While the precise form of Mirai’s attacks is not new, the scale of these volumetric attacks is unprecedented. The weak security of many IoT devices provides an attractive target for DDoS attackers, leveraging the bandwidth and processing resources of millions of connected devices. Botnets are frequently referred to as “zombie computers” and the metaphor is fitting: bad actors infect unsuspecting computers and network devices with malware, sending remote commands to hordes of compromised computers. Analysts have also noted the dynamic nature of Mirai Command and Control (C&C) servers (platforms used by attackers to send these remote commands to the botnets), with the malicious operator or operators switching C&C servers far more rapidly than in past botnet attacks. The United States Computer Emergency Readiness Team (US-CERT) notes in its alert that the release of the Mirai source code has increased the risk of similar botnets being created, acknowledging at least one new separate malware family leveraging IoT vulnerabilities in a manner similar to Mirai.
Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices. Attackers perform wide-ranging scans of IP addresses, searching for devices with poor security features such as factory default or hard-coded (i.e., unchangeable) passwords, publicly accessible remote administration ports (akin to open doors), and susceptibility to brute force attacks. In my June 6th letter to the Federal Trade Commission (FTC), I raised serious concerns with the proliferation of these insecure connected consumer products, noting that the “ever-declining cost of digital storage and internet connectivity have made it possible to connect an unimaginable range of products and services to the Internet,” potentially without adequate market incentives to adopt appropriate privacy and security measures. Juniper Research has projected that by the end of 2020, the number of IoT devices will grow from 13.4 to 38.5 billion – yet there is no requirement that devices incorporate even minimal levels of security. The internet’s open architecture has been a catalyst for its growth, allowing an enormous range of devices and services to connect to a global, interoperable network. The lack of gating functions, however, has potentially created a systemic risk to the resiliency of the internet.
Additionally, the global nature of the supply chain for such devices requires attention not just to the final product integrator’s practices, but also to those of suppliers throughout the manufacturing process. In the recent Mirai botnet, researchers have identified a single software supplier as responsible for vulnerabilities in a wide range of manufacturers’ products, with Flashpoint concluding that over 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software. Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support. And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics. Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur.