Experts are warning of a new wave of IoT botnet-based DDoS attacks following two of the biggest ever seen in recent days, after source code for the Mirai malware was released online.
A user going by the moniker “Anna-senpai” leaked the data onto the Hackforums site on Friday, according to KrebsonSecurity, which was taken out by a 620Mbps attack facilitated by Mirai days before.
The malware apparently works by scanning the web for IoT devices which are only protected by factory default or hard-coded credentials. Once identified and infected, they’re co-opted into a botnet which can be directed to launch DDoS attacks at will.
The black hat who released the code claimed to be doing so in response to improved security from the internet community.
“With Mirai, I usually pull max 380k bots from telnet alone,” they claimed. “However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
Stephen Gates, chief research intelligence analyst at NSFOCUS, argued that unless IoT device manufacturers improve security, these kinds of DDoS could take out large parts of the internet and cause crippling brownouts.
“The solution to this is simple. Manufacturers must do a better job of either ensuring that each device has a unique default password, or they must force users to change the password once the default is entered, when the device is first installed,” he argued.
“One way of ensuring that each device has a unique password is to etch the devices’ default username and password on the unit itself. Even if a user did not change the default password, a hacker would have to gain physical access to the unit to determine its default username/password combination. This would go a long way to solving that problem if every device shipped with a different combination of login credentials.”
Reiner Kappenberger, global product manager at HPE Security, added that security is often an afterthought in the race to commercialize products.
“For those manufacturing devices they should consider things like a data-centric security approach that helps prevent data leakage and access – in order to protect their customers properly,” he argued.
“Innovative technologies such as industry-standard format-preserving encryption can protect data, at the data level, in the IoT mobile applications, in connected devices and in the enterprise back-end system.”
Despite the perception amongst manufacturers that consumers favor usability and low cost above security, a recent prpl Foundation report claimed 42% of global consumers would pay a premium for more secure devices. Nearly one third (32%) said security concerns prevent them from buying IoT kit.