The massive distributed denial of service (DDoS) attack that cut consumers off from their favorite web haunts recently was the loudest warning yet that cyber criminals can be expected to take full advantage of gaping security flaws attendant to the Internet of Things (IoT).
For much of the day, on Friday, Oct. 21, it was not possible for most internet users to consistently access Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal.
Using malware, dubbed Mirai, an attacker had assembled a sprawling network of thousands of hacked CCTV video cameras and digital video recorders, then directed this IoT botnet to swamp the marquee web properties with waves of nuisance pings, thus blocking out legitimate visitors.
Mirai is designed to take over devices running BusyBox, the lightweight set of Unix utilities widely used on IoT devices. The source code for Mirai has been published online and is free for anyone to use. ThirdCertainty asked Justin Harvey, security consultant at Gigamon, and John Wu, CEO of security startup Gryphon, to flesh out the wider context and discuss the implications. The text has been edited for clarity and length:
ThirdCertainty: Why do you think these attackers went after BusyBox systems?
Wu: Because BusyBox is lightweight; it’s used on most IoT devices that have limited memory and processing. BusyBox is a utility with lots of useful commands.
Harvey: BusyBox is very standardized. It is highly used in the field, and it also runs Linux, so the internals are very straightforward and easy to duplicate in testing systems.
3C: How did the attacker locate so many vulnerable devices?
Wu: Standard IP scanning would identify the devices, and then the attacker could use the admin interface to install the malware. These devices had weak default passwords that allowed hackers to install Mirai.
Harvey: Cross mapping manufacturers with types of devices. Then using the website Shodan to get a list of open devices. Once they had the list of devices, they could create a massively parallel script to step through each and determine whether they used the version of the OS they wanted.
3C: How many devices did they need to control to carry out three waves of attacks over the course of 12 hours?
Harvey: 300,000 to 500,000.
Wu: Probably a few hundred thousand devices. Because it’s distributed, there is no way to simply block all the IP addresses.
3C: Are there a lot of vulnerable devices still out there, ripe for attack?
Harvey: Yes! Shodan specializes in noting which devices are out there and which are open to the world. The devices used in this attack were but a small fraction of open or insecure IoT devices.
Wu: We don’t know exactly how many devices are still out there as sleeper bots. Mirai also is actively recruiting new bots. From what I understand, these IoT devices had open channels, and the users had practiced poor password protection for root access to install additional components.
3C: What do you expect attackers to focus on next?
Wu: I would expect the attacks to get larger and more sophisticated. Mirai also is working in the background to recruit more devices. The next attack may not be as public because they’ve already shown what the botnet network is capable of.
3C: What should individual consumers be most concerned about at this point?
Harvey: Consumers need better education on changing the default access and security controls of their IoT devices. Manufacturers need to take security seriously. Period. Congress needs to step in, conduct some hearings on IoT issues and perhaps regulate these devices.
Wu: Consumers need to be concerned if their device is one of the devices already compromised or at risk of being compromised. They should contact the manufacturer to ask if a security patch is available. A simple solution would be to take the device offline, if it’s something you can live without.
3C: What is the most important thing company decision-makers need to understand?
Wu: If you are dependent on the internet for your revenue and business, you should be planning alternative communication channels. If DNS is critical to your business, you should look at backups to just one service provider. Let people know that, if email is down, you can still get business done over the phone.
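The single-provider DNS risk Wu raises can be checked before an outage. The following is an added example, not code from the article or from either interviewee: given a zone's NS hostnames and their addresses (constructed sample data here), it reports whether the zone would survive the loss of one operator or one network. Operator attribution by parent domain is an assumption, as is the /24 and /48 "same network" heuristic.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Added example, not code from the ThirdCertainty article. Given a zone's NS
# hostnames and their addresses, report how many independent operators and
# networks serve it, so a single-provider dependency is visible in advance.

def provider_of(ns_host: str) -> str:
    """Approximate a nameserver's operator by its parent domain.
    Assumption: a two-label suffix (adjust for suffixes like co.uk)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def dns_diversity(ns_records: dict) -> dict:
    """ns_records maps NS hostname -> list of its IP addresses."""
    providers = defaultdict(list)
    networks = set()
    for host, addrs in ns_records.items():
        providers[provider_of(host)].append(host)
        for addr in addrs:
            ip = ip_address(addr)
            prefix = 24 if ip.version == 4 else 48   # coarse "same network" test
            networks.add(str(ip_network(f"{addr}/{prefix}", strict=False)))
    return {
        "providers": dict(providers),
        "provider_count": len(providers),
        "network_count": len(networks),
        # one operator or one network is a single point of failure for the zone
        "single_point_of_failure": len(providers) < 2 or len(networks) < 2,
    }

# Constructed sample: every nameserver belongs to one operator, one /24
SINGLE_PROVIDER = {
    "ns1.dns-provider-a.example": ["203.0.113.10"],
    "ns2.dns-provider-a.example": ["203.0.113.11"],
}
# Constructed sample: a second operator added on separate networks
TWO_PROVIDERS = {
    **SINGLE_PROVIDER,
    "ns1.dns-provider-b.example": ["198.51.100.20"],
    "ns2.dns-provider-b.example": ["2001:db8:1::20"],
}

if __name__ == "__main__":
    for label, recs in (("single", SINGLE_PROVIDER), ("dual", TWO_PROVIDERS)):
        print(label, dns_diversity(recs))
```

Real NS data comes from `dig NS yourzone` (or your registrar); feed those hostnames and glue addresses in place of the constructed dictionaries.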
Harvey: Businesses need to understand the implications of running IoT devices within their companies and question the business need for using IoT devices versus the convenience.
This article originally appeared on ThirdCertainty.