Last Friday's distributed denial-of-service (DDoS) attack, launched from an army of infected webcams, DVRs, and other embedded systems, crippled a large chunk of the Internet's domain name system (DNS) infrastructure and served as a wake-up call after years of research and warnings about vulnerable consumer and embedded devices.
It also led to a rare mea culpa from a consumer networked-device manufacturer: Hangzhou Xiongmai Technology Co Ltd, the Chinese maker of electronics found in some of the surveillance cameras hijacked by the so-called Mirai botnet used in the attack on DNS provider Dyn, reportedly said it will recall some of its affected products. The firm plans to strengthen authentication on its devices and to patch devices manufactured before April 2015, according to a Reuters report.
Even so, a recall is far from the solution to cleaning up the botnet pollution, especially in the Internet of Things space, security experts say.
"The trouble with hardware that has been hijacked for Mirai is that the devices are 'white label' goods, produced by an unbranded manufacturer for third-party companies," Sophos' principal research scientist Chester Wisniewski said in a blog post today. "The Chinese company that made the hijacked devices, XiongMai, almost certainly has no way of knowing which companies have rebranded and sold its insecure cameras, and thus who the end users are. That makes it pretty much impossible to recall them."
IoT devices, everything from home routers to webcams and smart fridges, are well-known easy security targets. Aside from the "white label" component issue, most of them ship with default credentials and little in the way of security controls. The bot-infected army of IoT devices pummeled Dyn last Friday and, because so many major websites rely on Dyn for DNS, left sites such as Okta, Pinterest, Reddit, and Twitter either inaccessible or slow to load for some users.
But the attackers behind the DDoS, whose origin is still being investigated, did not need any sophisticated hacking to recruit their IoT devices: finding vulnerable IoT devices exposed to the public Internet is easy.
Vikas Singla, co-founder and chief operating officer of stealth startup Securolytics, says his firm found that two basic factors contributed to the Mirai botnet's formation. First, some IoT devices, including webcams, routers, and DVRs, announce their model number and software version in the banner they present when you connect to them over the Internet. "IoT devices tell you what they are … servers don't do that," notes Singla.
Second, Securolytics, which scans the networks of healthcare and financial services firms for IoT vulnerabilities, found that the IoT devices recruited into the Mirai botnet use just one popular IoT default credential: "root."
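The banner leak Singla describes is easy to see for yourself on your own network: the first bytes a device sends on a telnet or HTTP connection often name the product and firmware version. The script below is an added example, not Securolytics' tooling or anything from the original article; the banner strings, product names and versions it parses are constructed for illustration and do not refer to real devices. It shows how an inventory tool would turn raw banners into a list of hosts that give away what they are.

```python
import re

# Constructed sample banners from a hypothetical LAN sweep. The product
# names, versions and addresses are made up; none refers to a real device.
SAMPLE_BANNERS = {
    "192.0.2.10": "Welcome to IPCam-2000 firmware 1.4.2\r\nlogin: ",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: DVR-Web/3.1.0\r\nContent-Type: text/html\r\n\r\n",
    "192.0.2.12": "Model: NVR-16CH, Version: 2.0.7\r\n\r\nlogin: ",
    "192.0.2.13": "login: ",  # a bare prompt: says nothing about itself
}

# Three common ways an embedded device leaks its identity, tried in order:
# an HTTP Server header, an explicit Model/Version pair, and a free-text
# "<product> firmware <version>" greeting.
PATTERNS = [
    re.compile(r"Server:\s*(?P<product>[\w.-]+)/(?P<version>\d+(?:\.\d+)*)", re.I),
    re.compile(r"Model:\s*(?P<product>[\w-]+),?\s*Version:\s*(?P<version>\d+(?:\.\d+)*)", re.I),
    re.compile(r"(?P<product>[A-Za-z][\w-]*)\s+(?:firmware|fw|version|v)\s*(?P<version>\d+(?:\.\d+)+)", re.I),
]


def fingerprint(banner):
    """Return {'product', 'version'} if the banner identifies the device, else None."""
    # Drop telnet option-negotiation bytes and other control characters first.
    text = "".join(ch for ch in banner if ch.isprintable() or ch in "\r\n")
    for pat in PATTERNS:
        m = pat.search(text)
        if m:
            return {"product": m["product"], "version": m["version"]}
    return None


def exposure_report(banners):
    """Map each host to what its banner gives away; None means it said nothing useful."""
    return {ip: fingerprint(b) for ip, b in banners.items()}


if __name__ == "__main__":
    for ip, info in exposure_report(SAMPLE_BANNERS).items():
        print(ip, info if info else "(no identifying banner)")
```

In a real sweep the banners would come from a scanner such as nmap's service detection rather than a dictionary; the parsing step is the same. A host that shows up with a product and version string is one that an attacker can match against known default credentials without ever logging in.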
Mirai scans for devices that expose telnet, tries default credentials against them, and when a login succeeds, enlists the device for DDoS attacks. CCTV cameras are the devices most often exploited by Mirai because so many of them ship with default credentials. The malware specifically targets devices built on BusyBox, the stripped-down Unix userland found in many IoT products.
The Sept. 20 Mirai DDoS against KrebsOnSecurity reached around 620 Gbps, which broke DDoS records in terms of bandwidth. The botnet's author later dumped the Mirai source code online.
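The scanning behaviour described above is also what makes Mirai recruitment visible from the defender's side: an infected device opens connections to telnet on many different addresses in a short time. The detector below is an added example written for this article, not Mirai code or any vendor's product; it runs over constructed netfilter-style firewall log lines (made up for illustration) and flags a source that reaches five or more distinct hosts on port 23 or 2323 within a minute. Port 2323 is included because Mirai's scanner also probed that common alternate telnet port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a netfilter/syslog-like shape; the
# addresses and timings are made up. 203.0.113.5 behaves like a Mirai
# scanner, 203.0.113.9 like an admin logging in twice to one box, and
# 198.51.100.77 like a web crawler (many hosts, but on port 80).
SAMPLE_LOG = """\
Oct 21 07:10:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=41231 DPT=23 SYN
Oct 21 07:10:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.21 PROTO=TCP SPT=41232 DPT=23 SYN
Oct 21 07:10:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.22 PROTO=TCP SPT=41233 DPT=2323 SYN
Oct 21 07:10:03 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.23 PROTO=TCP SPT=41234 DPT=23 SYN
Oct 21 07:10:04 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.24 PROTO=TCP SPT=41235 DPT=23 SYN
Oct 21 07:10:05 gw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.25 PROTO=TCP SPT=41236 DPT=23 SYN
Oct 21 07:10:06 gw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.30 PROTO=TCP SPT=50001 DPT=23 SYN
Oct 21 07:11:10 gw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.30 PROTO=TCP SPT=50002 DPT=23 SYN
Oct 21 07:11:11 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.40 PROTO=TCP SPT=33001 DPT=80 SYN
Oct 21 07:11:11 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.41 PROTO=TCP SPT=33002 DPT=80 SYN
Oct 21 07:11:12 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.42 PROTO=TCP SPT=33003 DPT=80 SYN
Oct 21 07:11:12 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.43 PROTO=TCP SPT=33004 DPT=80 SYN
Oct 21 07:11:13 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.44 PROTO=TCP SPT=33005 DPT=80 SYN
"""

TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+) SYN"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP SYN log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
    return ts, m["src"], m["dst"], int(m["dpt"])


def telnet_scanners(lines, window_s=60, min_targets=5):
    """Map source -> peak number of distinct telnet targets seen in any window."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in TELNET_PORTS:
            ts, src, dst, _ = rec
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, lo = 0, 0
        for hi in range(len(events)):
            # Slide the window so it spans at most window_s seconds.
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, len({d for _, d in events[lo:hi + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct telnet targets within a minute, likely scanner")
```

Pointed at a gateway's real firewall log, a source on the inside of the network that trips this rule is a strong sign that one of your own cameras or DVRs has already been recruited and is hunting for the next victim; a source on the outside is the scanning that fills a botnet in the first place, and a reason to make sure nothing behind the gateway answers on those ports.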
Meanwhile, Dyn has confirmed that the DDoS attack came in three waves last Friday and involved tens of millions of IP addresses across different locations. "We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," Kyle York, Dyn's chief strategy officer, wrote in a post.
Dyn said the DDoS campaign began at around 7:10 am Eastern and concluded around 1:45 pm Eastern.
While the Mirai DDoS front has been quiet since then, security experts say this was only the beginning of IoT-based botnet attacks.
"It's going to continue to happen," says Doug Morgan, chief data scientist at Securolytics.