The Internet of Things under attack: Was Mirai just the beginning?
In a recent report, the Institute for Critical Infrastructure Technology (ICIT), a US-based think tank, warns about future threats we face as a result of the increasing number of devices being connected online within the Internet of Things. The report “Rise of The Machines” states that the recent DDoS attacks carried out by a botnet of thousands of machines infected with the Mirai malware were just the beginning of what we’re going to see in the future. Additionally, it calls for stricter regulations of IoT devices.
Mirai, a malware specially designed to target IoT devices, struck for the first time on September 20, 2016, attacking “Krebs on Security”, the blog of investigative journalist Brian Krebs, who is famous for his coverage of cybercriminals. A month later, on October 21st, the malware struck again. The botnet of infected IoT devices carried out various DDoS attacks on services like Twitter, Spotify, GitHub and many more. During such an attack, the co-opted devices typically flood the targeted servers with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The result: if the servers cannot withstand the sheer number of requests, the services they normally host become unreachable.
A third attack by Mirai failed. Well, more or less. Hackers tried to exploit a vulnerability in a router also used by thousands of clients of German telecommunication provider Deutsche Telekom to secretly install the malware and have the machines ready for planned attacks. “Unfortunately”, the hidden installation of the Mirai malware didn’t go as planned: the routers crashed, knocking almost a million Telekom clients offline.
Is Mirai a wake-up call for more IoT security?
The ICIT think tank, however, blames Internet service providers, IoT manufacturers and, last but not least, private users for the increase in attacks carried out by millions of unsecured pieces of hardware connected to the internet. There is already a market on the dark web where cybercriminals trade “ready-to-use” malware, so criminals don’t even need sophisticated programming knowledge to carry out their attacks. The way Mirai gained access was not even very sophisticated. The report states: “Mirai scans a wide range of IP addresses and attempts to gain brute force remote access to under secured IoT devices through a dictionary attack consisting of factory default or generic credentials.”
In other words: it simply tries one combination after another to gain access to a device. Since people are lazy and often use simple combinations like “1234567” or “qwerty” or just common words, Mirai checks these simple combinations first to gain access quickly. Often users don’t even change the default passwords given to them by the hardware vendor. And if that is “0000” or “admin”, then it really is like an invitation for a hack.
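The dictionary attack the report describes can be spotted from the defender's side. The following Python sketch is an added example, not code from the article or the ICIT report: it flags sources that try several distinct weak credential pairs within a short window. The honeypot-style log format, the addresses and the function name are constructed assumptions; the passwords are the ones named in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Weak passwords named in the article; extend with your vendors' factory defaults.
WEAK_PASSWORDS = {"0000", "admin", "1234567", "qwerty"}

# Constructed log format (an assumption): timestamp, source, user, password, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"pass=(?P<pw>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = """\
2016-10-21T10:00:01 src=203.0.113.7 user=admin pass=admin result=fail
2016-10-21T10:00:02 src=203.0.113.7 user=root pass=0000 result=fail
2016-10-21T10:00:03 src=198.51.100.20 user=alice pass=Tr0ub4dor&3 result=fail
2016-10-21T10:00:04 src=203.0.113.7 user=root pass=1234567 result=fail
2016-10-21T10:00:05 src=203.0.113.7 user=admin pass=qwerty result=ok
2016-10-21T10:05:00 src=198.51.100.20 user=alice pass=Tr0ub4dor&4 result=ok
garbage line that does not parse
"""

def find_dictionary_sources(log_text, window=timedelta(seconds=60), min_pairs=3):
    """Return {source: report} for sources that try at least min_pairs distinct
    weak-password credential pairs inside one sliding time window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["pw"] not in WEAK_PASSWORDS:
            continue  # skip unparsable lines and non-dictionary passwords
        attempts[m["src"]].append(
            (datetime.fromisoformat(m["ts"]), (m["user"], m["pw"]), m["result"]))

    findings = {}
    for src, events in attempts.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left
            if len({pair for _, pair, _ in events[start:end + 1]}) >= min_pairs:
                findings[src] = {
                    "distinct_pairs": len({pair for _, pair, _ in events}),
                    # a successful login means a device accepted a weak credential
                    "compromised_with": sorted({p for _, p, r in events if r == "ok"}),
                }
                break
    return findings
```

A non-empty `compromised_with` list is the case that needs action first: the device accepted one of the dictionary credentials and should be reset and given a unique password.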
And what does the report say about the “inventor” of Mirai? “Mirai was likely developed by a skilled, but ultimately inexperienced threat actor. Portions of the code, such as Russian strings defining the “username” and “password” fields were likely copied from other malware. In line jokes and comment references to internet memes indicate that the author is young, immature, and proficient in multiple languages.”
But the report warns: Mirai was just the beginning, the IoT malware is evolving. According to ICIT, the aspects of the malware will likely be adopted to accelerate its next generation capabilities. Right now what they call “script kiddies” are already incorporating new credential libraries into the software. Updated IP ranges, target devices, traffic types and other capabilities might expand its attack potential in the near future. The report warns that the real threat is about to come when advanced programmers start showing an interest in developing the malware into a sophisticated IoT-attack-platform.
Mirai was likely developed by a skilled, but ultimately inexperienced threat actor. […] In line jokes and comment references […] indicate that the author is young, immature, and proficient in multiple languages. Source: “Rise of The Machines/ICITech.org”
The arms race between attackers and their targets is an old story on the Internet. But with the millions of small and new devices that connect to the Internet each day, the sheer amount of potentially hijacked hardware is indeed a reason not to underestimate security requirements within an IoT ecosystem. But ICIT warns against actionism. “In the wake of the impressive Mirai DDoS attacks, a number of panicked cybersecurity professionals and faux experts have promoted rash short term ‘solutions’ […] One such suggestion is the employment of a controllable computer worm capable of infecting the devices vulnerable to Mirai and either removing the malware or disabling the device. […] This solution does not consider the inevitable eventuality that a malicious threat actor will seize control of the worm or that the intended operation of the worm will have very unintended consequences”. Instead, the think tank promotes thinking ahead: “develop actionable incident response plans. As with all varieties of cybersecurity and cyberhygiene, the key to an organization’s survival in an increasingly hostile threat landscape is preparedness and forethought.”
The report suggests that the market alone won’t solve the problem. “National IoT regulation and economic incentives that mandate security-by-design are worthwhile as best practices. For the sake of lasting impact instead of a market shift that avoids the regulations, national regulation seems most appropriate.”
The question remains: Could national regulations alone help to secure an international network? ICIT knows that “regulation on IoT devices by the United States will influence global trends and economies in the IoT space. […] Nonetheless, IoT regulation will have a limited impact on reducing IoT DDoS attacks as the United States government only has limited direct influence on IoT manufacturers and because the United States is not even in the top ten countries from which malicious IoT traffic originates.”
What do you think?
Will stronger regulations in the IoT solve the security problem? Will single nations be able to solve a global issue by installing national regulations? How could hardware vendors make their products more secure and at the same time keep the setup simple for customers? How much are private users to blame? We’re open to your comments! Read the full report at icitech.org.