Cybersecurity journalist Brian Krebs and French Internet service provider OVH were hit in September by a massive distributed denial of service (DDoS) attack launched from IP-enabled “smart” devices, mostly security cameras. The name of the malware used in the attack is Mirai. (Read more about Mirai on SecurityLedger.com.)
In terms of volume, it was an attack the likes of which hadn’t been seen before. Let’s try to put some scale to this. Akamai reported that until the attack on Krebs, the largest attack they’d ever seen was over 300Gbps. The attack against Krebs peaked at 686Gbps, and OVH claimed a peak of 1Tbps during the attack against them. That’s huge!
The impact of denial of service attacks can be amplified by using different methods to exploit the default behavior of different computer services. These are known as reflection attacks, and the end result is that one attacking device can have the impact of several attacking devices. A reflection attack using 10,000 devices could, then, have the effect of 50,000 or 100,000 attacking devices. The thing to note about last month’s attack is that no reflection techniques were used. That means a massive network of exploited devices (a botnet) was used.
It will only be a matter of time until we see exploited Internet of Things (IoT) devices paired with reflection attacks, and now that Mirai has been made open source, it shouldn’t be too long before we see larger and more sophisticated attacks. Good times.
Now, the kicker of the whole thing is this. Last week, I caught a presentation by Mike Kun from Akamai (you may recall that Mike and his wife Kathryn were on the panel at the first 1NTERRUPT in 2014) about the attack and he reported that Mirai consisted of 62 pairs of hard-coded default credentials. If the credentials weren’t a match, it moved on and looked for a new target. Let that sink in for a moment: Default credentials…
Mirai is not some sophisticated, 0-day exploiting, state-sponsored uber malware. Its method of propagation would be laughable if it weren’t for the sad fact that the most massive DDoS attack, until that time, could have been averted if owners of these devices just changed the default passwords. To be fair, not all of the blame rests on users. One problem that is becoming painfully evident with IoT devices is that not all device vendors provide an interface to change the password, so even if a device owner wants to be more secure, it’s not possible. Yay…
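From the defender's side, the behavior described above (a source that runs through a list of default credentials and then moves on) shows up as a short burst of failed logins across several account names. The following is an added example, not code from the original post or from the Akamai presentation; the log format, the sample lines, the thresholds and the function name are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical login-log format (not from a real device).
SAMPLE_LOG = """\
2016-10-03T02:14:01 login FAIL src=198.51.100.7 user=root
2016-10-03T02:14:02 login FAIL src=198.51.100.7 user=admin
2016-10-03T02:14:03 login FAIL src=198.51.100.7 user=support
2016-10-03T02:14:04 login FAIL src=198.51.100.7 user=guest
2016-10-03T02:14:05 login OK src=198.51.100.7 user=admin
2016-10-03T02:20:10 login FAIL src=203.0.113.20 user=root
2016-10-03T02:20:11 login FAIL src=203.0.113.20 user=admin
2016-10-03T02:20:12 login FAIL src=203.0.113.20 user=user
2016-10-03T02:20:13 login FAIL src=203.0.113.20 user=root
2016-10-03T09:00:00 login FAIL src=192.0.2.44 user=alice
2016-10-03T09:00:08 login FAIL src=192.0.2.44 user=alice
2016-10-03T09:00:15 login OK src=192.0.2.44 user=alice
"""

LINE_RE = re.compile(r"^(\S+) login (FAIL|OK) src=(\S+) user=(\S+)$")

def find_credential_sweeps(log_text, window=timedelta(seconds=60), min_failures=4, min_users=3):
    """Map each source that swept several accounts within `window` to a verdict."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are ignored
            ts, result, src, user = m.groups()
            by_src[src].append((datetime.fromisoformat(ts), result, user))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            burst = fails[start:end + 1]
            if len(burst) >= min_failures and len({u for _, u in burst}) >= min_users:
                # A success after the burst began means one of the guesses worked.
                worked = any(r == "OK" and ts >= burst[0][0] for ts, r, _ in events)
                findings[src] = "sweep-then-login" if worked else "sweep"
                break
    return findings

if __name__ == "__main__":
    print(find_credential_sweeps(SAMPLE_LOG))
```

A "sweep-then-login" verdict is the case that matters most: the device accepted one of the guessed credentials and should be treated as compromised until its password is changed.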
I’ve heard that in the US there is talk of some requirement or regulation from either the Federal Communications Commission (FCC) or the Federal Trade Commission (FTC) requiring device vendors to provide an interface for users to be able to change the login credentials. Typically, I’m not a fan of government regulation in IT or cyber security matters, but I would support a move from the FTC to establish that requirement of device vendors.
I’ve always contended that we’re each responsible for our own security, and with the dawning of the IoT, we’re also all responsible for each other’s security. Mirai has proven that.