Each quarter the Akamai team delves into the volumes of data that we have at our disposal. Every time we do so we find something new and exciting, and this last quarter was by no means an exception. You might have heard of a little botnet called Mirai that set the Internet on its ear during the month of October.
What sets Mirai botnet apart from the myriad of other attack platforms that are wreaking havoc across the wilds of the Internet, is that this one was built on compromised Internet of Things (IoT) devices. In previous talks that I have delivered, I would often joke about the possibility of my coffee maker, refrigerator and DVR launching attacks. Little did I realize that the truth of that pun would come to fruition in such short order.
In October 2016, we saw the proverbial table flip happen - attackers managed to enlist the services of unwitting participants from the Internet of Things. The Mirai botnet announced itself to the denizens of the web in a large way when it was used as part of a massive attack against the company, DYN. As a result of the attack DNS services were disrupted for many businesses.
Now, while the headlines were dripping with hyperbole about the rise of the coffee machines, the lede was buried. The miss was in the fact that none of this needed to be this way at all. There was no good reason that the Mirai botnet should have come into being. There was an error in judgement on creators of the aforementioned devices wherein security was overlooked.
One part of the code, which the attackers released, had over 60 different username and password combinations that were default credentials for various IoT related devices. Using telnet to connect to these devices that were inexplicably accessible online, the credentials lead to compromise. Thousands of attack nodes later and I can't help but to wonder why this was even possible. Programmatically it isn't a difficult task to force a password change on initial login. But, here we find literally thousands of devices that were susceptible to a basic security failing.
This is one of the more frustrating aspects of IoT in general. Don't get me wrong, it has all sorts of benefits to be certain. The problem is found in the fact that security is often overlooked in the race to get consumer products into the hands of customers as fast as possible. The great IoT gold rush is on. We collectively need to ensure that security is integrated into the SDLC of all IoT devices so that we do not find ourselves in the crosshairs of a horde of savage barbarian...toasters. Um, yeah.
The third quarter State of the Internet / Security Report, which is set to be released on November 15, will tackle these stories and others that popped up in this recent quarter of 2016. While there is a level of jocularity at play here we need to be cognizant of the fact that security cannot be given mere lip service. We saw the damage that can be caused this past October 23rd when Mirai and other platforms attacked.
Until we can get a better grasp on the security of IoT devices, we need to ensure that our websites are well protected. This is especially true when you consider that Black Friday is just weeks away.