Security journalist Brian Krebs recently suffered a record-breaking DDoS attack on his website, clocking in at or near a whopping 620 Gbps of traffic. Krebs’ site was down for over 24 hours, and it resulted in him having to leave his CDN behind.
These attacks were launched by a large botnet of hacked devices. Internet of things (IoT) devices, to be specific. And on Friday, September 30, the source code for the botnet was released on Hack Forums, and was eventually picked up and mirrored on GitHub. The code, called Mirai, scans the web for devices with default user names and passwords, or hard-coded credentials. Once it finds a suitable target, it installs malicious software, then reports back home.
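From the defender's side, the scanning described above shows up in device or honeypot logs as one source failing logins against many devices in quick succession, sometimes followed by a success. The sketch below is an added example, not part of the original post and not Mirai code; the log format, field names, thresholds and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of telnet auth events from devices or a honeypot.
# The line format is an assumption made for this example.
SAMPLE_LOG = """\
2016-10-03T02:14:01Z telnet login failed src=198.51.100.23 dst=10.0.0.15 user=root
2016-10-03T02:14:02Z telnet login failed src=198.51.100.23 dst=10.0.0.16 user=root
2016-10-03T02:14:04Z telnet login failed src=198.51.100.23 dst=10.0.0.17 user=admin
2016-10-03T02:14:05Z telnet login ok src=198.51.100.23 dst=10.0.0.17 user=admin
2016-10-03T02:20:00Z telnet login failed src=10.0.0.50 dst=10.0.0.15 user=alice
2016-10-03T02:20:09Z telnet login ok src=10.0.0.50 dst=10.0.0.15 user=alice
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) telnet login (?P<result>failed|ok) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+)"
)

def parse(log):
    """Yield (timestamp, result, src, dst, user) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["src"], m["dst"], m["user"]

def find_sweeps(log, window=timedelta(seconds=60), min_targets=3):
    """Flag sources whose failed logins hit min_targets devices within window."""
    events = defaultdict(list)
    for ts, result, src, dst, _user in parse(log):
        events[src].append((ts, result, dst))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, dst) for ts, result, dst in evs if result == "failed"]
        swept, start = set(), 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            targets = {dst for _, dst in fails[start:end + 1]}
            if len(targets) >= min_targets:
                swept |= targets
        if swept:
            # A success from a sweeping source means that device's login was guessed.
            owned = {d for ts, r, d in evs if r == "ok" and ts >= fails[0][0]}
            findings[src] = {"targets": swept, "compromised": owned}
    return findings
```

Calling `find_sweeps(SAMPLE_LOG)` flags only the source that touched three devices in four seconds and marks the one device where a login then succeeded, which is the device to pull off the network and re-credential first.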
The concept behind Mirai isn’t fresh, but the targeted systems are. IoT devices are becoming more and more common in households, and include everything from “smart” refrigerators and smart plugs to thermostats, smoke detectors, and security cameras.
Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.
As these devices become more prevalent, it becomes more and more important for security professionals to turn their attention towards them.
The move towards more security is always a slow one, especially in situations where the manufacturers are not motivated to produce a secure device due to cost. It’s almost always cheaper to release the device and then let the security community report on issues than it is to hire a team to test in-house. With this kind of insecure-by-default design, I think the next few years are going to be an exciting time for pentesters and hackers everywhere. I, for one, can’t wait to write a report explaining how I accessed an internal company network via a toaster.