Internet of Scary Things: IoT Hacking Tool Goes Public

Staff Writer

Adding connected Internet of Things (IoT) devices — such as smart TVs, smart-home gadgets, gaming consoles and even Wi-Fi routers — to a home provides plenty of convenience, but without security, it may help create botnet armies that can be used to take down even well-defended websites.

Credit: Alexander Kirch/Shutterstock

Take, for example, Mirai ("future" in Japanese), a piece of Linux botnet malware that infected thousands of unsecured IoT devices and sent a massive wave of bandwidth-hogging data — the largest distributed denial-of-service (DDoS) attack ever recorded — that forced the noted security news site KrebsOnSecurity to go offline for a day last month. A few days later, a French web-hosting company withstood an even bigger IoT-based DDoS attack against its own servers.

While the takedown of a single website may not sound like something that affects you, it nonetheless might. Brian Krebs, the security blogger behind the aforementioned site, reported that the Mirai source code was released to the public Saturday (Oct. 1). As a result, any little twerp who knows his way around modest hacking tools can turn your own webcams, digital video recorders, smart refrigerators and other connected devices into weapons.

According to Krebs, Mirai was released to the underground public on the forum Hackforums. A user named Anna-senpai delivered the tool and announced that Mirai can latch onto "about" 300,000 devices by way of the command-line-based Telnet networking protocol. (It's not clear whether Anna-senpai developed Mirai or just rented it, but the "senpai" honorific title, a snippet of Mirai code called "shinigami" or "death stalker," and the name Mirai itself reference Japanese comics and anime.)

To discover IoT devices online, all you need to do is use a scanning tool such as Shodan, which finds anything connected to the public Internet. Once the devices are located, a hacker can probe each one to see if it responds to factory-default usernames and passwords. If so, and if it runs Linux (as most IoT devices do), then it can be infected with Mirai and used along with thousands of other infected devices in an orchestrated attack on a single target. (Some sources pointed out that Mirai can itself scan for unprotected devices and spread from one to the next.)

Anna-senpai noted in his or her explanation for releasing the Mirai source code that, in the wake of last week's events, some IoT devices are now receiving more protection. Mirai used to be able to pull 380,000 devices into its clutches, Anna-senpai wrote, but now that he or she "made my money," and "there’s lots of eyes looking at IOT now," "it’s time to GTFO," or get the [bleep] out of the game.

Mirai is not the only IoT-device-infecting tool of the trade; its rival Bashlight is reported to have infected more than four times as many targets. But unlike Bashlight, Mirai encrypts its communications with the command-and-control servers a malicious hacker uses to orchestrate DDoS, making it harder to stop. And now that Mirai has been made free to all comers, it is expected to spread rapidly.

"The code is a gift to cybercriminals looking to enter popular market of DDoS as a Service, and it will be interesting to see who takes control over vulnerable IoT devices, because clearly the author of this code is trying to get out," said Thomas Pore, director of IT at network-defender firm Plixer. "IoT devices have been developed without a focus on security and privacy and are an easy target since they are internet-facing, often haphazardly deployed using default credentials and go unpatched (if a patch even exists)."

"The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area, and why we see breaches in the IoT space rising," said Reiner Kappenberger, global product manager at HPE Security. "Companies rush product to market that have been developed by teams that are solely focusing on functionality. ... Companies entering this space need to think about longer-term impact of their devices."

What can I do?

  • Start by making sure your home Wi-Fi router is protected with a username and password of your own making, not one set by the manufacturer.
  • Before buying a smart-home device, find out if you can protect it with a unique login name and password. If it doesn't allow for that, find one that does.
  • Consider using a home network-security appliance, such as the Bitdefender Box or the Cujo, which are designed to protect all devices on a home network from outside intrusion.