The first of many IoT attacks
Yesterday, a lot of major sites went down and a majority of users in the United States experienced slow internet speeds. There has been a major DDoS attack by a botnet called Mirai. DDoS attacks are not new, but this one seems to be on an unprecedented scale. And the Internet of Things is to blame.
The Internet of Things is not a new concept. It has been around since the late nineties and is getting increasingly pervasive. A lot of home and industrial devices are now becoming smart, and eventually all things at home, in the city and at the workplace will be internet connected and will be just things, not smart things.
Previously, only networked computers were part of botnets. Now a lot of other things (printers, gas meters, bulbs etc.) have a chip and are connected to the web (i.e. they are computers themselves), and they are being roped in to be part of botnets too. The best part of adding these things to a botnet is that they almost never get antivirus checks and there are so many more of them than computers. Also, as you will see in the articles about Mirai, they have stupid username/password factory defaults which very few bother changing.
My first reaction when I read about Mirai, its recent public release and yesterday's DDoS attack was “You fools!”. Or rather “We are fools”. Because we all have known this was going to happen, sooner rather than later.
Three and a half years ago, a benevolent anonymous hacker researching the expanse of the internet created a bot called Carna. They released terabytes of research data showcasing the extent of internet devices, their security flaws and competing botnets. The people who created Carna disabled a massive malicious botnet like Aidra, which was a precursor to Mirai. All the articles talked about how illegal this research was and the thousand years the researchers would spend in jail, but very little about solving the issues and holding the manufacturers accountable for poor device security and myriad vulnerabilities. Many scholars like Phil Howard have written about Carna and possible solutions. However, nothing significant has emerged. All devices, ranging from our home routers to industrial machinery with embedded chipsets, are still very much vulnerable, with the same old nominal security.
I think IoT is going to have a big spotlight moment here, like Bitcoin did when Silk Road was taken down. But unlike Bitcoin, IoT is not fringe. IoT has been emerging since the first Wi-Fi printer, internet-connected gas meters etc. Along with the stringent laws we have (or are trying to pass) which ensure the privacy of user data, I believe manufacturers should also be held accountable to variable standards of safety based on how critical the connected devices they manufacture are going to be. The fate of our virtual health and safety rests on this, among other things, and Mirai is just the first of many infections we are going to fight.