One and a half minutes is all it took after plugging in an internet-connected security camera for the camera be infected with malware.Unlike the average Jane or Joe Doe who would not want their security camera to be immediately infected with malware, Rob Graham, CEO of Errata Security, called it \u201cfun\u201d to watch the infection happen. He tweet-documented his experience.Graham purchased an inexpensive device\u2014this $55 IoT security camera made by JideTech.It supports Universal Plug and Play (UPnP), not a secure feature but easy for non-techies to setup because basically a person plugs a UPnP device in and it works. The average user would not likely do this, but Graham said he isolated the camera from his home network by setting it up behind a Raspberry Pi router.And just 98 seconds later, Graham\u2019s camera was infected with malware.His security camera ended up with multiple malware infections. Mirai malware was not the first infection; he said it was \u201csomething else similar to it.\u201dIt wasn\u2019t long before the security camera had two active infections, one of those being Mirai. Then he got a good look at how Mirai works. He explained that after the first stage of Mirai got a toehold on the device, it downloaded the full Mirai malware.Mirai, he said, \u201cinfects things via Telnet, not the web.\u201d The malware sends out \u201ca burst of 150 Telnet packets looking for new victims.\u201d It waits a second for any responses before continuing to hunt for new victims.Graham noted, \u201cOn my Mirai-infected camera, Telnet has a hardcoded password so you can reset your changeable web interface password.\u201d At one point, he said, \u201cOne of the infections killed the Telnet daemon and kicked\u201d him off.The next day he added a command that can be run so you don\u2019t get locked out of your Mirai-infected device.If you plan on buying someone an IoT security camera, or you receive one as a gift for the upcoming holidays, please do try to set it up correctly, since an infection can occur crazy-fast\u2014within 98 seconds! No one, except maybe some security researchers, would want their IoT device to become part of a DDoS botnet.Although changing the default password before connecting an IoT device to the internet is frequently advised, Graham said that would not help in the case of his Mirai-infected camera.The correct mitigation, Graham said, is to \u201cput these devices behind your firewall\u201d because \u201cmany of the Mirai passwords can\u2019t be changed.\u201dZ-Wave certified devices to be \u2018hacker-proof\u2019While it certainly won\u2019t resolve all IoT security issues, the Z-Wave Alliance did announce mandating \u201chacker-proof security on their smart devices.\u201d That\u2019s a bold claim made in an email about the announcement. However, it\u2019s a step in the right direction to reduce security and privacy risks. All smart devices with Z-Wave that are certified after April 2, 2017, will be required to meet specific security requirements.Certified Z-Wave devices will have to include a new security framework, dubbed S2. The Z-Wave Alliance said:[S2] completely removes the risk of devices being hacked while they are included in the network. By using a QR or pin-code on the device itself, the devices are uniquely authenticated to the network as well. Common hacks such as man in the middle and brute force are virtually powerless against the S2 framework through the implementation of the industry-wide accepted secure key exchange using Elliptic Curve Diffie-Hellman (ECDH). Finally, Z-Wave also strengthened its cloud communication, enabling the tunneling of all Z-Wave over IP (Z\/IP) traffic through a secure TLS 1.1 tunnel, removing vulnerability.