Mirai attack on German routers presages global cyber threat

Experts weigh in on security failures of Internet of Things heading into new year


The latest signal that we are experiencing the early stages of the weaponization of the Internet of Things unfolded last month in Europe, drawing scant attention here in the United States.

On Nov. 28, an attacker managed to infect nearly 1 million home routers used to access Deutsche Telekom’s internet service, disrupting web access for some 5 percent of the customers of Germany’s largest telecom company.

The malware the attacker used was from the “Mirai” family of hacking code. Security researchers only recently discovered Mirai circulating in the internet wilds. Mirai is distinctive in that it is designed specifically to locate IoT devices and then execute a self-spreading routine. Mirai’s core purpose is to rapidly put tens of thousands of infected devices under the control of one attacker.


That attack on Deutsche Telekom was the second major Mirai-fueled disruption in less than a month. On Friday, Oct. 21, someone used a variant of Mirai to take control of hundreds of thousands of webcams, digital video recorders and home routers, then directed those devices to bombard domain name provider Dyn with nuisance requests, clogging up Dyn’s systems and causing it to crash.

That classic distributed denial-of-service (DDoS) attack against Dyn stood out because infected IoT devices were used to inundate the company with a record 1.2 terabytes per second of nuisance signals, twice the volume of any previously monitored DDoS attack. And since Dyn routes traffic to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal, those popular websites were offline for some 12 hours, frustrating millions.

Clearly, consumers and companies ought to brace themselves for accelerated use of infected IoT devices to carry out all manner of malicious activity in 2017. ThirdCertainty convened a panel of experts to put the latest such attack into a wider context. Here’s what they had to say:


Cesare Garlati, chief security strategist, prpl Foundation: It’s not surprising that this happened to Deutsche Telekom. Most home gateways are insecure. The problem was that the manufacturer updated its box from previous versions and left a service normally reserved for carrier use wide open to the internet.

Luckily, Deutsche Telekom was able to patch the issue, exactly the right thing to do. In the future, I hope we see carriers considering manufacturers with higher security standards, such as those outlined in our Security Guidance for Critical Areas of Embedded Computing document. And tips to make it more difficult for attackers to target IoT devices in the home can be found in our Smart Home Security Report.


Jonathan Sander, vice president of product strategy, Lieberman Software: Security pros have warned about millions of insecure home routers for years. What has changed is the arrival of the Mirai exploit targeting these routers and other IoT devices. Mirai is to IoT attacks what the assembly line was to the industrial revolution. We should expect to see bad guys manufacturing attack after attack with it.

In the Deutsche Telekom case, the attacker may have set up Mirai incorrectly. But not every attacker will get Mirai wrong and save the day for them. And those years of unheeded warnings about the poor security of IoT mean most vendors are way behind the problem.

The good news is the solutions aren’t hard to figure out. They must automate the software updates to the devices, provide a means to set better defaults and manage the device passwords. But the scale and complexity for those solutions may make it costly. Companies face the classic choice about spending on good security. It’s hard to sell the benefit of something people don’t notice, even if the risk is something that they will notice when it causes them a lot of pain.


Rod Schultz, vice president of product, Rubicon Labs: With this attack and with Mirai you are beginning to see the dangers with ‘break once, break everywhere’ technology. You have an ecosystem of routers that are hosted by Deutsche Telekom that have little digital diversity—same hardware, same software. An exploit on one router works on all routers, so there is a cascading effect that brings down the network.

Management of devices is simpler when they are all the same, but that simplification also can be leveraged by attackers to compromise the system. To be clear, this is not a simple problem to fix, and that security challenge is going to be exploited by attackers for many years to come.


Brad Bussie, director of product management, STEALTHbits Technologies: The Internet of Things will pose the biggest security threat in 2017. IoT devices were not created with ‘security first’ and will represent significant targets for nation states as well as criminal hackers due to known and emerging vulnerabilities.

