2016-10-03

Over the weekend, the code that used huge numbers of IoT connected devices to form a
botnet and attack websites with a DDoS attack was released by its author. The
malware, named 'Mirai', is a DDoS Trojan that targets Linux systems and, in
particular, IoT devices.

The author of the Mirai DDoS Trojan, which was used to attack Brian Krebs' website
back on 20th September, has published the source code of his malware following
intense pressure from security researchers.

Stephen Gates, chief research intelligence analyst at NSFOCUS, comments:

"Why do many IoT devices use default passwords? Simple; when manufacturers build
this type of technology they make it as “user-friendly” as possible. Just plug
it in and often it works. The real intention of the decision to ship every device
with the same username/password is primarily designed to reduce customer support
calls; which costs manufacturers money. Most of these IoT devices ship with the
username of “admin” and the password is the word “password”. Simply
entering admin/password gets you in. Some vendors may use different default
combinations, but once you know what vendor does what, it's easy from there. If
people don't change the password when the device is installed, it will continue to
use the factory default of “password” in many cases.

The solution to this is simple. Manufacturers must do a better job of either
ensuring that each device has a unique default password, or they must force users to
change the password once the default is entered, when the device is first installed.
One way of ensuring that each device has a unique password is to etch the devices'
default username and password on the unit itself. Even if a user did not change the
default password, a hacker would have to gain physical access to the unit to
determine its default username/password combination. This would go a long way to
solving that problem if every device shipped with a different combination of login
credentials.

If this problem is not solved on a global scale, Mr. Krebs is correct. Soon we may
see DDoS attacks that are capable of taking down major portions of the Internet, as
well as causing brownouts, creating intolerable latency, or making the Internet
unusable. This is all collateral damage caused by a failure of good judgement by
using the same factory default passwords on IoT devices in the first place."
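
The two fixes described in the comment above, a unique per-unit default password and a forced change at first login, can be sketched as follows. This is an added example, not part of the quoted commentary or any vendor's firmware; the `DeviceAccount` class, its method names, the minimum length and the `KNOWN_DEFAULTS` list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of shared factory defaults a device should refuse.
KNOWN_DEFAULTS = {"password", "admin", "12345", "root"}

def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the credential, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DeviceAccount:
    """Admin login state for one unit (hypothetical model)."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.hash = b""
        self.must_change = True

    def provision(self) -> str:
        """Factory step: random per-unit password, printed on the unit's label."""
        label_password = secrets.token_urlsafe(9)  # 12 characters, 72 random bits
        self.hash = _hash(label_password, self.salt)
        self.must_change = True
        return label_password

    def login(self, password: str) -> str:
        if not hmac.compare_digest(_hash(password, self.salt), self.hash):
            return "denied"
        # A correct label password only unlocks the change-password screen.
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        if self.login(old) == "denied":
            return False
        # Reject reuse of the label password, shared defaults and short values.
        if new == old or new.lower() in KNOWN_DEFAULTS or len(new) < 10:
            return False
        self.salt = secrets.token_bytes(16)
        self.hash = _hash(new, self.salt)
        self.must_change = False
        return True
```
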

Reiner Kappenberger, global product manager at HPE Security - Data Security, comments:

“The IoT space has become a hot market where companies need to enter quickly with
functionality to be considered leading the space. However with that approach where
functionality is the leading indicator comes the risk that security measurements are
pushed to the back of the development cycle and frequently then dropped in order to
release a product. While some of these are easy to fix the problem can lead to new
entrants into the market running out of business due to security not taking an equal
position to features during development.

The current lack of guidance and regulations for IoT device security is one of the
bigger problems in this area and why we see breaches in the IoT space rising.
Companies rush product to market that have been developed by teams that are solely
focusing on functionality. They use protocols and tools that have not been
thoroughly vetted from a security standpoint as the small amount of storage in those
devices poses limitations to the software elements they can use. Companies entering
this space need to think about longer term impact of their devices. Typically
computers have a lifespan of a few years. However IoT devices may be around for 10+
years before being replaced – especially in home networks. Companies working in
this market need to consider this fact as over the years we have seen a constant
flood of vulnerabilities in the tools being used and those systems need to be
updated to patch those security flaws. As shown by this latest development, this is
a broad problem that manifests itself on many IoT devices with extremely damaging
results.

Consumers that venture into the IoT space should identify the security measurements
that have been taken to secure the device and ask about the long term support for
the product. A breach in the IoT device can easily move to other systems – i.e.
the home computer – and attackers would then be able to steal valuable personal
information such as bank account information and credentials as they are now behind
any firewall that the user might have and the whole home network usually is
unprotected in home environments. People still take home network security too lightly
and should take broader measures to secure themselves.

For those manufacturing devices they should consider approaches like a data-centric
security approach that helps prevent data leakage and access – in order to protect
their customers properly. Innovative technologies such as industry-standard
format-preserving encryption can protect data, at the data level, in the IoT mobile
applications, in connected devices and in the enterprise back-end systems. And while
this research looked at consumer/home networks, there are parallels to the
widespread use of connected devices throughout the enterprise so it's incumbent on
all types of technology consumers to take control of their security.”
