Internet of Things bracing for Mirai botnet expansion

October 3, 2016 // 9:51 a.m.

Tags: #botnet #brian-krebs #ddos #denial-of-service #insecurity #internet-of-things #iot #malware #mirai #security #stephen-gates #vulnerability

Security experts are warning of a potential increase in distributed denial of service attacks (DDoS) powered by Internet of Things (IoT) products, from IP cameras to thermostats, following the release of the Mirai botnet source code.

The Internet of Things (IoT), the latest name giving to what is essentially a mixture of machine-to-machine (M2M) communications and adding 'intelligence' in the form of embedded computers to everyday objects, brings plenty of good into people's lives. From being able to unlock your front door with your smartphone or adjust the temperature of your heating system before you even get home, IoT products are designed to make life easier. In their rush to get to market, however, many manufacturers are failing to keep their users secure. Many IoT devices are based on outdated operating systems with known security vulnerabilities running code that has never been properly tested for its robustness, often with default and baked-in username and password combinations; few of these, too, are ever updated by companies.

The potential for malicious misuse of IoT devices, which by their very nature can run code and are connected to the internet, was adeptly proven by the Mirai botnet which has been responsible for some of the largest distributed denial of service (DDoS) attacks in history. Now, the source code for that botnet is publicly available, having been released on the Hackforums site over the weekend.

'My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems,' predicated Brian Krebs in a report on the source code release this weekend. 'On the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet each day. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates.'

'Manufacturers must do a better job of either insuring that each device has a unique default password, or they must force users to change the password once the default is entered, when the device is first installed,' added Nsfocus chief intelligence analyst Stephen Gates. 'If this problem is not solved on a global scale, Mr. Krebs is correct. Soon we may see DDoS attacks that are capable of taking down major portions of the Internet, as well as causing brownouts, creating intolerable latency, or making the Internet unusable. This is all collateral damage caused by a failure of good judgement by using the same factory default passwords on IoT devices in the first place.'
Discuss this in the forums