Modern field guide to security and privacy
Malware-infected devices took down the internet.
Mike Segar | Caption

What you need to know about the botnet that broke the internet

Why security experts are worried about Mirai – the software attackers use to create malicious networks out of ordinary connected devices – and how you can protect yourself. 

A wave of cyberattacks against a core internet service provider last week caused disruptions at major websites and marked the third time in the past month that criminals used a network of malware-infected devices to cause havoc.

The botnet known as Mirai has garnered considerable attention from the security community because it is the first comprised entirely of ordinary internet-connected home products such as your digital video recorder and web cameras. 

Many experts see it as a harbinger of a new trend where malicious hackers could take advantage of security weaknesses in these so-called Internet of Things (IoT) devices to quickly build vast networks of zombie home machines – or botnets – for launching different kinds of attacks.

In last week's attack, for instance, hackers used the Mirai botnet to direct huge volumes of useless traffic at the internet performance firm Dyn. The distributed denial of service, or DDoS, attack caused critical systems to become overloaded – and created big problems for Netflix, Spotify, Amazon, Paypal and numerous others Dyn customers.

"Last week's unprecedented DDoS attacks are only a preview of what is yet to come," warns Jeremiah Grossman, chief of security strategy at SentinelOne. With more than 20 billion "things" that will be connected to the Internet by 2020, the volume of devices that can be used in these attacks will be staggering, Mr. Grossman says. "Left unprotected, they have the potential to take down significant parts of the Internet."

Here's what you need to know about botnets such as Mirai and why they are the source of such concern:

What, exactly, is Mirai?

Mirai is software that attackers use to build malicious networks from vulnerable IoT products. People can use it to constantly scan the internet for routers, DVRs, and other internet-connected products that are protected only by the generic usernames and passwords the products shipped with from the manufacturer. The software infects vulnerable systems and turns them into remotely controllable "bots" or machines that can be commandeered at will to do an attacker’s bidding.

A malware-infected fridge or webcam, for instance, could also give attackers a way to break into other devices in your home network like your PC.

How long has Mirai been around?

Mirai first surfaced in the days following a DDoS attack on the website of security blogger Brian Krebs in late September. The attack generated more than 600 gigabits of traffic per second, which was larger by several magnitudes than anything ever seen on the Internet till that point.

It was the first known instance where someone had used an IoT botnet to launch an attack of this scale. Mr. Krebs says that an analysis of the attack shows that tens of thousands of compromised home routers, DVRs, and IP cameras were used to launch the attack against his site. The attack on Krebs was quickly followed by an even larger 1 terabit per second attack on a French Internet Service Provider.

Shortly after the attacks, a cybercriminal using the handle "Anna-senpai" publicly released the code that was used to build the botnet. As Mr. Krebs noted at the time, the move virtually guarantees "that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices."

Is Mirai the only IoT botnet threat?

Hardly. Mirai is one of at least two known malware families that are being used to assemble IoT based botnets, Mr. Krebs says. The other is called "Bashlight" and functions very much like Mirai. More than 1 million IoT devices are already believed infected with Bashlight, which means that those systems can be used any time to launch attacks like the ones on Dyn and Krebs. 

Both of these are just early examples of software designed to take advantage of vulnerable IoT products. Attackers can build similar tools to take advantage of them in myriad other ways.  

What makes the IoT threat so scary?

At least for the moment, IoT botnets are a lot easier to assemble than botnets compromised of malware-infected personal computers.  

Typically, criminals looking to build a botnet have to find a way to infect tens of thousands of PCs with malware. In order to do this, they first have to send spam emails or phishing emails with malicious attachments, find a way to get past antivirus and antimalware tools and hope that enough recipients click on the attachments so their systems are infected.

In contrast, IoT devices are far easier to break into. And criminals can build much bigger botnets simply because of the larger number of devices that are available to exploit.

A vast majority of ordinary home products connected to the Internet are protected only with stock passwords. Security firm ESET along with the National Cyber Security Alliance recently surveyed about 1,530 US consumers on their use of IoT products.

Nearly 80 percent had seven or more devices connected to their home router but only 30 percent had changed the password from the factory default before connecting it to the Internet. Another 20 percent couldn’t remember of they had.

To find vulnerable IoT devices, all an attacker needs to do is use an internet scanning tool, like Shodan, to search for specific IoT products and see which ones of them use a default username and password, says Justin Harvey, security consultant to internet traffic monitoring firm Gigamon.

"What makes them even more dangerous, is that many use a protocol to 'announce' themselves to their home network," Mr. Harvey says. The products then request the home router – often without your knowledge – to open up a door in the router so the device is accessible from the web.

What are manufacturers doing?

Not much, unfortunately, at least so far. Hardware makers rushing to get products out the door have paid far less attention to ensuring their technologies can’t be misused than software makers. Few products for example are designed for easy patching or security updates against a known security issue.

Many consumers are already uneasy with the trend. More than 40 percent of Americans in the ESET survey said they were not confident that their IoT devices were safe. More than half said they were discouraged from buying such systems because of cybersecurity concerns

"Mirai must become the wake up call for the hardware industry," says Michael Sutton, chief information security officer at ZScaler. "Hardware vendors simply haven't been forced to climb the security learning curve the way that software vendors were forced to. That's about to change."

What can consumers do? 

Simply changing the default username and password on the devices you connect to the Internet can go a long way in reducing exposure. Figuring out how to do it, though, can be a little trickier than changing the password on your bank accounts or social media accounts, admits Stephen Cobb, senior security researcher at ESET.

"In some cases, firmware needs to be updated, which can be a very different process from a software update," Mr. Cobb says. "Often you have to go looking for router and home device updates – they are not routinely pushed to you the way that Microsoft and Apple push Windows or Mac OS updates."

You can also use this IoT Scanner from security vendor BullGuard to quickly check if the connected devices in your home are publicly exposed on Shodan.

What can policymakers do? 

The Mirai attacks have stirred talk about the need for regulations that would hold IoT device makers more accountable for securing their products. The attacks this week prompted Sen. Mark Warner (D) of Virginia to send a detailed questionnaire to the chairman of the Federal Communication Commission, Tom Wheeler seeking information on the tools that are available and need to be developed for protecting consumer IoT devices from mass compromise. Among the questions is one that inquires about the feasibility of ISPs simply denying network access to insecure and improperly secured IoT products.