
Source Code for IoT Botnet "Mirai" Released: Expert comment

October 2016 by Stephen Gates, chief research intelligence analyst at NSFOCUS

The source code that powers the IoT botnet "Mirai" responsible for launching the DDoS attack against KrebsOnSecurity last month has been publicly released by Hackforums.

Mirai spreads to vulnerable devices by continuously scanning the Internet
for IoT systems protected by factory default or hard-coded usernames and
passwords. This virtually guarantees that the Internet will soon be flooded
with attacks from many new botnets powered by insecure routers, IP cameras,
digital video recorders and other easily hackable devices.

Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS, comments:

"Why do many IoT devices use default passwords? Simple, when
manufacturers build this type of technology they make it as “user-friendly”
as possible. Just plug it in and often it works. The real intention of
the decision to ship every device with the same username/password is
primarily designed to reduce customer support calls; which costs
manufacturers money. Most of these IoT devices ship with the username of
“admin” and the password is the word “password”. Simply entering
admin/password gets you in. Some vendors may use different default
combinations, but once you know what vendor does what, it’s easy from
there. If people don’t change the password when the device is installed,
it will continue to use the factory default of “password” in many cases.

The solution to this is simple. Manufacturers must do a better job of
either ensuring that each device has a unique default password, or they
must force users to change the password once the default is entered, when
the device is first installed. One way of ensuring that each device has a
unique password is to etch the devices’ default username and password on
the unit itself. Even if a user did not change the default password, a
hacker would have to gain physical access to the unit to determine its
default username/password combination. This would go a long way to
solving that problem if every device shipped with a different combination
of login credentials.

If this problem is not solved on a global scale, Mr. Krebs is correct.
Soon we may see DDoS attacks that are capable of taking down major portions
of the Internet, as well as causing brownouts, creating intolerable
latency, or making the Internet unusable. This is all collateral damage
caused by a failure of good judgement by using the same factory default
passwords on IoT devices in the first place."

