Chinese-made DVR and IP cameras may have been easily infected with malware, then enslaved in a botnet to take down a good chunk of the internet.
A Mirai botnet was behind a massive Internet outage that took down Twitter, Reddit, The New York Times, PayPal and other major websites, according to security firm Flashpoint.
The Mirai malware targets Internet of Things (IoT) devices such as routers, digital video recorders, and webcams/security cameras. These devices are then enslaved into a botnet to launch distributed denial of service (DDoS) attacks.
In the case of last week’s Internet outage, the botnet launched DDoS attacks against Dyn’s DNS service from tens of millions of IP addresses.
Experts fear that more large and vicious botnet attacks are on the way due to the tens of millions of IoT devices with compromised security, and the publication online of the open-source code for the Mirai malware.
Flashpoint said that some of the devices used in the Dyn DNS attacks are DVRs, and said it was coordinating with multiple vendors and law enforcement to identify the infected devices used in the botnet.
Brian Krebs, a popular security blogger whose site was attacked by a botnet in September, went a step further and noted that the hacked IoT devices mainly included DVRs and IP cameras made by Chinese hi-tech company XiongMai Technologies.
Update — 10.24 at 12:14 p.m.: XiongMai has announced a recall of some of its devices, has indicated that most of the problem occurs with users not changing default passwords, and has threatened legal action against publications that blame its technology.
What can be done?
“With a rapidly increasing market for [IoT] devices and little attention being paid to security, the threat from these botnets is growing,” Level 3 Communications reported in September.
“The devices are often operated with the default passwords, which are simple for bot herders to guess,” Level 3 stated. “From the source code it has been found that Mirai’s scanning protocol utilizes a list of generic and device-specific credentials to gain access to susceptible devices.”
Level 3 said IoT manufacturers should disable unused services, such as telnet, and require users to set passwords after installation. “Consumers can improve their security as well by changing default passwords and following security best practices,” the firm stated.
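The scanning behaviour Level 3 describes, a single source working through a list of usernames over telnet until one succeeds, leaves a recognisable trace in device logs. The following is an added example of defender-side detection, not code from the article, Level 3 or Flashpoint: the log format, hostnames and addresses are constructed, and the time window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style telnet login records from an IoT gateway.
# The format, hostnames and addresses are assumptions for this example.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z dvr-01 telnetd: login user=root from=198.51.100.7 result=FAIL
2016-10-21T11:10:02Z dvr-01 telnetd: login user=admin from=198.51.100.7 result=FAIL
2016-10-21T11:10:03Z dvr-01 telnetd: login user=support from=198.51.100.7 result=FAIL
2016-10-21T11:10:04Z dvr-01 telnetd: login user=root from=198.51.100.7 result=OK
2016-10-21T11:15:30Z cam-02 telnetd: login user=operator from=192.0.2.10 result=OK
2016-10-21T11:20:00Z cam-03 telnetd: login user=root from=198.51.100.7 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login user=(?P<user>\S+) "
    r"from=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def find_credential_scans(log, window=timedelta(minutes=5), min_users=3):
    """Flag sources that tried at least `min_users` distinct usernames within
    `window` (the credential-list pattern) and list hosts they logged into."""
    by_src = defaultdict(list)
    for rec in parse(log):
        by_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):  # sliding window from each record
            hits = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            users = {r["user"] for r in hits}
            if len(users) >= min_users:
                logins = sorted({r["host"] for r in hits if r["result"] == "OK"})
                findings[src] = {"usernames_tried": len(users), "logins": logins}
                break
    return findings


def telnet_enabled_hosts(log):
    """Hosts that answer telnet logins at all, i.e. telnet was not disabled."""
    return sorted({rec["host"] for rec in parse(log)})
```

Any host in the second list still exposes the service Level 3 recommends disabling; a source in the first list with a non-empty `logins` entry is a device whose credentials should be treated as guessed.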
Krebs, however, said on his blog that many of the mass-produced IoT devices are “essentially unfixable” and “will remain a danger to others unless and until they are completely unplugged from the Internet.”