When the botnet named Mirai first appeared in September, it announced its existence with dramatic flair. After flooding a prominent security journalist's website with traffic from zombie Internet of Things devices, it managed to make much of the internet unavailable for millions of people by overwhelming Dyn, a company that provides a significant portion of the US internet's backbone. Since then, the number attacks have only increased. What's increasingly clear is that Mirai is a powerfully disruptive force. What's increasingly not? How to stop it.
Mirai is a type of malware that automatically finds Internet of Things devices to infect and conscripts them into a botnet---a group of computing devices that can be centrally controlled. From there this IoT army can be used to mount distributed denial of service (DDoS) attacks in which a firehose of junk traffic floods a target's servers with malicious traffic. In just the past few weeks, Mirai disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK. This week, researchers published evidence that 80 models of Sony cameras are vulnerable to a Mirai takeover.
These attacks have been enabled both by the massive army of modems and webcams under Mirai's control, and the fact that a hacker known as "Anna-senpai" elected to open-source its code in September. While there's nothing particularly novel about Mirai's software, it has proven itself to be remarkably flexible and adaptable. As a result, hackers can develop different strains of Mirai that can take over new vulnerable IoT devices and increase the population (and compute power) Mirai botnets can draw on.
“It’s accelerating because there’s a wide-open, unprotected landscape that people can go to," says Chris Carlson, vice president of product management at Qualys. "It’s a gold rush to capture these devices for botnets."
The rise of Internet of Things malware is reminiscent of the viruses, worms, and intense email spam that plagued early internet users. Most PCs weren't adequately secured, and companies racing to join the dot-com bubble didn't necessarily understand the importance of internet security. The same is true now, but with webcams and routers instead of desktops.
What's distinctly different in this tech generation, though, is how users interact with infected devices. An infected PC often malfunctions, slows down, or notifies users (either through operating system security alerts or through the malware itself in the case of something like ransomware). All of this encourages people to act. It's standard practice to install some sort of security software on enterprise PCs, and anti-virus measures are popular at home as well.
IoT devices like routers, though, are workhorses that are meant to function indefinitely, with minimal direct user interaction. One reason Mirai is so difficult to contain is that it lurks on devices, and generally doesn't noticeably affect their performance. There's no reason the average user would ever think that their webcam---or more likely, a small business's---is potentially part of an active botnet. And even if it were, there's not much they could do about it, having no direct way to interface with the infected product.
“The early 2000s web security called and they want their lack of security back,” says Rick Holland, vice president of strategy at the cybersecurity defense firm Digital Shadows. "It’s not like this population of total vulnerable devices is going to be going down. It’s going to be increasing."
Mirai isn't the only IoT botnet out there. The broader insecurity issues of IoT devices are not easy to address, and leave billions of units vulnerable to all sorts of malware.
But Mirai is the main go-to for now because it's easily accessible and adjustable, with different strains for different campaigns. Holland says that Digital Shadows researchers have observed a growing community of Mirai users asking for help (even bad actors need tech support sometimes!) and offering each other tips and advice.
There are some precautions consumers can take to improve their personal IoT security. By assessing the IoT devices they have in their homes and eliminating superfluous "smart" products that directly access the internet for no reason, people can reduce their exposure to attack. Additionally, for devices that offer accessible interfaces, you can change default passwords and download firmware updates to get greater protection.
Mirai will ultimately be a "transient threat" in the broader landscape of IoT security, as a report published this week by the Institute of Critical Infrastructure Technology notes. Hackers get bored with shiny new toys just like anyone, and eventually the IoT industry will erode Mirai's vulnerable device population.
That's not going to happen in the near future, though. Mirai already has enough fodder to sustain it for years---and more susceptible products roll off of assembly lines every day. As the report adds, Mirai "has inspired a renaissance" in IoT vulnerability exploitation. In the meantime, expect more mayhem.
"Who knows what’s going to actually come up before the end of the year," Digital Shadows' Holland says. "Mirai is certainly not going away any time soon."
