How to prevent Mirai botnet and other cyberthreats to Yún


By now most of you may know that the DoS attack on Oct. 21 used the help of a large botnet of IoT devices running the Mirai malware.

I quickly looked up whether the Yún is vulnerable to such attacks and found this paper exposing that the Yún does make an easy target for malware like Mirai and for other attacks like buffer overflows (see attachment).

In light of this I want to ask if there's a way to know whether your Yún is already part of the Mirai botnet, and what to do about it. Would reflashing the Yún back to factory settings do the trick?

And what extra steps can we take to prevent any Yún-based IoT from being attacked and joining the ranks of the botnet gangs and armies out there?

Thanks for your suggestions and tips in advance,


2016mal-iot.pdf (376 KB)

The paper is an interesting discussion, but the example attacks seem rather contrived. I find it interesting that he had to resort to adding a Bluetooth interface to the AVR processor side of the Yun, and use that Bluetooth interface to attack the sketch and then use that as a vector to get to Linux. For this paper, he added the Bluetooth interface to counter the inability to reach the Linux side "in cases when direct connections to those interfaces are impossible due to firewall configuration or other reasons."

His example program, that he used for his attack victim, appears to be carefully crafted to make it particularly vulnerable: he set it up so it accepts commands from Bluetooth, he made short command and argument buffers, and he explicitly does not check for buffer overruns.

med44: And what extra steps can we take to prevent any Yún-based IoT from being attacked and joining the ranks of the botnet gangs and armies out there?

Reading between the lines of his paper, it reinforces my initial thoughts on security:

  • First step: don't connect your Yun directly to the Internet! Put it behind a good firewall, and don't set up a port forward directly from the Internet to your Yun.
  • Secondly, use good programming practices in both your sketch and Linux processes: check input data before acting on it to make sure it is valid and not harmful, and always check for and prevent buffer overruns. (Never assume you will actually get the data you are expecting.)

Step one of exploiting any type of vulnerability is to gain access to the system. If you don't make it publicly visible to the Internet, and you don't add a communications method that allows access, then you have gone a long way toward protecting your creation.

However, it's not enough to only focus on incoming connections; you have to consider what outgoing connections your system may make: are they reaching the right destination, and can the data you are sending be intercepted or compromised? Is it downloading any data, perhaps reading tweets or similar data "from the wild"? If so, you've got to carefully check that incoming data to make sure it's safe (as the paper's author mentions, his code looks for '&' or '`' as a security method), but you've also got to check to make sure you don't overrun any buffer space and execute unintended code/data (as the paper's author explicitly created such an overrun vulnerability).

I don't mean to minimize the author's work: it is an important topic to be discussed. It's true that the Arduino universe is not focused on security; for the most part, that's not an issue when you have a simple hobbyist stand-alone project that doesn't do anything critical and isn't communicating with anything. But when you start to bring Internet connectivity into the equation, like the Yun, you do have to start thinking about these issues.
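As an added example (not code from the paper, from the reply above, or from the Yún's own Bridge library), the reply's two programming points in plain C: a sketch-style "command argument" parser that overruns its short fixed buffers, beside a hardened version that refuses overlong tokens instead of truncating them, matches the command against a fixed table, and allow-lists argument characters before composing the string that would be handed to the Linux side. The `/usr/bin/yun-<cmd>` helper-script prefix, the command names `led`/`temp`/`ping`, and the sample input lines are assumptions made up for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 8   /* deliberately short, like the victim sketch in the paper */
#define ARG_MAX 16

struct command { char cmd[CMD_MAX]; char arg[ARG_MAX]; };

/* The pattern to avoid: unbounded %s writes past cmd/arg as soon as a sender
 * supplies a token longer than the buffer. Shown for contrast only. */
static void parse_unsafe(const char *line, struct command *out)
{
    out->cmd[0] = out->arg[0] = '\0';
    sscanf(line, "%s %s", out->cmd, out->arg);
}

/* Copy a token only if it fits with its terminator; otherwise refuse.
 * Refusing beats truncating: a truncated argument silently changes meaning. */
static bool copy_token(const char *src, size_t len, char *dst, size_t dst_size)
{
    if (len >= dst_size)
        return false;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Split "cmd[ arg]" into bounded fields; false on empty command or overrun. */
static bool parse_safe(const char *line, struct command *out)
{
    const char *sp = strchr(line, ' ');
    size_t clen = sp ? (size_t)(sp - line) : strlen(line);
    const char *arg = sp ? sp + 1 : "";
    if (clen == 0 || !copy_token(line, clen, out->cmd, sizeof out->cmd))
        return false;
    return copy_token(arg, strlen(arg), out->arg, sizeof out->arg);
}

/* Commands are matched against a fixed table (hypothetical names); the raw
 * string from the wire is never handed to a shell. */
static const char *const KNOWN_CMDS[] = { "led", "temp", "ping" };

static bool cmd_is_known(const char *cmd)
{
    for (size_t i = 0; i < sizeof KNOWN_CMDS / sizeof KNOWN_CMDS[0]; i++)
        if (strcmp(cmd, KNOWN_CMDS[i]) == 0)
            return true;
    return false;
}

/* Allow-list of argument characters. A deny-list of only '&' and '`' would
 * still pass ';', '|', '$', quotes and newlines. */
static bool arg_is_safe(const char *arg)
{
    for (; *arg; arg++) {
        unsigned char c = (unsigned char)*arg;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return false;
    }
    return true;
}

/* Compose the Linux-side command line from vetted pieces only. The
 * "/usr/bin/yun-<cmd>" helper-script prefix is an assumption for this
 * example; on a real Yun the string would go to Bridge's Process. */
static bool build_shell_command(const char *line, char *out, size_t out_size)
{
    struct command c;
    if (!parse_safe(line, &c) || !cmd_is_known(c.cmd) || !arg_is_safe(c.arg))
        return false;
    int n = snprintf(out, out_size, "/usr/bin/yun-%s%s%s",
                     c.cmd, c.arg[0] ? " " : "", c.arg);
    return n > 0 && (size_t)n < out_size;
}

/* Check helper: true when 'line' is accepted and composes exactly to
 * 'expected'; pass NULL to check that it is rejected. */
static bool composes_to(const char *line, const char *expected)
{
    char out[64];
    bool ok = build_shell_command(line, out, sizeof out);
    return expected ? (ok && strcmp(out, expected) == 0) : !ok;
}

int main(void)
{
    /* Constructed inputs: one benign line, then lines an attacker on the
     * Bluetooth or serial side could send. */
    const char *samples[] = { "ping 10.0.0.1", "ping 10.0.0.1;reboot",
                              "ping `reboot`", "reboot now", "ledledledled on" };
    char out[64];
    struct command c;
    parse_unsafe("led on", &c); /* fits; "ledledledled on" would overrun cmd */
    printf("unsafe parse: cmd=%s arg=%s\n", c.cmd, c.arg);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               build_shell_command(samples[i], out, sizeof out) ? out : "rejected");
    return 0;
}
```

Two design choices worth noting: `copy_token` rejects rather than truncates, because a silently shortened argument can turn into a different, still valid value; and `arg_is_safe` is an allow-list, since a deny-list of the two characters the reply mentions still lets `;`, `|`, `$(...)` and quoting through to whatever shell the Linux side runs.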

Thanks for the tips, these make sense and should help indeed.

I worry that there's still some knowledge out there about other weaknesses detected on all sorts of IoT devices or systems such as a Yún. So I hope this thread (or any other on the forum we should look at) is used to alert us to any kind of security patch or update we should download, or any other measure(s) we should take, in order to keep your Yún from becoming a bot in future attacks.