Mirai is exposing a serious security issue with the Internet of Things that absolutely must be quickly handled.
Until a few days ago, I had been seriously considering replacing the 1999 model Apple Airport wireless router I’ve been using since it was gifted to me in 2007. It still works fine, but I have a philosophy that any hardware that’s more than old enough to drive probably needs replacing. I’ve been planning on taking the 35 mile drive to the nearest Best Buy outlet on Saturday to see what I could get that’s within my price range.
After the news of this week, that trip is now on hold. For the time being I’ve decided to wait until I can be reasonably sure that any router I purchase won’t be hanging out a red light to attract the IoT exploit-of-the-week.
It’s not just routers. I’m also seriously considering installing the low-tech sliding door devices that were handed out as swag at this year’s All Things Open to block the all-seeing eye of the webcams on my laptops. And I’m becoming worried about the $10 Vonage VoIP modem that keeps my office phone up and running. Thank goodness I don’t have a need for a baby monitor and I don’t own a digital camera, other than what’s on my burner phone.
In case you don’t know, Internet of Things security sucks so much it appears as if the IoT folks have taken a time machine back to 1998 to implement Microsoft’s best practices of that era.
The threat of the week — this one actually goes back to early September — is Mirai, which infects network-facing devices to form massive botnets. It also seems to be gaining new capabilities as we speak. When Brian Krebs was knocked offline in September, followed by the takedown of many of the largest sites on the web in October, Mirai was infecting IoT devices the easy way — by “guessing” passwords, most of which were still set to the device’s default. Now the black hats have morphed the malware to take advantage of security vulnerabilities in specific devices.
Yesterday we learned that just shy of a million Deutsche Telekom subscribers had been taken offline after their routers were infected by Mirai. Today’s news is that the attack has spread to include routers in the UK, Brazil, Iran, Thailand and elsewhere. So far they’re only attacking routers made by Zyxel, taking advantage of a SOAP vulnerability, but there will be other vulnerabilities to exploit in other routers — and webcams, cameras, thermostats, baby monitors, and ironically, home security devices.
“What we see right now is more or less just a tip of the iceberg,” Johannes Ullrich, dean of research at the SANS Institute, has said. “By adding this exploit, Mirai gained access to many more devices than it already had.”
My guess is that there are many more compromised IoT devices than we imagine. We only know about this latest round of attacks against Zyxel due to a screw-up in the black hats’ code that knocked exploited routers offline.
Today, InfoWorld quotes Craig Young, a security researcher at Tripwire, as saying: “The malware may have been too demanding on the routers, and overloaded them, so they wouldn’t be able to operate. Someone will fix the bugs in the code. People will also incorporate more exploits related to routers.”
Obviously, Mirai won’t be the last weapon to be added to the script kiddies’ IoT arsenal. We need to do something, and do it quickly, unless we want to see the Internet become as reliable as the electricity supply in Port-au-Prince.
This could all be solved with a little regulation on the marketing end. We could codify some “best practices” for software and patching processes, and require that the source code for the software in any IoT device be submitted and approved before the device can be brought to market. This would spare the home inventor or hobbyist from having to jump through a mountain of red tape before hooking a DIY SBC-based device to the Internet, while making sure that the likes of Cisco, Canon and Carrier don’t unleash tens of millions of devices on an already overburdened Internet.
Meanwhile, I’ll stick with my old 1999 Airport for as long as it continues to work, since I can’t guarantee that a new router would be any safer. It’s a crapshoot, and I don’t gamble.