The source code for Mirai, the malware behind the botnet that launched a massive attack on the Krebs on Security website — the largest DDoS attack on record — has been released in the wild, according to Brian Krebs, author of the blog.
A hacker who goes by the handle “Anna-senpai,” apparently because of increased scrutiny from the cybersec industry, last week announced the release on Hackforums, Krebs said.
The code release has heightened fears that the Internet of Things will be flooded with attacks from new botnets.
“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area, and why we see breaches in the IoT space rising,” said Reiner Kappenberger, global product manager at HPE Security – Data Security.
Mirai exploits Telnet, a very old protocol that’s incredibly insecure, according to Rod Schultz, VP of product at Rubicon Labs.
Telnet “allows Mirai to jump around from IoT device to IoT device,” he told TechNewsWorld.
Telnet is “legacy, like an appendix,” Schultz said. “It hasn’t worked its way out.”
IoT device makers select a default from a list of 62 that are very insecure, Schultz noted. Mirai tries those passwords against IoT devices until it finds one that accepts it. If the device also runs BusyBox, then Mirai has an in.
Mirai then can send messages on the network. It also can create encrypted traffic, making it “incredibly hard to detect when a message is created,” Schultz said. “Once you can send a message from a device, you can begin to create a DDoS attack.”
The IoT’s Insecurity Saga
The IoT would transform surveillance techniques, David Petraeus, who was then the director of the CIA predicted in 2012.
Stories about hackers accessing baby monitors have surfaced over the years, along with concerns over the vulnerability of Internet-connected toys and smart home appliances.
However, security has taken a back seat to turning out products.
“The IoT space has become a hot market where companies need to enter quickly with functionality to be considered leading the space,” HPE’s Kappenberger told TechNewsWorld. That increases the risk that security measures “are pushed to the back of the development cycle — and frequently then dropped — in order to release a product.”
The explosive growth in the IoT is partly to blame.
About 11 billion devices are connected to the Internet, according to Vernon Turner, IDC senior VP of enterprise systems, told an audience at the IDC Directions conference earlier this year.
That number will increase to 30 billion by 2020 and 80 billion by 2025, he added, and the IoT market will be worth US$1.46 trillion by then.
The rush into the IoT device business means entrants “are thrown into the deep end, having to gain a quick understanding of security engineering in an environment where there are often not enough good security engineers to go around,” said Leidos Chief Engineer Brian Russell, who chairs the Cloud Security Alliance’s IoT Working Group.
Another problem is the current approach to software development.
“The modular and reusable code blocks driving technological innovation … can be stacked to rapidly create new products, but these products also share the same vulnerabilities,” Rubicon’s Schultz pointed out.
“This lack of diversity in the attack surface allows an attack on one technology to be rapidly repurposed toward another, and that’s exactly what we’re seeing with the Mirai IoT botnet,” he explained.
Sharing the Responsibility
Everyone’s responsible for security on IoT devices, according to the CSA’s Russell.
“Consumers need to make themselves smarter on why security is important,” he told TechNewsWorld. “Industry needs to come together and continue to work out guidelines for securing IoT products.”
Consumers are willing to do their bit, suggested Art Swift, president of Prpl, who cited the foundation’s recent smart home security research.The problem is that they don’t know how, he told TechNewsWorld.
“The IoT will never be truly secure,” Russell said, “but we can start to mitigate many of the risks IoT devices will face.”
The point about educating consumers in regards to security is key. If consumers demand a more secure product, security becomes a selling point and security features will no longer fall to the cutting room floor.