Botnets exploiting loopholes in IoT security will continue unless vendors and network operators step up and work together.
Connected devices left on their factory-default usernames and passwords have opened the IoT to botnets that launch large-scale DDoS attacks. Last month, the largest such attack on record knocked the website of cyber security expert Brian Krebs offline.
Most botnets simply rely on infecting enough PCs and harnessing their combined power. This new malware, dubbed “Mirai,” has instead spread to a host of vulnerable IoT devices by scanning the Internet for systems protected only by default usernames and passwords.
Products such as cameras, digital video recorders, and printers were all successfully targeted due to easily guessable passwords, often not changed from the manufacturer’s default.
Last Friday, the botnet’s source code was released on HackForums. It has since become clear that the scanner is built to attempt more than 60 username and password combinations over Telnet, often as simple as “admin” and “password”, when searching for and accessing connected devices.
Those combinations were enough to allow the botnet to spread to 380,000 ‘Things’. Mirai hit Brian Krebs’ site with traffic topping out at 620Gbps, and has also been linked to a more powerful DDoS attack against OVH.
It seems only a matter of time before more botnets like Mirai appear, unless vendors move away from default passwords. In the meantime, SANS Internet Storm Center has suggested that system admins “Consider running the latest version of cowrie on a honeypot to help us keep an eye on the passwords attempted to look for any shifts in the current pattern.”
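The SANS advice above amounts to a simple measurement: tally the username/password pairs hitting a honeypot and watch for pairs that are not in the set Mirai is known to try. The script below is an added example written for this page, not code from the article, SANS or the cowrie project. It assumes cowrie's JSON-lines log format (one object per line, login attempts carrying `eventid` values `cowrie.login.failed` or `cowrie.login.success` with `username`, `password` and `src_ip` fields); the log lines embedded in it are constructed for the example, and the baseline set is a small subset of the credential pairs hard-coded in the leaked Mirai scanner, not the full list.

```python
"""Tally credentials attempted against a cowrie honeypot and flag shifts.

Added example (not from the article or cowrie). Assumes cowrie's JSON-lines
log format; the sample log below is constructed for this example.
"""
import json
from collections import Counter

# Subset of the username/password pairs hard-coded in the leaked Mirai
# scanner source. Used here as the "current pattern" to compare against.
MIRAI_BASELINE = {
    ("admin", "password"), ("admin", "admin"), ("root", "root"),
    ("root", "admin"), ("root", "xc3511"), ("root", "vizxv"),
    ("support", "support"),
}

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

# Constructed sample in cowrie's JSON-lines shape: a non-login event, a
# malformed line, four baseline pairs and one pair outside the baseline
# seen from two different sources.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "username": "root", "password": "xc3511", "src_ip": "192.0.2.10", "timestamp": "2016-10-03T01:02:03Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "password", "src_ip": "192.0.2.11", "timestamp": "2016-10-03T01:02:09Z"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.10", "timestamp": "2016-10-03T01:02:10Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "vizxv", "src_ip": "192.0.2.10", "timestamp": "2016-10-03T01:02:11Z"}
{"eventid": "cowrie.login.success", "username": "admin", "password": "admin", "src_ip": "192.0.2.12", "timestamp": "2016-10-03T01:02:15Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "hunter2", "src_ip": "192.0.2.13", "timestamp": "2016-10-03T01:03:01Z"}
this line is not JSON and must be skipped
{"eventid": "cowrie.login.failed", "username": "root", "password": "hunter2", "src_ip": "198.51.100.7", "timestamp": "2016-10-03T01:03:40Z"}
"""


def parse_login_attempts(log_text):
    """Return (username, password, src_ip) for every login event.

    Non-login events and lines that are not valid JSON are skipped so a
    single bad line does not abort a run over a large log.
    """
    attempts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventid") not in LOGIN_EVENTS:
            continue
        attempts.append((event.get("username", ""),
                         event.get("password", ""),
                         event.get("src_ip", "")))
    return attempts


def tally_credentials(attempts):
    """Count how often each (username, password) pair was tried."""
    return Counter((user, pw) for user, pw, _ in attempts)


def split_by_baseline(counter, baseline=MIRAI_BASELINE):
    """Separate pairs already in the known pattern from pairs outside it."""
    known = {pair: n for pair, n in counter.items() if pair in baseline}
    unknown = {pair: n for pair, n in counter.items() if pair not in baseline}
    return known, unknown


def sources_for_pair(attempts, pair):
    """Distinct source IPs that tried a given pair (sorted for stable output)."""
    return sorted({ip for user, pw, ip in attempts if (user, pw) == pair})


def report(log_text, baseline=MIRAI_BASELINE, min_count=2):
    """Summarise a log: a pair outside the baseline seen min_count or more
    times is reported as a shift in the attack pattern."""
    attempts = parse_login_attempts(log_text)
    counter = tally_credentials(attempts)
    known, unknown = split_by_baseline(counter, baseline)
    shifts = {pair: n for pair, n in unknown.items() if n >= min_count}
    return {"attempts": len(attempts), "known": known,
            "unknown": unknown, "shifts": shifts}


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    print(f"login attempts: {summary['attempts']}")
    for pair, n in sorted(summary["known"].items()):
        print(f"  baseline  {pair[0]}:{pair[1]}  x{n}")
    for pair, n in sorted(summary["shifts"].items()):
        ips = sources_for_pair(parse_login_attempts(SAMPLE_LOG), pair)
        print(f"  NEW PAIR  {pair[0]}:{pair[1]}  x{n}  from {', '.join(ips)}")
```

Point it at `cowrie.json` from a real honeypot instead of `SAMPLE_LOG` and the `shifts` section is what SANS is asking operators to watch: a credential pair that is not in the leaked list but starts recurring from several sources is the first visible sign of a modified scanner.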
Cooperation key to defence against botnets
Roland Dobbins, principal engineer at Arbor Networks, pointed out that while vendors should focus on making devices more secure, network operators need to work together to deal with DDoS attacks. He said:
“Organizations can defend against DDoS attacks by implementing best current practices for DDoS defence, including hardening their network infrastructure, ensuring they’ve complete visibility into all traffic from their networks so as to detect DDoS attacks, having sufficient DDoS mitigation capacity and capabilities either on premise or via cloud-based DDoS mitigation services or both, and by having a DDoS defence plan which is kept updated and is rehearsed on a regular basis.”
“In particular, ISP and MSSP network operators should ensure that they participate in the global operational community, so that they can both render assistance when other network operators come under high-volume DDoS attacks, as well as request assistance as circumstances warrant. Active cooperation between enterprise network operators, ISPs, and MSSPs is the key to successful DDoS defence.”