Fancy running your own botnet, hijacking control of Internet of Things (IoT) devices such as internet-enabled CCTV cameras and routers to bombard websites with distributed denial-of-service attacks?
Well, it’s just been made that little bit easier for you, with the release of the source code of Mirai, a family of malware capable of rapidly recruiting an army of poorly-protected devices and then commanding to launch attacks.
Security blogger Brian Krebs reports:
The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.
Just such an attack knocked Krebs’ website offline at the end of last month with what is thought to have been one of the largest DDoS attacks ever seen, after he exposed information about the inner-workings of vDOS, a DDoS-for-hire service.
Millions of new IoT devices are being plugged into the net every day, and many of them will have weak security just waiting to be exploited by online criminals. The flaws can range from shipping with default passwords that users never bother to change, to weak or non-existent encryption, to no infrastructure for updating devices if a vulnerability is found at a later date.
As I explain in the video below, an internet of things which doesn’t treat security and privacy as a priority puts all of us at risk.