Security experts call for end to ‘stupidity’ in fight with hackers as Mirai code broadens IoT attacks

Protect against negligence and stupidity, said Garlati

According to some estimates, the Mirai malware has now infected almost half a million Internet of Things (IoT) devices worldwide, more than doubling the impact of the original Mirai botnet. This is not down to a lack of technology, say experts, but to negligence and stupidity.

As Jeremy Cowan reports for IoT Now, the Linux Trojan backdoor had been targeting IoT devices including routers, digital video recorders, WebIP cameras, and other embedded Linux devices.

Then the news broke on October 3 that the source code for the IoT botnet had been released. (See our report: Hacker releases source code of Mirai DDoS Trojan after targeting the IoT this weekend). As many predicted, the source code has since been used by criminals to create their own versions of the malware in order to infect other devices. (Also see: Users of RATtrap said to have been ‘protected’ from recent Mirai IoT botnet attack.)

Cesare Garlati, chief security strategist at the prpl Foundation told IoT Now: “The new data confirms the importance of securing IoT devices to prevent massive DDoS (distributed denial of service) attacks. It also confirms the low level of sophistication of the exploit; mainly common/default user ID and passwords.”

Negligence or plain stupidity

“I am afraid advanced hardware security technology can do nothing to protect from negligence or plain stupidity,” said Garlati. “This is an area where regulators should play a role and, for example, ban the sale of any connected devices that ship with standard/default/no passwords. In addition, regulators may force ISPs (internet service providers) to temporarily block IP addresses known from being part of active botnets/DDoS – i.e. the ones detected by Level 3.”

“In the end, this is no different than stopping a vehicle with broken tail lights to prevent accidents on a highway. There is no need for new technology to block this kind of unsophisticated attacks, just a good dose of common sense,” Garlati insisted.

Ryan Lester
Ryan Lester

Ryan Lester, director of IoT Strategy at Xively by LogMeIn, commented: “This incident further reinforces the need for rigorous assessment of security implications at the outset of any Internet of Things project. The Internet of Things comes with a whole new set of security challenges and product companies must ensure that security is purpose-built for the IoT and that it is entrenched in every aspect – infrastructure, apps, connections, etc.”

“Product companies also need to avoid security shortcuts, such as embedded private keys and weak authentication, which can speed up the development phase but can be quite risky and negatively affect consumer confidence in the long term. A thorough evaluation of the security implications will ultimately save time and cost of flaws discovered down the road. The consequences of which can be financially debilitating and long-lasting,” said Lester.

Passwords left at factory defaults

Sean Newman, director at Corero Network Security: “It’s kind of understandable that passwords protecting the majority of network enabled consumer devices get left at their factory defaults, as end-users often lack the awareness or confidence to change them – in these cases, manufacturers need to start taking more proactive measures to help ensure users are aware and making it simple for them to update passwords without fear of rendering the devices unusable.”

DDoS.Corero_image.11.16“However, when it comes to commercial equipment, there is simply no excuse for IT professionals and installers of such equipment to leave devices in their default security state,” said Newman. “Even for the simplest of devices which require any kind of configuration, there will be password controlled access which should be updated.”

A stake in the ground

As the first high-profile DDoS attack on the Internet of Things infrastructure, last month’s DDoS attack on Dyn which affected the likes of Netflix, Starbucks and Twitter has become a stake in the ground for the evolution of cyber attacks. So says Robin Kent, director of European operations, Adax.

“In light of this step change, service providers need to ensure that they secure this infrastructure, as the consequences of it being breached could lead to multiple lawsuits from the companies that will, no doubt, have minimum service uptime agreements with them that would have been exceeded during such an attack.”

Robin Kent of Adax
Robin Kent of Adax

“(October’s) DDoS attack should not be a surprise, it’s what we’ve all been warned could happen,” said Kent, “but the question must now be asked; how can operators secure the internet of things (IoT) to prevent other attacks?”

“This attack appears to be the first that has come from mobile devices rather than a robot on a desktop, proving that the more devices are digitally connecting, the more attack vectors there are. This really is a wake-up call in the advancement towards IoT, as it highlights the ease at which smart devices can be hijacked. Most IoT networks are proprietary or private, meaning that the only way to standardise them is to ensure that they become part of the core network. However, in doing so, network operators need to ensure that each new connection is authenticated before it connects to the core.”

Security now in the spotlight

“IoT security is now under greater scrutiny than ever before as the phenomenon begins to take off. Network operators should be taking it upon themselves to set their own security measures to ensure the capabilities of IoT can be recognised and embraced. Having a reliable Stream Control Transmission Protocol (SCTP) solution will be crucial in ensuring operators can authenticate the hundreds of connections entering the core network,” Kent concluded.

Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow



Aeris to acquire IoT business from Ericsson

Posted on: December 8, 2022

Ericsson and Aeris Communications, a provider of Internet of Things (IoT) solutions based in San Jose, California, have signed an agreement for the transfer of Ericsson’s IoT Accelerator and Connected Vehicle Cloud businesses.

Read more

Telenor IoT passes milestone of 20mn SIM cards

Posted on: December 8, 2022

Telenor, the global IoT provider and telecom operator, has experienced rapid growth over the last years and ranks among the top 3 IoT operators in Europe and among the top IoT operators in the world. The positive development is due to an accelerated pace of new customers combined with a successful growth of existing customers’

Read more

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more