Mirai's Role in DDoS Attack Casts Shadow on IoT

Mirai’s Role in DDoS Attack Casts Shadow on IoT

Today's distributed denial-of-service attack on Dyn servers that brought down popular websites was powered in part by Internet of Things devices infected by Mirai malware.

Written by Tom Kaneshige
22nd October 2016

In Japanese, the name “Mirai” means “the future.” It’s also the name of a malware that has infected some half-million Internet of Things devices, potentially turning them into a massive botnet. Today, the future smashed into the Internet.

Dave Allen, general counsel at Dyn, a domain name system company, told the New York Times that Mirai played a role in today’s distributed denial-of-service attack on Dyn. Traffic coming from tens of millions of IP addresses, including IoT devices such as surveillance cameras and home routers, flooded Dyn servers and brought down popular websites.

Netflix, Twitter, Spotify, Airbnb, Github, among others, suffered outages at various times of the day.

Today’s troubles, however, were foreshadowed earlier this month when a hacker published the Mirai source code. Security researches say the malicious code isn’t particularly sophisticated but doesn’t have to be, given weak default logins and passwords of simple IoT devices. Last week, Level 3, an internet service provider, reported 493,000 devices had been infected with Mirai malware.

“All the code needed was 61 different combinations of username and passwords to create this giant botnet,” Chase Cunningham, PhD, a former U.S. Navy chief cryptologic technician who supported U.S. Special Forces and Navy Seals in Iraq, told Internet of Things Institute earlier this month. “It just takes seconds to grab a device and use it for botnet or DDoS.”

Cunningham ran a query with some code looking for devices that identify themselves as “IoT.” He says he found 3,551 devices just “sitting for somebody waiting to tell them what to do.”

Apparently, someone told them what to do today. Speaking on a livestream, Dale Drew, chief security officer at Level 3, says he found evidence that roughly 10 percent of all devices infected by Mirai were being used to attack Dyn’s servers.

Even worse, Mirai portends a darker future. If Cisco’s prediction comes to pass — a world where 50 billion things will be connected to the Internet by the year 2020 — and hackers can seize control so that many devices mindlessly do their bidding, then we’ll be living in a new kind of zombie apocalypse.

“I have this running joke that I tell people: It is like being in a zombie marathon,” Cunningham says.

A distributed denial-of-service attack is only one action a hacker of IoT devices can take. Cunningham worries about power grids and other critical infrastructure being compromised. If a water treatment plant is using an automated IoT-enabled chemical induction system, he says, someone may be able to hack into it and dump chlorine and other chemicals into the water to sicken citizens.

“Unfortunately, pain is the greatest teacher there is,” Cunningham says. “Until we really feel some sort of physical or financial or societal pain from this IoT security issue, it is not going to be anything other than a line item on a budget.”

Additional reporting by Brian Buntz.