View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 3, 2016updated 04 Oct 2016 10:21am

Mirai DDoS Trojan which hit KrebsOnSecurity highlights IoT industry’s security failings

Manufacturers prioritise functionality, not security.

By Ellie Burns

The IoT botnet used to attack renowned security blog KrebsOnSecurity, has been named as the Mirai DDoS Trojan.

The source code that powers the IoT botnet was released on Friday 30 September on the hacking community Hackforums, with Brian Krebs warning that the public release of the malware as ‘virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”

The malware spreads to vulnerable devices by continuously scanning the internet for IoT systems protected by factory default or hard-coded passwords and usernames.

Confirmed as the cause of the 620 Gbps DDoS attack on KrebsOnSecurity, the malware highlights a major flaw in design and thinking of current IoT devices. The lack of standards, guidance and regulation in today’s IoT market means security is little more than an afterthought, whereby functionality and speed to market dominate development.

 

KrebsOnSecurity - A renowned security blog written by Brian Krebs

KrebsOnSecurity – A renowned security blog written by Brian Krebs

 

“The IoT space has become a hot market where companies need to enter quickly with functionality to be considered leading the space. However with that approach where functionality is the leading indicator comes the risk that security measurements are pushed to the back of the development cycle and frequently then dropped in order to release a product,”said Reiner Kappenberger, global product manager at HPE Security – Data Security.

Content from our partners
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate
What to look for in a modern ERP system
How tech leaders can keep energy costs down and meet efficiency goals

“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area and why we see breaches in the IoT space rising. Companies rush product to market that have been developed by teams that are solely focusing on functionality. They use protocols and tools that have not been thoroughly vetted from a security standpoint as the small amount of storage in those devices poses limitations to the software elements they can use.”

Manufacturers are prioritising user experience over security, a risky approach seeing as IoT devices are connected to other devices such as personal computers which hold sensitive data. The malware has put a specific spotlight on the use of default passwords, often included to ease device setup and get the customer online with the device as soon as possible.

“Why do many IoT devices use default passwords? Simple; when manufacturers build this type of technology they make it as “user-friendly” as possible.  Just plug it in and often it works. The real intention of the decision to ship every device with the same username/password is primarily designed to reduce customer support calls; which costs manufacturers money,” said Stephen Gates, chief research intelligence analyst at NSFOCUS.

Unfortunately, passwords continue to be the weak link in cyber security, and not just when it comes to IoT. Manufacturers need to ensure that the password basics are being delivered to customers – this means unique passwords for every device and a recommendation to users to change the default password as soon as possible.

Ultimately, however, security needs to be included from the outset in IoT design and development, ensuring that equal attention and focus is given both to design and security. If manufacturers continue to place more importance on usability and functionality then IoT attacks are only going to continue to surge.

“If this problem is not solved on a global scale, Mr. Krebs is correct. Soon we may see DDoS attacks that are capable of taking down major portions of the Internet, as well as causing brownouts, creating intolerable latency, or making the Internet unusable,” said Mr Gates.

“This is all collateral damage caused by a failure of good judgement by using the same factory default passwords on IoT devices in the first place.”

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU