Hacker releases source code of Mirai DDoS Trojan after targeting the IoT this weekend

Over the weekend, a code was reportedly employed on a large number of Internet of Things (IoT) connected devices to form a botnet. The botnet was then deployed to attack websites with a distributed denial of service (DDoS) attack.

The source code was then released by its author. The malware, named ‘Mirai’, is a DDoS Trojan and targets Linux systems and, in particular, IoT devices.

The author of the Mirai DDoS Trojan, which was used to attack Brian Krebs’ website on September 20, has published the source code of his malware following intense pressure from security researchers. The attack was described by KrebsOnSecurity.com as “an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline.” The website reports that the attack on their site was unsuccessful.

Commenting on the DDoS attack, Stephen Gates, chief research intelligence analyst at NSFOCUS: “Why do many IoT devices use default passwords? Simple; when manufacturers build this type of technology they make it as ‘user-friendly’ as possible. Just plug it in and often it works. The real intention of the decision to ship every device with the same username/password is primarily to reduce customer support calls; which costs manufacturers money. Most of these IoT devices ship with the username of ‘admin’ and the password is the word ‘password’.

Stephen Gates, chief research intelligence analyst at NSFOCUS
Stephen Gates, chief research intelligence analyst at NSFOCUS

Simply entering admin/password gets you in. Some vendors may use different default combinations, but once you know what vendor does what, it’s easy from there. If people don’t change the password when the device is installed, it will continue to use the factory default of ‘password’ in many cases.

“The solution to this is simple,” said Gates. “Manufacturers must do a better job of either insuring that each device has a unique default password, or they must force users to change the password once the default is entered, when the device is first installed. One way of ensuring that each device has a unique password is to etch the devices’ default username and password on the unit itself. Even if a user did not change the default password, a hacker would have to gain physical access to the unit to determine its default username/password combination. This would go a long way to solving that problem if every device shipped with a different combination of login credentials.”

“If this problem is not solved on a global scale, Mr. Krebs is correct. Soon we may see DDoS attacks that are capable of taking down major portions of the internet, as well as causing brownouts, creating intolerable latency, or making the Internet unusable. This is all collateral damage caused by a failure of good judgement by using the same factory default passwords on IoT devices in the first place.”

Reiner Kappenberger, global product manager at HPE Security – Data Security, added, “The IoT space has become a hot market where companies need to enter quickly with functionality to be considered leading the space. However, with that approach where functionality is the leading indicator comes the risk that security measurements are pushed to the back of the development cycle and frequently then dropped in order to release a product. While some of these are easy to fix the problem can lead to new entrants into the market running out of business due to security not taking an equal position to features during development.

“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area and why we see breaches in the IoT space rising. Companies rush product to market that have been developed by teams that are solely focusing on functionality. They use protocols and tools that have not been thoroughly vetted from a security standpoint as the small amount of storage in those devices poses limitations to the software elements they can use.

Companies entering this space need to think about longer term impact of their devices. Typically computers have a lifespan of a few years. However IoT devices may be around for 10+ years before being replaced – especially in home networks. Companies working in this market need to consider this fact as over the years we have seen a constant flood of vulnerabilities in the tools being used and those systems need to be updated to patch those security flaws. As shown by this latest development, this is a broad problem that manifests itself on many IoT devices with extremely damaging results,” he continued.

Reiner Kappenberger, global product manager at HPE Security - Data Security
Reiner Kappenberger, global product manager at HPE Security – Data Security

“Consumers that venture into the IoT space should identify the security measurements that have been taken to secure the device and ask about the long term support for the product. A breach in the IoT device can easily move to other systems – i.e. the home computer – and attackers would then be able to steal valuable personal information such as bank account information and credentials as they are now behind any firewall that the user might have and the whole home network usually is unprotected in home environments. People still take home network security to lightly and should take broader measures to secure themselves.

“For those manufacturing devices they should consider approaches like a data-centric security approach that helps prevent data leakage and access – in order to protect their customers properly. Innovative technologies such as industry-standard format-preserving encryption can protect data, at the data level, in the IoT mobile applications, in connected devices and in the enterprise back-end systems.

And while this research looked at consumer/home networks, there are parallels to the widespread use of connected devices throughout the enterprise so it’s incumbent on all types of technology consumers to take control of their security,” said Kappenberger.

Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

5G to generate 77% of global operator revenue by 2026

Posted on: December 1, 2021

Hampshire, UK. 30th November 2021 – A new study from Juniper Research has found that revenue generated from 5G services will reach $600 billion (€530.34 billion) by 2026; representing 77% of global operator-billed revenue. It found that the adoption of 5G services across consumer and IoT sectors has been driven by a strong uptake of 5G-capable devices, coupled

Read more

IoT CMP vendors add eSIM management capabilities to simplify logistics and localise connectivity

Posted on: December 1, 2021

Gothenburg, Sweden. 30 November 2021 – Berg Insight, the IoT market research provider, released new findings about the market for IoT connectivity management platforms (CMPs), a standard component in the value proposition from mobile operators and IoT MVNOs around the world. Recent developments in the domains of network virtualisation, SIM technology and LPWA networking are

Read more