The attack on Dyn, which disrupted service to Twitter, Amazon, PayPal and Spotify, and now the takedown of the entire internet in Liberia: the cyber horror stories experts have been warning about all this time are now a reality. OK, so the Liberian internet story has since been debunked, but could there be truth in it? Could Mirai and others that follow in its wake actually break the internet?
For a quick recap, the Mirai malware, now being dubbed IoT malware, has infected hundreds of millions of devices to create a massive botnet which can be used to facilitate large-scale Distributed Denial of Service (DDoS) attacks on important infrastructure. It managed to do this by exploiting devices that had default or hardcoded passwords shipped from the manufacturer, which meant anyone who had access to those passwords could exploit the device. It was that simple. However, according to Alex Mathews, EMEA technical manager at Positive Technologies, it isn’t even a new problem.
“Our analysis of the Mirai code shows it wasn’t designed especially for Internet of Things,” he said. “The malware’s target is default passwords (admin:admin, root:password), meaning the botnet could actually be made of many different devices, including personal computers, servers and home routers.”
He went on to say that what distinguishes IoT botnets is their higher level of automation.
“With desktop PCs, the infection requires some form of interaction between the user and the malware. With IoT, that step is completely removed. Hackers can discover and penetrate thousands of these vulnerable devices instantly using Shodan or another automatic scanner. And for a common user it’s hard to see if his IoT device is compromised as users aren’t educated to look for the warning signs in such devices as home routers, web-cameras and electricity meters. There is no interface warning: ‘I’m infected’.”
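As an added illustration (not code from the article or from any of the vendors quoted), here is a defender-side audit in Python that flags devices still carrying the default credentials Mathews names, and login records where such an account was used from outside a management network. The inventory record format, the log line format and the 10.0.0.0/8 management range are assumptions made for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Default username:password pairs named in the article; extend from your
# vendors' documentation, the two here are only the pairs quoted above.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "password")}
DEFAULT_USERS = {user for user, _ in DEFAULT_CREDENTIALS}
# Assumption: remote administration is only legitimate from this range.
MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/8")

Finding = namedtuple("Finding", "device reason")

def credential_is_weak(username, password):
    """Known factory default, empty, or password mirroring the username."""
    if (username, password) in DEFAULT_CREDENTIALS:
        return True
    return not password or password.lower() == username.lower()

def audit_inventory(records):
    """records: (device, username, password) tuples, e.g. exported from a
    configuration-management system (record format assumed for this example)."""
    return [Finding(dev, f"weak credential {user}:{pwd}")
            for dev, user, pwd in records if credential_is_weak(user, pwd)]

# Assumed log line format: "<device> login <ok|fail> user=<name> from=<ip>"
LOG_RE = re.compile(r"^(?P<dev>\S+) login (?P<res>ok|fail) user=(?P<user>\S+) from=(?P<ip>\S+)$")

def audit_logs(lines):
    """Flag successful logins to a default account from outside the management
    network: the device was never re-credentialed and is reachable by scanners."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["res"] != "ok" or m["user"] not in DEFAULT_USERS:
            continue
        if ipaddress.ip_address(m["ip"]) not in MANAGEMENT_NET:
            findings.append(Finding(m["dev"], f"default account {m['user']} logged in from {m['ip']}"))
    return findings

# Constructed sample data so the block runs stand-alone.
SAMPLE_INVENTORY = [("cam-01", "admin", "admin"), ("cam-02", "admin", "Tq8!vZ2p"),
                    ("router-01", "root", "password"), ("meter-07", "Admin", "ADMIN")]
SAMPLE_LOGS = ["cam-01 login ok user=admin from=198.51.100.23",
               "cam-02 login fail user=root from=203.0.113.9",
               "router-01 login ok user=root from=10.1.2.3"]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY) + audit_logs(SAMPLE_LOGS):
        print(f.device, "-", f.reason)
```

The inventory check catches the devices a scanner would find first; the log check is the signal a user never sees on the device itself.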
The attacks using the Mirai IoT malware seem to be just the beginning and this notion that users’ devices can be affected without them even knowing is most concerning. Yet, IT Security Guru has received many comments recently about these attacks and most of them have an air of “we told you so” about them.
Cesare Garlati from the not-for-profit prpl Foundation said: “We have been warning about these kinds of attacks for a while. Like any advances in technology, with IoT, there will be a lot done wrong before it is done right.”
He went on to surmise: “If we’re looking at this particular situation optimistically, it’s good that no lives were at stake on this occasion. That said, it’s only a matter of time, so it must be taken seriously and fixed.”
Most of the experts we spoke to, with varying levels of discontent, laid significant responsibility at the feet of manufacturers when it comes to fixing IoT insecurity.
“I’m mad… because it was so unnecessary,” said Lee Munson, security researcher for Comparitech.com. “I mean, who is making all these compromised IoT devices and why are they doing such a poor job of securing them?
“Week after week we see new stories about how networked devices are being compromised, not because the security on them has been cleverly hacked, but because said security was virtually non-existent in the first place.
“If, as a manufacturer, you are going to secure them all with extremely weak default usernames and passwords then you may as well not bother securing them at all.”
One reason for vendors not taking security of connected devices seriously enough was given by Mathews: “Unfortunately, this idea doesn’t fit IoT vendors’ market goals: they advertise simplicity, ‘plug-and-play’ models. Extra security testing and restrictions are not profitable for them.”
Garlati noted that one of the main focuses in fixing the “broken Internet of Things” is having government and regulators step in. He alluded to the FTC’s fining of ASUS and subjecting the company to 20 years of audits. Perhaps with more regulator involvement we can start to see these attitudes change, though he does note that there is a “very fine balance between regulation and preserving innovation which is addressed in the prpl Security Guidance for Critical Areas of Embedded Computing.”
Mathews continued: “Another ideal is to create a comprehensive list of guidelines and regulations specifically detailing IoT security. The ICS security regulations already developed in many countries could be used as a template. There are some steps taken along this path already – such as The Industrial Internet Security Framework (IISF) developed by several big IT industry vendors, published in September. This document considers the Internet of Things as a part of the Industrial Internet.”
For Garlati, one thing is clear: the future security of IoT is a global issue and “a real problem that is only going to get worse if we don’t do anything as an industry now to tackle IoT security, before it’s too late.”