices receive security patches from their manufacturers just like your OS and your apps do, so enable automatic updates whenever possible or, failing that, schedule some time to run manual updates at regular intervals.

  4. Keep your IoT devices off of the Internet, and keep them on a different network from the one you use for your computers and mobile devices (anything that contains sensitive data). Most routers have some sort of firewall that can be used to shield devices from the Internet. Similarly, many routers allow you to set up a Virtual Local Area Network (VLAN), which acts as an isolated subnetwork separate from your main network. That way, even if an IoT device is compromised, it still won’t affect your most important data.

  5. If you’re feeling somewhat technical, check out the web interface for all of your IoT devices to see if remote login services like Telnet and SSH are enabled. If so, consider switching them off if you don’t anticipate using them.

Kaiji isn’t the first IoT threat, and it won’t be the last. But by taking commonsense measures to lock down your connected devices and networks, you can greatly improve your security posture — and the chances that the next strain of IoT malware will pass you by in search of an easier target!