The IoT botnet used to attack renowned security blog KrebsOnSecurity has been named as the Mirai DDoS Trojan.
The source code that powers the IoT botnet was released on Friday 30 September on the hacking community Hackforums, with Brian Krebs warning that the public release of the malware is “virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
The malware spreads to vulnerable devices by continuously scanning the internet for IoT systems protected by factory default or hard-coded passwords and usernames.
Confirmed as the cause of the 620 Gbps DDoS attack on KrebsOnSecurity, the malware highlights a major flaw in the design of, and thinking behind, current IoT devices. The lack of standards, guidance and regulation in today’s IoT market means security is little more than an afterthought, while functionality and speed to market dominate development.
“The IoT space has become a hot market where companies need to enter quickly with functionality to be considered leading the space. However with that approach where functionality is the leading indicator comes the risk that security measurements are pushed to the back of the development cycle and frequently then dropped in order to release a product,” said Reiner Kappenberger, global product manager at HPE Security – Data Security.
“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area and why we see breaches in the IoT space rising. Companies rush product to market that have been developed by teams that are solely focusing on functionality. They use protocols and tools that have not been thoroughly vetted from a security standpoint as the small amount of storage in those devices poses limitations to the software elements they can use.”
Manufacturers are prioritising user experience over security, a risky approach given that IoT devices are connected to other devices, such as personal computers, that hold sensitive data. The malware has put a specific spotlight on the use of default passwords, which are often included to ease device setup and get the customer online with the device as soon as possible.
“Why do many IoT devices use default passwords? Simple; when manufacturers build this type of technology they make it as ‘user-friendly’ as possible. Just plug it in and often it works. The real intention of the decision to ship every device with the same username/password is primarily designed to reduce customer support calls; which costs manufacturers money,” said Stephen Gates, chief research intelligence analyst at NSFOCUS.
Unfortunately, passwords continue to be the weak link in cyber security, and not just when it comes to IoT. Manufacturers need to ensure that the password basics are being delivered to customers – this means unique passwords for every device and a recommendation to users to change the default password as soon as possible.
Ultimately, however, security needs to be included from the outset in IoT design and development, ensuring that equal attention and focus are given to both design and security. If manufacturers continue to place more importance on usability and functionality, then IoT attacks are only going to continue to surge.
“If this problem is not solved on a global scale, Mr. Krebs is correct. Soon we may see DDoS attacks that are capable of taking down major portions of the Internet, as well as causing brownouts, creating intolerable latency, or making the Internet unusable,” said Mr Gates.
“This is all collateral damage caused by a failure of good judgement by using the same factory default passwords on IoT devices in the first place.”