Two weeks ago, we predicted that distributed denial-of-service (DDoS) attacks using Internet of Things botnet armies would become more frequent and more severe. Unfortunately, these predictions are quickly coming true. On October 21st, a massive DDoS attack was launched against the New Hampshire-based DNS provider Dyn. Hackers used publicly available Mirai source code to create a botnet army and infect an estimated 500,000 or more devices, overwhelming Dyn with enormous amounts of junk traffic. Major websites that use Dyn, like Amazon, Twitter, Spotify, and Netflix, were brought down for hours. What’s worse, these compromised devices remain accessible to hackers. An IoT device could be anything from a CCTV camera to a printer. The devices often have weak passwords, as most manufacturers and users are not concerned with securing their products. Many of the devices used in the attack were products of Hangzhou Xiongmai Technology of China, and the company is now recalling some of its devices and issuing patches for others.
“In all, there are 68 username and password pairs in the botnet source code. However, many of those are generic and used by dozens of products, including routers, security cameras, printers and digital video recorders (DVRs),” said security researcher Brian Krebs, whose site was recently the victim of a similar attack that used the same Mirai source code.
It is logical that both manufacturers and users should work to upgrade security on IoT devices, but there is a strong lack of market incentive. There is no legislation in place to deal with the threat of an IoT world (though the EU is trying to change that), and companies have no monetary or legal incentive to regulate safety in these products.
“Right now there’s not much financial impact if you ship insecure software,” said Dan York, DNS security program manager for the Internet Society.
For users uneducated on the severity of the problem, or on how IoT devices can make their homes insecure, there is also little incentive to improve security measures.
It is critical that users change the generic username and password that come with their IoT device, but this step is often overlooked because users are not motivated to change the password, are unsure how to change it, or, as with some devices, cannot change the default password at all. The only way to truly ensure that all IoT devices with security flaws are 100% secure is to unplug them, and of course it is unreasonable to unplug all the devices in existence. Thus, IoT devices remain vulnerable to even more attacks, without an immediate solution.
“I truly think this IoT infrastructure is very dangerous on the whole and does deserve attention from anyone who can take action,” said Allison Nixon, Director of Research at Flashpoint.