Source code that can be used to create massive, IoT-based distributed denial-of-service attacks is now in the wild, and every end-user and enterprise has cause for serious concern. Security researcher Brian Krebs's website was hit last month with a DDoS attack that employed the malicious code, which is named Mirai, as he writes:
The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.
The Hackforums user who released the code, using the nickname “Anna-senpai,” told forum members the source code was being released in response to increased scrutiny from the security industry.
“When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.
Krebs predicts that Mirai's release will lead to a wave of DDoS attacks that in aggregate could significantly slow down Internet traffic. And Mirai is but one of a number of IoT botnets at work today.
Analysis: IoT Exuberance Must Give Way to Security Sanity
The matter of IoT security has been a crucial oversight by the tech industry, and something needs to change, says Constellation Research VP and principal analyst Steve Wilson.
"What's happening is we have this connectivity fetish, a religious belief that networking brings goodness, and it's blinding us to fundamental security priciples like 'least privilege' and the need to know," says Wilson, who leads Constellation's research into security and privacy. "It's absolutely basic: You must grant systems the minimum access they need to do their job, and you must not make information available to any agent or actor beyond what they need."
"But no, IoT designers have taken leave of their senses," Wilson adds. "They make IoT devices with open public interfaces (APIs). We give these devices public networking standards like WiFi and Bluetooth but we've given them no access controls or privileges management. You don't need to 'hack' these sorts of systems; they are designed to have strangers hook onto them and send them commands."
"Designers need to be a whole lot more conscious of the risks of making computers available in the form of IoT connected devices," Wilson says. "We've been watching the ingenuity of cybercriminals evolve now for several generations, yet the default attitute of designers is still 'it will never happen to me and my products.' We know that if there is compouting resource available to criminals, they will exploit it. The superconnecting IoT is a gift to organised crime."
Read more of Wilson's writing on IoT security here and here.
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.