Your IoT toy vs. my freedom
The release of the source code for the “Mirai” IoT botnet has made it simpler for wanna-be hackers to recruit a zombie army and attack a target of their choice, which also makes it easier for them to damage press freedom and the free access to information that we take for granted.
The question is only who they will attack next – and if your shiny new IoT toys will be part of their army.
In late September, a distributed denial-of-service (DDoS) attack against KrebsOnSecurity forced this leading security news site to go offline. DDoS attacks, most famously described by Graham Cluley as “15 fat men trying to go through a revolving door at the same time” knock sites offline by directing more traffic at them than they can handle.
This particular attack stood out for three interesting details:
- It was huge – clocking in at 665 Gigabits of traffic per second.
- The target was visible – KrebsOnSecurity is one of the top independent sources of security news in the US.
- The attackers were many – the attack came from a botnet army of hacked IoT devices.
Instead of the usual fat 15 men jamming up the doorway, this attack featured a mob of thousands of zombie midgets. The midgets in this case were IoT devices which had been hacked and conscripted into the Mirai botnet.
And there’s more. OVH, the French web hosting company, was just hit with two parallel DDoS attacks with a combined bandwidth nearing one thousand Gigabits a second. This attacking army was made up of an estimated 152,000-plus IoT devices, including CCTV cameras and personal video recorders.
The Mirai botnet targeting Krebs finds its conscripts by continuously scanning for IoT devices where the factory default username and password have been left unchanged. KrebsOnSecurity just published an incomplete list of 68 username and password pairs found in the botnet source code, pointing out that many of these are generic and could apply to a manufacturer’s entire product lineup of IoT devices.
And there is more bad news. The source code for Mirai has been released on Hackforum, making it easy for wanna-be hackers to build their own botnet armies. Far from being altruistic, this release is like a kid passing stolen candy around the classroom – it increases the pool of others that can put their hand in the bag.
The cost of a DDoS attack can be huge to the target and to society. The pro bono DDoS protection that Akamai provided to Krebs was valued at over $150,000 – then they threw in the towel. It’s a good thing that Google’s Project Shield was able to step in and enable KrebsOnSecurity to go back online.
The cost to society is more indirect but still substantial. Krebs, as an investigative journalist, is the go-to source for information on data breaches, ATM skimmers, and more. Knocking him offline is a technical form of censorship. While the impact was short this time, more attacks are expected. And next time, it probably won’t be hitting a techie news blogger.
Are you sure that the default settings on all your devices have been changed?