Exposing the lackluster security of countless IoT devices, new source code reflects a bias towards consumer-class inexperience, which unfortunately carries enterprise-class implications for everyone.

Mirai malware has become a humongous Internet of Things (IoT) menace recently, descending upon the threat landscape with a succession of record-breaking attacks. The first attack this year struck investigative security journalist Brian Krebs' website with a distributed denial-of-service (DDoS) campaign that crested at approximately 620 Gbps, the largest DDoS attack ever seen on the Internet.

Two weeks after the Krebs website attack, French hosting provider OVH experienced a 1 Tbps attack.

Douglas Bonderud stated at IBM’s SecurityIntelligence blog:

"In both cases, this traffic is orders of magnitude greater than what is required to knock out a website. It was made possible by a combination of the sheer number of IoT devices now connected to the Internet and the lackluster security associated with most of these products."

On the heels of the OVH attack, the attackers turned to DNS provider Dyn, whose outage caused massive East Coast service disruptions and made it difficult for users to reach GitHub, Netflix, Reddit, SoundCloud, Twitter and many others. This attack was significant: if you take out a DNS provider, you knock out far more than the primary target.

According to a new report by the Institute for Critical Infrastructure Technology: "A perfect storm is brewing." The report underscores how “script kiddies and cyber-criminal gangs are already drastically expanding their control over vulnerable IoT devices, which are enslaved to malicious purposes and can be contracted in DDoS-for-Hire services by a virtually unlimited number of actors for use in an infinite variation of layered attack methods.”

The report further accentuates this warning:

”As the adversarial landscape of nation-state and mercenary APTs, hacktivists, cybercriminal gangs, script kiddies, cyber caliphate actors, and hail-mary threat actors continues to hyperevolve, America’s treasure troves of public and private data, IP, and critical infrastructure continues to be pilfered, annihilated, and disrupted, while an organizational culture of Participation Trophy Winners managed by tech neophyte executives continue to lose one battle after the next.”

In November, 900,000 Deutsche Telekom customers were knocked offline when malicious hackers drafted vulnerable Zyxel and Speedport routers into a botnet. Graham Cluley stated at WeLiveSecurity’s blog:

“In this particular case, an attack was able to fool the vulnerable routers into downloading and executing malicious code, with the intention of crashing or exploiting them. Compromised routers could then be commanded to change their DNS settings, steal Wi-Fi credentials, or bombard websites with unwanted traffic.”

Source code leaked

In October, Hackforums user Anna-senpai released the source code for Mirai. Level 3 Communications says this leak “inspired a significant number of new bad actors, all working to exploit similar pools of vulnerable devices.”

With the cybercriminal underground both impressed and inspired by the sheer volume of IoT attack possibilities available to them now, there is little doubt that the leaked source code will be a major game changer in the months to come.

Avoid lackluster security practices

Imperva Incapsula recommends device owners do the following to prevent the IoT botnet from spreading:

  1. Stop using default or generic passwords.
  2. Disable all remote (WAN) access to your devices. To verify that your device is not open to remote access, you can use this tool to scan the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).

“With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices like these should become the new norm. Make no mistake; Mirai is neither the first nor the last malware to take advantage of lackluster security practices.”
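The second recommendation above, checking that a device does not answer on SSH, Telnet or HTTP/HTTPS from the WAN side, is something an owner can verify with a few lines of code. The script below is an added example written for this article, not Imperva Incapsula's tool or any code from the Mirai source: it attempts a TCP connection to each of the four ports the recommendation names and reports which ones accept. The host address is an assumption you supply; run it from outside your own network (or against your router's public address) so that the result reflects what an attacker on the Internet would see.

```python
import socket
from typing import Dict, Iterable

# The ports the Incapsula advice tells owners to check: SSH, Telnet, HTTP, HTTPS.
MIRAI_ENTRY_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake means a service is listening and reachable from
    wherever this script runs; a refused or timed-out connection means it is not.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_exposure(host: str,
                   ports: Iterable[int] = tuple(MIRAI_ENTRY_PORTS),
                   timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port once and map port number -> reachable (True/False)."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def exposed_services(results: Dict[int, bool]) -> Dict[int, str]:
    """Filter the probe results down to the ports that should be closed from the WAN."""
    return {port: MIRAI_ENTRY_PORTS.get(port, "unknown")
            for port, reachable in results.items() if reachable}


def format_report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary: which of the checked ports answered."""
    lines = [f"Remote-access check for {host}:"]
    for port, reachable in sorted(results.items()):
        name = MIRAI_ENTRY_PORTS.get(port, "unknown")
        state = "OPEN  (disable remote access)" if reachable else "closed"
        lines.append(f"  {port:>5} {name:<6} {state}")
    if not exposed_services(results):
        lines.append("  none of the checked ports accept connections from here")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed placeholder: replace with your router's or device's public address.
    target = "192.0.2.1"
    print(format_report(target, check_exposure(target)))
```

Because the check is a plain TCP connect, a port that a firewall silently drops shows up as closed only after the timeout expires, so expect the full two seconds per unreachable port; a port that is open but serves a login prompt still counts as exposed, which is exactly what the recommendation warns about.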

The Internet of Things is definitely giving the security world a healthy blast of disruption this year. Like a ticking time bomb, IoT detonators just happen to come in the form of billions of devices.