At this point we’ve all heard about the Mirai malware that has already set its sights on vulnerable IoT (Internet of Things) devices. The bad guys are targeting smart devices such as cameras, smart meters, medical devices, sensors, routers, security systems, baby monitors, DVRs, satellite antennas, doorbells, refrigerators, espresso machines, electronic photo frames, humidifiers, pet collars, motion detectors, lawnmowers, aquarium monitors, and so much more. The malware is hijacking the devices and commanding them to perform smaller attacks that amplify the overall effect. But let’s take a step back. It all started when Brian Krebs’ Website, a site that focuses on security news and analysis, was sent a flurry of messages only to become the victim of a DDoS (distributed denial-of-service) attack, which was subsequently revealed as “Mirai.”
This attack shouldn’t be all that surprising. And if you are surprised, then you haven’t been paying much attention to what we have been saying for the past few years, as more and more home, office, and health and fitness devices contain a growing number of Internet-connected gadgets with little to no security. These cyber bad guys have been waiting in the weeds for the perfect opportunity to take action to create as much havoc as possible. Now, the real question we should be asking is: Is this just the beginning of more DDoS attacks? While this initial attack has proven to be alarming, the attack has not been as disruptive as it could be, which means these nefarious characters have more in store and we have yet to see what their ultimate plan is. And unless we take them seriously and plan accordingly, we could be in for a much larger hack that makes Yahoo’s hack look like child’s play.
Just yesterday, Akamai Technologies, www.akamai.com, a network security provider, issued a report that confirms hackers have been spending months manipulating as many as millions of connected IoT devices in homes and businesses to access stolen usernames and passwords in an attempt to infiltrate Websites, otherwise known as credential stuffing campaigns. While this vulnerability has been reported before, it has only recently resurfaced due to the massive increase in connected devices, as attackers seek out the most vulnerable default configurations of Internet-connected devices, according to Akamai.
The report goes on to say that it has confirmed and validated the feasibility of this severe abuse-case in its lab environment, and believes these malicious users will continue to actively exploit this to penetrate private networks.
This is not to push the panic button; it’s to open the eyes of everyone who is building, investing in, and developing IoT devices. For instance, even a threat from hackers proved to be too much for Johnson & Johnson, which warned diabetes patients and doctors that one of its insulin pumps could be a target of cyber hackers. Cyber criminals are now attacking everyday household items that contain an IP address, regardless of their purpose.
It’s important to understand that experts say malware like this spreads by “bruteforcing” telnet servers that are using any one of more than 60 insecure passwords. Once logged in, the malware wreaks havoc within the system, resulting in the actual, legitimate user being locked out of his or her own device. Devices then become “bots,” which follow commands from a central server. When asked, bots launch DDoS attacks on intended targets.
By relentlessly scanning the Internet for vulnerable IoT systems, Mirai infects devices that use ill-advised user name and password combinations like admin/admin, admin/password, and guest/12345. Unfortunately, IoT devices such as IP security cameras, DVRs, smart refrigerators, routers, and many others often come with default passwords that are set—not by the users themselves—but by the device manufacturers. Therefore, even those users who follow best practices for setting user names and passwords in other situations may have vulnerable IoT systems in their homes.
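The credential guessing described above leaves a recognizable trail in login logs. The following Python example is an added illustration, not code from the original article or from Akamai; it flags sources that try several distinct user name and password pairs against one device in a short window, and any successful login that used a factory default. The log format, threshold, window, device names, and IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default pairs named in the article (it says more than 60 are in use).
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "password"), ("guest", "12345")}
WINDOW = timedelta(seconds=60)  # assumed sliding window
MIN_DISTINCT = 3                # assumed threshold of distinct pairs tried

# Constructed honeypot-style log (hypothetical format, documentation IPs):
# timestamp  source-ip  device  username  password  result
SAMPLE_LOG = """\
2016-10-12T03:14:01 203.0.113.7 cam-01 admin admin FAIL
2016-10-12T03:14:02 203.0.113.7 cam-01 admin password FAIL
2016-10-12T03:14:04 203.0.113.7 cam-01 guest 12345 OK
2016-10-12T03:15:10 203.0.113.7 dvr-02 admin admin OK
2016-10-12T08:30:00 192.0.2.10 cam-01 alice S3cure!pass FAIL
2016-10-12T08:30:20 192.0.2.10 cam-01 alice S3cure!pass1 OK
"""

def parse(line):
    """Split one whitespace-separated record (fields contain no spaces)."""
    ts, src, device, user, pw, result = line.split()
    return datetime.fromisoformat(ts), src, device, user, pw, result == "OK"

def analyze(log_text):
    """Return sorted (finding, source, device) tuples for the given log."""
    attempts = defaultdict(list)  # (src, device) -> [(time, (user, pw))]
    findings = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, device, user, pw, ok = parse(line)
        key = (src, device)
        # Keep only this source's attempts that fall inside the window.
        recent = [(t, c) for t, c in attempts[key] if ts - t <= WINDOW]
        recent.append((ts, (user, pw)))
        attempts[key] = recent
        # Many different pairs in quick succession: dictionary guessing.
        if len({c for _, c in recent}) >= MIN_DISTINCT:
            findings.add(("credential-guessing", src, device))
        # A default pair that works means the device still has factory settings.
        if ok and (user, pw) in DEFAULT_PAIRS:
            findings.add(("default-login", src, device))
    return sorted(findings)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

A legitimate user who mistypes a password once, like the second source in the sample, stays below the threshold and is not flagged.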
In a nauseating Mirai plot twist, a user called “Anna-senpai” publicly released the malware’s source code in a popular forum for hackers. Now, it seems Mirai may have a lot of wind left in its sails as more black hats may attempt to use the code to create new botnets by spreading the malware to even more hackable IoT devices.
While malware code “dumping” may seem to be a friendly gesture from one criminal to a group of others, it’s more likely a save-my-skin move by “Anna-senpai.” Now that Mirai has done damage and attracted a good bit of attention, its creator doesn’t want to be discovered in sole possession of the source code.
With estimates about the number of IoT devices in the billions by the end of the decade, security is one hurdle the entire industry—from manufacturer to consumer and every link of the chain in between—needs to consider. If devices are going to be connected to the Internet, they should be connected securely or not at all. This raises a bigger issue: perhaps it’s time we really address the vulnerability of all our connected devices. The bad guys are sending a very strong message and the risks grow exponentially every time a new device is connected. It’s just a matter of whether we are listening to what all these devices really have to say.