A couple of weeks ago we saw the largest Distributed Denial of Service (DDoS) attack in history. The attack surpassed 660 Gbps of traffic, crippling the website of well-known cybersecurity journalist Brian Krebs, who has a long history of exposing DDoS attackers. However, there was something new about this particular attack that sets it apart from anything we’ve seen before: the hackers used a network of millions of connected IoT devices, and they’ve just released the malware online for anyone to use.
There have been concerns surrounding the security of connected IoT devices for some time now, and the increasingly widespread use of the technology, forecast to reach 50 billion units worldwide by 2020, has created something of a powder keg. The keg blew up when the hackers used two networks (or botnets) of around 980,000 and 500,000 devices, mostly IoT-ready cameras, to connect to Krebs’ website, repeatedly hitting the site with requests and forcing it offline.
The story took another twist at the weekend as the malware used for this DDoS attack was posted online on Hackforums, an online community for criminal hackers, by a user called “Anna-senpai”. “Mirai”, as it is dubbed, is designed to infect IoT devices whose default usernames and passwords have never been changed, a surprisingly common occurrence given the poor security of IoT products like webcams, smart refrigerators, and other connected home appliances. After the devices have been infected, the ‘zombies’ can be controlled from a central server and used to carry out DDoS attacks.
The move to dump the malware online for free access may sound like an unusual one at first. After all, these botnets can be a big source of income for criminal hackers all over the world, as they are often hired out to third parties to carry out attacks. However, Krebs himself believes it to be an attempt by the hackers to cover their tracks: “Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants,” he writes.
Although this attack has subsided and Brian Krebs can now get back to his work, there is certainly a worry that this DDoS attack has set a precedent for the future. With the adoption of IoT devices set to skyrocket in the coming years, a flaw as fatal as the one demonstrated here means that the industry has a long way to go in matching security to the technological advances.