A piece of malware called Mirai, which turns insecure Internet of Things (IoT) devices into a botnet, is now freely available online. The botnet it builds can be used to launch DDoS attacks on e-commerce websites, taking those businesses offline. This is a serious risk for e-commerce sites, and could cause chaos over the holiday period. Worst of all? Since the source code was posted publicly last week, security researchers have noticed a marked rise in its use.
Mirai does not exploit a software bug at all. It takes advantage of a configuration weakness that has been understood for years: millions of IoT devices (IP cameras, DVRs, home routers) ship with Telnet or SSH reachable from the internet and protected only by a factory-set username and password. Often, when people buy these devices they never change those factory credentials, so anyone who knows the default can log in.
It is these exposed IoT devices that attackers are enrolling into botnets to launch attacks, including DDoS attacks on e-commerce businesses. The malware has already been used to launch some of the most savage DDoS attacks ever seen. Last week KrebsOnSecurity was hit by a roughly 620 Gbps DDoS attack, and after Akamai withdrew the pro bono protection it had been providing, the site had to move behind Google's Project Shield. That is massive, but is just one example of how DDoS attacks get worse year on year – without fail.
The attack on Krebs isn't the biggest recent attack, either. Since security expert Brian Krebs was attacked last week, an even bigger attack has hit the French web host OVH. That attack peaked at around 1 Tbps, with OVH estimating that the botnet behind it could reach 1.5 Tbps – staggeringly enormous. DDoS attacks of that size are unprecedented, and both have been linked to botnets built with Mirai.
How does it work?
Ryan Barnett, a security researcher at Akamai, has explained the details. His firm noticed that attacks were coming from a huge number of IP addresses. This, coupled with the fact that customers of its content delivery network were being hit with credential stuffing (automated login attempts that replay username and password pairs harvested from earlier breaches), brought the problem to light.
It is believed that those passwords are the spoils of major breaches such as the one at Yahoo. Stolen credentials are routinely sold on underground markets, and they are then tested against other websites because people often reuse the same password across multiple logins. Barnett comments,
‘They were all formatted exactly the same, except that the username and password was different. So we knew that this was probably being controlled by a single entity that was launching these attacks.’
It was the realization that all those IP addresses were being directed by a single operator that led Akamai's team to discover the IoT botnet,
‘Because we were able to see this across all these different customers, we were able to see the same IP addresses hitting multiple websites. When we mapped them back, that’s when we were able to see that these were IoT systems.’
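The two signals Barnett describes (requests that are identical apart from the submitted username and password, and the same source addresses reappearing at several different customers' login pages) can be checked for mechanically. The script below is an added example, not Akamai's tooling or anything from the original article; the log format and the log lines are constructed for the example, and the thresholds are illustrative.

```python
"""Spot a credential-stuffing campaign in web access logs.

Added example: groups login requests by everything except the credential
values (what a single tool keeps constant), then flags groups that come from
many source IPs and whose IPs also show up at more than one site.
Log format and sample lines are constructed for this example.
"""
import shlex
from collections import defaultdict

# Constructed sample: site, source IP, method, path, user agent, POST body ("-" if none).
SAMPLE_LOG = """\
shop-a.example 203.0.113.10 POST /login "Mozilla/5.0 (compatible; loginbot)" user=alice&pass=Summer2016
shop-a.example 203.0.113.11 POST /login "Mozilla/5.0 (compatible; loginbot)" user=bob&pass=hunter2
shop-a.example 198.51.100.7 POST /login "Mozilla/5.0 (compatible; loginbot)" user=carol&pass=letmein
shop-b.example 203.0.113.10 POST /account/login "Mozilla/5.0 (compatible; loginbot)" user=alice&pass=Summer2016
shop-b.example 203.0.113.11 POST /account/login "Mozilla/5.0 (compatible; loginbot)" user=dave&pass=password1
shop-b.example 198.51.100.7 POST /account/login "Mozilla/5.0 (compatible; loginbot)" user=erin&pass=qwerty
shop-a.example 192.0.2.50 POST /login "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0" user=frank&pass=MyRealPass!
shop-a.example 192.0.2.51 GET /products/42 "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0" -
"""


def parse_line(line):
    """Split one constructed log line into its fields; body params become a dict."""
    site, ip, method, path, user_agent, body = shlex.split(line)
    params = {}
    if body != "-":
        params = dict(p.split("=", 1) for p in body.split("&"))
    return {"site": site, "ip": ip, "method": method, "path": path,
            "user_agent": user_agent, "params": params}


def request_shape(req):
    """Everything a stuffing tool keeps constant: method, user agent, and which
    form fields are sent (but not their values, which change per attempt)."""
    return (req["method"], req["user_agent"], tuple(sorted(req["params"])))


def find_campaigns(log_text, min_ips=3, min_sites=2):
    """Return the groups of login requests that look like one coordinated campaign."""
    requests = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_shape = defaultdict(list)
    for req in requests:
        if {"user", "pass"} <= req["params"].keys():   # only login submissions
            by_shape[request_shape(req)].append(req)

    campaigns = []
    for shape, group in by_shape.items():
        ips = {r["ip"] for r in group}
        creds = {(r["params"]["user"], r["params"]["pass"]) for r in group}
        sites_per_ip = defaultdict(set)
        for r in group:
            sites_per_ip[r["ip"]].add(r["site"])
        # Addresses that hit several customers' login pages with the same tool.
        roaming = {ip for ip, sites in sites_per_ip.items() if len(sites) >= min_sites}
        if len(ips) >= min_ips and len(creds) > 1 and roaming:
            campaigns.append({
                "user_agent": shape[1],
                "attempts": len(group),
                "ips": sorted(ips),
                "roaming_ips": sorted(roaming),
                "sites": sorted({r["site"] for r in group}),
            })
    return campaigns


if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_LOG):
        print(f"{c['attempts']} attempts from {len(c['ips'])} IPs across {c['sites']}: {c['roaming_ips']}")
```

Run against the sample, the script flags the six "loginbot" submissions (three addresses, each trying logins at both shops) and leaves Frank's single Firefox login alone. On real logs the cross-site signal is the valuable one: a single site cannot see it, which is why a CDN with many customers noticed the botnet first.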
Barnett has gone on to explain that the problem itself can be traced back to security flaws in the IoT products that are being exploited by Mirai.
Firstly, IoT products often ship with a factory login such as admin/admin or root/xc3511, reachable over Telnet. Mirai carries a list of about 60 such username and password pairs and tries them against every device it finds; a device still using one of them is enrolled in the botnet as soon as it is scanned.
The discovery is further evidence that IoT products need to be managed more effectively. Barnett's team says that manufacturers must be forced to make IoT consumers change those settings before the product will work at all. Shared default credentials must be abolished in favor of a compulsory initial setup procedure.
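To see why a factory password is all Mirai needs, here is an added example (not Mirai's code, and not from the article) that does what its scanner does at the login step: connect to a device's Telnet port and walk a credential list until one is accepted. The Telnet "device" is a constructed stand-in, a small socket server imitating a BusyBox login prompt, so the whole thing runs offline against itself; the credential list is a subset of the pairs found in the leaked Mirai source. Point the audit only at devices you own or are authorised to test.

```python
"""Mirai-style default-credential audit over Telnet, against a fake device.

Added example.  MIRAI_CREDENTIALS is a subset of the dictionary in the leaked
Mirai scanner; FakeTelnetDevice is a constructed stand-in for an embedded
Linux box so the demo runs offline.
"""
import socket
import socketserver
import threading

# Subset of the username/password pairs the leaked Mirai scanner tries.
MIRAI_CREDENTIALS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("user", "user"),
]


class _LoginHandler(socketserver.StreamRequestHandler):
    """One Telnet session: prompt, check the pair, give a shell prompt or refuse."""
    def handle(self):
        self.wfile.write(b"\r\nlogin: ")
        user = self.rfile.readline().strip().decode(errors="replace")
        self.wfile.write(b"Password: ")
        password = self.rfile.readline().strip().decode(errors="replace")
        if (user, password) == self.server.valid:
            self.wfile.write(b"\r\nBusyBox v1.16.1 built-in shell (ash)\r\n# ")
        else:
            self.wfile.write(b"\r\nLogin incorrect\r\n")


class FakeTelnetDevice(socketserver.ThreadingTCPServer):
    """Constructed stand-in for an IoT device that accepts exactly one credential."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, valid_user, valid_password):
        self.valid = (valid_user, valid_password)
        super().__init__(("127.0.0.1", 0), _LoginHandler)   # port 0: pick a free port


def _read_until(sock, markers, limit=4096):
    """Read until one of the byte markers shows up, the peer closes, or limit is hit."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
        if any(m in buf for m in markers):
            break
    return buf


def try_login(host, port, user, password, timeout=2.0):
    """True if the Telnet service drops us at a shell prompt after this pair."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, [b"login:"])
        s.sendall(user.encode() + b"\r\n")
        _read_until(s, [b"assword:"])          # matches "Password:" and "password:"
        s.sendall(password.encode() + b"\r\n")
        reply = _read_until(s, [b"# ", b"$ ", b"incorrect", b"login:"])
    return b"# " in reply or b"$ " in reply


def audit_device(host, port, credentials=MIRAI_CREDENTIALS):
    """Return the first default pair the device accepts, or None if it rejects all."""
    for user, password in credentials:
        try:
            if try_login(host, port, user, password):
                return (user, password)
        except OSError:        # connection refused, reset, or timed out: move on
            continue
    return None


def run_demo():
    """Audit a device left on a factory password and one with a unique one."""
    results = {}
    for label, valid in [("vulnerable", ("root", "xc3511")),
                         ("hardened", ("root", "Tq8!vR2mK-unique-per-device"))]:
        server = FakeTelnetDevice(*valid)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            results[label] = audit_device(*server.server_address)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())   # {'vulnerable': ('root', 'xc3511'), 'hardened': None}
```

The "hardened" device survives only because its password is not on the list; it still answers Telnet, which is why the article's point about a compulsory first-boot setup matters more than any single password. A device that refuses to work until a unique credential has been set never appears in results like the first one.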
The second problem is a separate abuse of the same factory credentials. Many devices also run an SSH service with TCP port forwarding left enabled (it is a standard feature of the SSH servers shipped on embedded Linux), so once an attacker logs in with the default password the device can be used as a relay: traffic reaching the target carries the device's address rather than the attacker's. That is what hid the origin of the credential-stuffing traffic Akamai saw. It is distinct from Mirai's own method, which logs in over Telnet and installs a bot that floods targets directly, but the remedy on the device side is the same: change the credentials, and where remote logins are not needed, disable forwarding (`AllowTcpForwarding no` in `sshd_config`) or the service altogether.
Consumers at fault?
The obvious mitigation is for end users of IoT products to change their devices' passwords. The problem, however, is the sheer number of IoT products that have already been sold. That number, combined with a general lapse of security awareness among the world's consumers, spells disaster.
Often people buy IoT products like kettles or thermometers and simply plug and play, without ever checking the manual, never mind changing default passwords. If the IoT device does what the consumer hoped it would, that user is under the illusion that they have no cause for concern.
What Mirai teaches us is that IoT products can be harnessed en masse to carry out attacks on third parties, without their owners ever having a clue that they are involved. With the problem so extensive, and consumers unlikely to suddenly become conscientious, the burden of responsibility has to lie with manufacturers. Only IoT device makers can effectively tackle the problem going forward.
As for the devices already in people's homes that are already being exploited? That problem is here to stay, and if last week's sudden uptake of the Mirai malware is anything to go by, we might be in for quite the bumpy ride this holiday season.