The Mirai botnet: Criminals are turning the ‘internet of things’ against us
Where were you on October 21? If you can remember, make a note in your diary, because it’s one of those dates your kids will ask about in the future. The date will go down in history as the day that Netflix was taken offline by a bunch of “smart” webcams that rose up and turned on their human masters.
And not just Netflix: Reddit, Spotify, PayPal, the PlayStation Network, Pinterest, GitHub and Twitter were also targeted. What did you do that fateful Friday without your 140 characters or less, mummy?
It may sound flippant, especially while the universities resound to the ring of rubber bullets and the finance minister is being threatened with handcuffs, but the ramifications of that massive internet outage will — hopefully — shape much of the way that all future technology is developed.
In its own way, this event could change the world.
All those sites and many others were caught up in a huge, targeted online attack carried out by an unknown criminal entity that called upon the computing power of tens of thousands of devices to cripple a big chunk of the internet.
How it happened, and why it will almost certainly happen again, is a lesson that should be taught in the primary schools of the future as a warning against the hubris of technologists and the foolishness of not changing the default password.
Dishing the DDoS
Friday’s events were fairly straightforward. The specific type of attack used is known as a “Distributed Denial of Service” (DDoS) attack, a type that is incredibly common and has been around for years.
A DDoS attack is simple and brutal: it’s an attempt to overwhelm an internet-facing server with nonsense traffic. If a server is set up to deal with so many thousands of requests over the internet per minute and is suddenly trying to respond to millions or tens of millions, it may freeze up in the same way that any desktop machine will if faced with more tasks than it can cope with.
To initiate a DDoS attack, the criminal usually draws on the power of a “botnet”. This is a lot of internet-connected computers which have been infected by a virus or other forms of malware, which allows a third party other than — and without the knowledge of — their owners to issue commands.
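The two paragraphs above describe the attack from the attacker's side; from the server operator's side, the first sign is usually the request rate itself. The following is an added example, not code from the article or from any of the companies it names: it parses constructed web-server access-log lines (Common Log Format, with RFC 5737 documentation addresses), counts requests per second, and flags seconds that exceed an assumed capacity threshold, distinguishing a burst spread across many source addresses (the botnet pattern described above) from one noisy client. The thresholds are assumptions, not figures from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format prefix, e.g.
# 203.0.113.7 - - [21/Oct/2016:11:10:05 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client_ip, request) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("ip"), m.group("req")


def per_second_profile(lines):
    """Group requests into one-second buckets: {second: {client_ip: count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ts, ip, _ = parsed
        buckets[ts.replace(microsecond=0)][ip] += 1
    return buckets


def detect_floods(lines, rate_threshold=20, source_threshold=10):
    """Flag seconds whose request count exceeds what the server is sized for.

    rate_threshold: requests per second the server handles comfortably (assumed).
    source_threshold: distinct client IPs above which a burst is labelled
    'distributed' (many bots) rather than 'single-source' (one noisy client).
    """
    alerts = []
    for second, by_ip in sorted(per_second_profile(lines).items()):
        total = sum(by_ip.values())
        if total <= rate_threshold:
            continue
        kind = "distributed" if len(by_ip) >= source_threshold else "single-source"
        alerts.append({
            "second": second.isoformat(),
            "requests": total,
            "sources": len(by_ip),
            "kind": kind,
            "top_source": max(by_ip, key=by_ip.get),
        })
    return alerts


def build_sample_log():
    """Constructed log: quiet traffic, then a distributed burst, then a single-client burst."""
    base = datetime(2016, 10, 21, 11, 10, 0, tzinfo=timezone.utc)
    lines = []

    def emit(offset, ip, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    # Seconds 0-4: normal traffic, three requests from each of three clients.
    for sec in range(5):
        for i in range(3):
            emit(sec, f"198.51.100.{i + 1}", "/")
    # Second 5: 30 requests from 30 different addresses (botnet-style flood).
    for i in range(30):
        emit(5, f"203.0.113.{i + 1}", "/")
    # Second 6: 25 requests from one address (a single misbehaving client).
    for _ in range(25):
        emit(6, "192.0.2.9", "/login")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The distinction matters for the response: a single-source burst can be rate-limited or blocked at the firewall, whereas a distributed one has no single address to block, which is why the article's victims leaned on upstream scrubbing services such as Project Shield rather than on their own servers.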
George Conard of Jigsaw, a sister company to Google, is the product manager for Project Shield. This is a free service offered to news publishers to help them keep their sites online during DDoS attacks, increasingly deployed as tools of censorship. One of the first sites protected by Project Shield was the Kenyan Independent Electoral and Boundary Commission, repeatedly disrupted by DDoS attacks during elections.
Among the 200 or so other sites covered by Project Shield is Africa Uncensored, another Kenyan site repeatedly targeted for takedowns.
Conard says that the tools to launch a DDoS from a botnet are sold openly on the regular web, for a few dollars per thousand machines. Yet despite the exceptionally common nature and relative simplicity of DDoS attacks, they’re still little heard of or understood outside the tech community.
Beware the internet of things
The attack on Netflix et al was a DDoS attack, but instead of attacking individual websites or services, it was launched against servers belonging to a company called Dyn. Dyn is one of those firms you’ve never heard of that the internet can’t live without: its technology and servers are responsible for turning names like mg.co.za into machine-readable internet addresses like 18.104.22.168. It also provides infrastructure for speeding up sites and traffic for bandwidth-heavy clients.
Martin Walshaw of F5 Networks says that attacks on the internet’s infrastructure are increasingly common. “By doing this, hackers are able to disrupt a wider range of organisations that use the provider’s services.”
In a blog on the attack, Dyn’s chief strategy officer Kyle York said that while the company “practice[s] and prepare[s] for scenarios like these on a regular basis”, there were three separate waves of traffic that hit different parts of its infrastructure (the third was successfully repelled). He said the firm identified “tens of millions of discrete IP addresses” involved in the attack.
Dyn has determined that around 100 000 individual devices were involved, with traffic at the peak of the attack in the region of 1.2 terabits (1.2 trillion binary digits) per second (i.e. the entire capacity of the Seacom cable system that connects Africa to Europe and the Middle East).
What’s particularly terrifying is it’s the third such attack in as many weeks — that we know about. Just a month before, on September 21, the website of security researcher and journalist Brian Krebs was hit with an attack that peaked at 665 gigabits per second of traffic (about half of the total current capacity of the Seacom cable). Krebs, who investigates profit-seeking cybercriminals, was reportedly targeted for a story he wrote.
A few days later a hosting company in the US reported a DDoS that peaked at almost double that — more than a terabit of data per second.
What makes all three of these attacks novel is that the botnets called into action weren’t made up of compromised laptops, desktops and web servers. Instead they were made up, at least in part, of hundreds of thousands of connected CCTV cameras, domestic routers, digital video recorders and other devices which make up the “internet of things”.
For many years now technologists have eulogised the internet of things: SAP, an enterprise software company which develops IoT solutions, reckons that by the end of 2020 there’ll be 212 billion devices with internet connections to allow remote control and monitoring, a market worth €250-billion. Sensors, servers, traffic lights, webcams, drones: all talking to each other with minimal human interference, and there’s serious money to be made from them.
The problem is that a lot of the internet of things devices sold today aren’t very secure. They ship with default username and password combinations like “admin:admin”, which many users never change.
The best known of these botnets is powered by a malware called Mirai. It’s the software that created and controls the botnet that attacked Krebs, and was detected in the Dyn attack too. Mirai infects a host device and then replicates itself by searching the internet for other vulnerable devices. Then, by testing passwords against common usernames, it installs itself on that device and carries on the hunt.
After Mirai was used against Krebs, the author released the source code onto the internet. Anyone can download, modify and launch a Mirai clone into the wild just by grabbing it from the code-hosting site GitHub.
Analysing the code, Krebs came to the conclusion that Mirai was able to infect millions of devices using fewer than 70 username and password combinations. The good news is that Mirai doesn’t alter the storage of the device it infects — power-cycling a camera (turning it off and on again) is enough to “clean” it. The bad news is that even if owners change their passwords, some devices potentially remain vulnerable because they have a hidden “root” user that can’t be altered but can be reached remotely.
Several brands have been named as being vulnerable to Mirai, and one — Hangzhou Xiongmai — has issued a recall of cameras already. But really any IoT device that isn’t properly secured is just as much at risk of being co-opted into a botnet.
What about South Africa?
The relatively good news is that security firm Imperva has released a map of devices it knows for sure have been infected by Mirai and only 28 appear in South Africa (as opposed to hundreds of thousands in the US). Don’t take too much comfort from that, though. When my colleagues at technology website htxt.africa contacted local resellers of the branded cameras Krebs called out, none seemed aware of the attack, let alone had a plan to secure their wares in the future.
John Eigelaar of Keystone Electronic Solutions, a Centurion-based engineering firm that designs security systems for data centres and offices, says that he’s not surprised at the use of webcams and the low level of awareness. For professional installations, he recommends customers don’t connect cameras to the internet but set up a closed network for monitoring. If they must use the open internet, they should do so via an encrypted virtual private network (VPN).
Domestic or small business customers picking up a web-connected camera, printer or baby monitor from their favourite tech retail store may not have the awareness or know-how to do that. Furthermore, there’s almost no way of telling whether or not a device in your home has been compromised, although security company Bullguard has released an IoT Scanner which will search your network for vulnerable bits of kit. At the very least, if you do have connected hardware at home — be it a camera or a fridge or a modem — change any default passwords you’re still using today and reboot it.
Newer IoT devices should ship with unique passwords stuck to the bottom on a label, rather like the original network password for your WiFi router was (it’s worth pointing out here the user password is not the same as the network password — many routers are very insecure when it comes to the former). But there’s a lot of stuff out there either installed or languishing on retail shelves that’s as highly armoured as a Marie biscuit.
SAP’s senior vice-president and head of IoT strategy Dr Hans Jörg Stitz says that he doesn’t think the current spate of IoT-powered botnets will slow down the industry adoption of the technology, but he does think it’s something everyone involved needs to address in future work.
So what’s to be done with all those potentially infected or at risk devices already in the open? Over to Brian Krebs for the last word:
“In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.”