Over the weekend, a code was reportedly employed on a large number of Internet of Things (IoT) connected devices to form a botnet. The botnet was then deployed to attack websites with a distributed denial of service (DDoS) attack.
The source code was then released by its author. The malware, named ‘Mirai’, is a DDoS Trojan and targets Linux systems and, in particular, IoT devices.
The author of the Mirai DDoS Trojan, which was used to attack Brian Krebs’ website on September 20, has published the source code of his malware following intense pressure from security researchers. The attack was described by KrebsOnSecurity.com as “an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline.” The website reports that the attack on their site was unsuccessful.
Commenting on the DDoS attack, Stephen Gates, chief research intelligence analyst at NSFOCUS: “Why do many IoT devices use default passwords? Simple; when manufacturers build this type of technology they make it as ‘user-friendly’ as possible. Just plug it in and often it works. The real intention of the decision to ship every device with the same username/password is primarily to reduce customer support calls; which costs manufacturers money. Most of these IoT devices ship with the username of ‘admin’ and the password is the word ‘password’.
Simply entering admin/password gets you in. Some vendors may use different default combinations, but once you know what vendor does what, it’s easy from there. If people don’t change the password when the device is installed, it will continue to use the factory default of ‘password’ in many cases.
“The solution to this is simple,” said Gates. “Manufacturers must do a better job of either insuring that each device has a unique default password, or they must force users to change the password once the default is entered, when the device is first installed. One way of ensuring that each device has a unique password is to etch the devices’ default username and password on the unit itself. Even if a user did not change the default password, a hacker would have to gain physical access to the unit to determine its default username/password combination. This would go a long way to solving that problem if every device shipped with a different combination of login credentials.”
“If this problem is not solved on a global scale, Mr. Krebs is correct. Soon we may see DDoS attacks that are capable of taking down major portions of the internet, as well as causing brownouts, creating intolerable latency, or making the Internet unusable. This is all collateral damage caused by a failure of good judgement by using the same factory default passwords on IoT devices in the first place.”
Reiner Kappenberger, global product manager at HPE Security – Data Security, added, “The IoT space has become a hot market where companies need to enter quickly with functionality to be considered leading the space. However, with that approach where functionality is the leading indicator comes the risk that security measurements are pushed to the back of the development cycle and frequently then dropped in order to release a product. While some of these are easy to fix the problem can lead to new entrants into the market running out of business due to security not taking an equal position to features during development.
“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area and why we see breaches in the IoT space rising. Companies rush product to market that have been developed by teams that are solely focusing on functionality. They use protocols and tools that have not been thoroughly vetted from a security standpoint as the small amount of storage in those devices poses limitations to the software elements they can use.
Companies entering this space need to think about longer term impact of their devices. Typically computers have a lifespan of a few years. However IoT devices may be around for 10+ years before being replaced – especially in home networks. Companies working in this market need to consider this fact as over the years we have seen a constant flood of vulnerabilities in the tools being used and those systems need to be updated to patch those security flaws. As shown by this latest development, this is a broad problem that manifests itself on many IoT devices with extremely damaging results,” he continued.
“Consumers that venture into the IoT space should identify the security measurements that have been taken to secure the device and ask about the long term support for the product. A breach in the IoT device can easily move to other systems – i.e. the home computer – and attackers would then be able to steal valuable personal information such as bank account information and credentials as they are now behind any firewall that the user might have and the whole home network usually is unprotected in home environments. People still take home network security to lightly and should take broader measures to secure themselves.
“For those manufacturing devices they should consider approaches like a data-centric security approach that helps prevent data leakage and access – in order to protect their customers properly. Innovative technologies such as industry-standard format-preserving encryption can protect data, at the data level, in the IoT mobile applications, in connected devices and in the enterprise back-end systems.
And while this research looked at consumer/home networks, there are parallels to the widespread use of connected devices throughout the enterprise so it’s incumbent on all types of technology consumers to take control of their security,” said Kappenberger.
