Is the Mirai Bot a Sign of The Times or Things to Come?
On 21 October 2016, arguably the most significant Internet cyber attack in history occurred. Big sites like Twitter and Netflix suddenly weren’t working. Dyn, which handles DNS routing for some of the world’s best-known Internet companies, had been hit by a Distributed Denial of Service (DDoS) attack, and this attack effectively crashed large parts of the Internet.
We all love the Internet, and this passion for all things connected is not just about our desktop computers anymore; it’s now about gadgets. Internet-connected gadgets, otherwise known as the Internet of Things (IoT), are such a major movement that analysts IHS are predicting there will be 75.4 billion IoT devices globally by 2025; that’s 10 devices for every person on the planet today. This is a tidal wave, an onslaught, a tsunami of Internet-connected devices that are integral to our everyday lives and enhance our working environments. The Internet is now truly ubiquitous.
It seems natural for the IoT to have come about. Human beings have always strived for better technology to make our lives easier. But this foray into connecting up all of our dots across the planet has its dark side too. The fact is, technology vendors, across almost any area you can think of, have scrambled to join the IoT revolution. In rushing out IoT devices, some design flaws have crept in, and one such issue is the security of the device itself. The October DDoS attack on Dyn was not just significant in its impact, but also in its origin — the IoT.
The Internet of Insecure Things and How Mirai Came to Pass
A DDoS attack uses large numbers of malware-infected computers (known as ‘bots’) to inundate a website with spoof traffic until the site can no longer operate. Usually, the bots are infected laptops and desktops. The Dyn DDoS attack was different because instead of originating from a standard PC, this time the DDoS malware infected devices that were part of the Internet of Things. The malicious software used to create an Internet of Bots or a ‘botnet’ was called Mirai.
Mirai is a type of malware which, once installed on a computer, or in this case an IoT device, can take over that device, forcing it to perform certain actions, like pinging a Dyn DNS server. When analyzed by Incapsula, the Mirai malware was found on almost 50,000 global devices. Since then, estimates for infected IoT devices have been as high as 100,000+. These devices were traced mainly to Internet-connected CCTV cameras, but also to DVRs and routers.
Cameras seem to be the main offending device in this scenario, and this is borne out in a report by Protection1, which found that hundreds of public Internet-connected cameras were unsecured, 27% of them broadcasting from places where transactions took place. In the case of the Mirai malware, the software ran a continuous scan of Internet-connected devices, looking for factory-set passwords, as many IoT devices have default passwords set during manufacture. Pre-defined passwords allow manufacturers to more easily update the firmware. The problem is, these default passwords are often easily brute-forced. Once Mirai located a vulnerable device, it could brute-force an infection.
Cybercriminals have turned their beady eyes to the IoT because it makes the perfect distributed attack surface — we could not have designed a better framework for a DDoS attack tool. The fact that this attack surface comes with preconfigured poor security is just a bonus.
The main criticism of IoT security has also been the simplest: poor password policy. The IoT devices that were hijacked for the Mirai Dyn attack were used because they had failed security 101 and used easily guessable passwords.
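The scan-and-guess behaviour described above leaves a recognisable trace on the defender's side: one source failing logins against many different devices in a short time. The following is an added example, not code from the original article; the log format, device names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption):
# time, source address, target device, username, result
SAMPLE_LOG = """\
2024-01-15T11:00:01 203.0.113.7 cam-01 root FAIL
2024-01-15T11:00:03 203.0.113.7 cam-02 admin FAIL
2024-01-15T11:00:04 198.51.100.20 dvr-01 operator FAIL
2024-01-15T11:00:06 203.0.113.7 dvr-01 root FAIL
2024-01-15T11:00:09 203.0.113.7 router-01 admin OK
2024-01-15T11:20:00 198.51.100.20 dvr-01 operator FAIL
2024-01-15T11:40:00 198.51.100.20 dvr-01 operator OK
"""

def parse(line):
    ts, src, device, user, result = line.split()
    return datetime.fromisoformat(ts), src, device, user, result

def find_scanners(log_text, min_devices=3, window=timedelta(seconds=60)):
    """Return {source: sorted devices} for sources whose failed logins hit
    at least min_devices distinct devices inside one sliding window."""
    recent = defaultdict(deque)  # source -> (time, device) failures in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, device, _user, result = parse(line)
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, device))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= min_devices:
            flagged.setdefault(src, set()).update(devices)
    return {s: sorted(d) for s, d in flagged.items()}

def compromised_after_scan(log_text, scanners):
    """Successful logins from flagged sources: devices to isolate and reset."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            _ts, src, device, user, result = parse(line)
            if result == "OK" and src in scanners:
                hits.append((src, device, user))
    return hits

if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    print(scanners, compromised_after_scan(SAMPLE_LOG, scanners))
```

A single user mistyping a password on one device (the second source in the sample) is not flagged, because the rule counts distinct devices rather than raw failures.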
Is the IoT a Gift for Cybercriminals?
The increasingly ubiquitous nature of the IoT is creating a platform for distributed cyber attacks. One of the more worrying aspects of cyber security as a whole is the advent of easier hacking in the form of ‘cybercrime-as-a-service’. Malware, like Mirai, is now available to rent. A kid in their basement could feasibly rent out a botnet service and take down a website.
Mirai-like DDoS attacks against our favorite internet sites are a worry, but much worse is the threat to our critical infrastructures. Industry usage of IoT-based control units, like supervisory control and data acquisition (SCADA), is expected to be worth around $33 billion by 2020. And healthcare is embracing the IoT, with estimates of 650 million IoT devices being used in healthcare by 2020. If DDoS attacks are focused on critical infrastructures, the end results will be much worse than not being able to Tweet.
Tips to Stop You Being a Victim of Mirai – IoT Device Security
Some tips to help prevent your IoT device being infected by Mirai or similar malware include:
- Research your purchase; check to see if the device has known issues.
- If allowed, change the default password on your device.
- If allowed, make sure you patch the device firmware (this isn’t always easy to do or even possible).
There is a view, shared by myself, that the Mirai DDoS attack of last year was just cybercriminals playing with us. They used the Dyn DNS servers as their playground, testing out the technology and seeing how far they could go. Their next major attack may well be against our energy sector or a major hospital. IoT devices have been pushed out into a marketplace without due diligence around security design. Before we go any further, steps need to be taken by manufacturers to, at the very least, use robust password policies. Groups like OWASP and GSMA offer advisories and frameworks for manufacturers to apply best practice security to their devices. Manufacturers will hopefully listen to this advice.
Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.