According to some estimates, the Mirai malware has now infected almost half a million Internet of Things (IoT) devices worldwide, more than doubling the impact of the original Mirai botnet. This is not down to a lack of technology, say experts, but to negligence and stupidity.
As Jeremy Cowan reports for IoT Now, the Linux Trojan backdoor had been targeting IoT devices including routers, digital video recorders, WebIP cameras, and other embedded Linux devices.
Then the news broke on October 3 that the source code for the IoT botnet had been released. (See our report: Hacker releases source code of Mirai DDoS Trojan after targeting the IoT this weekend). As many predicted, the source code has since been used by criminals to create their own versions of the malware in order to infect other devices. (Also see: Users of RATtrap said to have been ‘protected’ from recent Mirai IoT botnet attack.)
Cesare Garlati, chief security strategist at the prpl Foundation told IoT Now: “The new data confirms the importance of securing IoT devices to prevent massive DDoS (distributed denial of service) attacks. It also confirms the low level of sophistication of the exploit; mainly common/default user ID and passwords.”
Negligence or plain stupidity
“I am afraid advanced hardware security technology can do nothing to protect from negligence or plain stupidity,” said Garlati. “This is an area where regulators should play a role and, for example, ban the sale of any connected devices that ship with standard/default/no passwords. In addition, regulators may force ISPs (internet service providers) to temporarily block IP addresses known from being part of active botnets/DDoS – i.e. the ones detected by Level 3.”
“In the end, this is no different than stopping a vehicle with broken tail lights to prevent accidents on a highway. There is no need for new technology to block this kind of unsophisticated attacks, just a good dose of common sense,” Garlati insisted.
Ryan Lester, director of IoT Strategy at Xively by LogMeIn, commented: “This incident further reinforces the need for rigorous assessment of security implications at the outset of any Internet of Things project. The Internet of Things comes with a whole new set of security challenges and product companies must ensure that security is purpose-built for the IoT and that it is entrenched in every aspect – infrastructure, apps, connections, etc.”
“Product companies also need to avoid security shortcuts, such as embedded private keys and weak authentication, which can speed up the development phase but can be quite risky and negatively affect consumer confidence in the long term. A thorough evaluation of the security implications will ultimately save time and cost of flaws discovered down the road. The consequences of which can be financially debilitating and long-lasting,” said Lester.
Passwords left at factory defaults
Sean Newman, director at Corero Network Security: “It’s kind of understandable that passwords protecting the majority of network enabled consumer devices get left at their factory defaults, as end-users often lack the awareness or confidence to change them – in these cases, manufacturers need to start taking more proactive measures to help ensure users are aware and making it simple for them to update passwords without fear of rendering the devices unusable.”
“However, when it comes to commercial equipment, there is simply no excuse for IT professionals and installers of such equipment to leave devices in their default security state,” said Newman. “Even for the simplest of devices which require any kind of configuration, there will be password controlled access which should be updated.”
A stake in the ground
As the first high-profile DDoS attack on the Internet of Things infrastructure, last month’s DDoS attack on Dyn which affected the likes of Netflix, Starbucks and Twitter has become a stake in the ground for the evolution of cyber attacks. So says Robin Kent, director of European operations, Adax.
“In light of this step change, service providers need to ensure that they secure this infrastructure, as the consequences of it being breached could lead to multiple lawsuits from the companies that will, no doubt, have minimum service uptime agreements with them that would have been exceeded during such an attack.”
“(October’s) DDoS attack should not be a surprise, it’s what we’ve all been warned could happen,” said Kent, “but the question must now be asked; how can operators secure the internet of things (IoT) to prevent other attacks?”
“This attack appears to be the first that has come from mobile devices rather than a robot on a desktop, proving that the more devices are digitally connecting, the more attack vectors there are. This really is a wake-up call in the advancement towards IoT, as it highlights the ease at which smart devices can be hijacked. Most IoT networks are proprietary or private, meaning that the only way to standardise them is to ensure that they become part of the core network. However, in doing so, network operators need to ensure that each new connection is authenticated before it connects to the core.”
Security now in the spotlight
“IoT security is now under greater scrutiny than ever before as the phenomenon begins to take off. Network operators should be taking it upon themselves to set their own security measures to ensure the capabilities of IoT can be recognised and embraced. Having a reliable Stream Control Transmission Protocol (SCTP) solution will be crucial in ensuring operators can authenticate the hundreds of connections entering the core network,” Kent concluded.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow