According to one estimate, 70 percent of all IoT devices contain at least one serious code flaw. So real is this threat that the US Federal Bureau of Investigation warns that IoT devices pose an opportunity for cyber crimes against both individuals and businesses.
By James Lee
Science fact and science fiction have a love/hate relationship. Count the number of times when the evil-doer hell-bent on humankind’s destruction is a computer or network. (Go ahead, I’ll wait, but it will take a while.) Fortunately, the ability to connect a random series of devices to launch a nuclear strike a ‘la Terminator is still fiction.
Having someone with the ability to take over more than one million webcams and DVRs to form a network with the sole purpose of creating chaos, now that’s science fact.
A Quick Recap
Ace cybersecurity journalist Brian Krebs attracts the ire of unknown attackers in mid-September. Said attackers construct a botnet of one million IoT devices, then launch the largest DDOS attack network security provider Akamai has seen – by a factor of 2x. All for the purpose of knocking Krebs’ website off the internet.
Two weeks later, the hacker responsible for creating the “Mirai” malware that allows the creation of botnets at scale, on the fly — releases the malicious code into the wild. Mirai – ironically Japanese for “the future” – uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices, according to the US-CERT.
A month after the attack on Krebs, CERT issues Alert (TA16-288A) with advice on how to mitigate Mirai’s effect on devices – disconnect, reboot, and change the password – and how to prevent devices from being enslaved in the future. (Or by “the future” as the case may be.)
Two days later, an even larger scale Mirai attack is directed at internet infrastructure company DYN, effectively shutting off access in parts of the US to major websites such as Amazon, Netflix, and Twitter.
Once again the culprit turns out to be a legion of consumer devices, including routers , DVRs and webcams according to security management firm Flashpoint.