A Washington, D.C. think tank whose mission is critical infrastructure security has joined the call for lawmakers to consider regulating the security of connected devices.
In a report published this week, the Institute for Critical Infrastructure Technology pinned the blame for a rash of Mirai malware-inspired IOT botnet DDoS attacks on manufacturer negligence. The report points out the lack of security by design in devices such as DVRs and IP-enabled closed circuit TV cameras that are protected by weak or known default credentials as the root cause for the emergence of these attacks. Further, they caution that the availability of the Mirai source code has brought these large-scale attacks within reach of script kiddies, criminals and nation-states alike.
Regulation, echoing what Bruce Schneier said during a recent House briefing, is the most appropriate choice, the report’s authors James Scott and Drew Spaniel said, even at the risk of stifling innovation.
“For the sake of lasting impact instead of a market shift that avoids the regulations, national regulation seems most appropriate. State level regulation could prove asymmetric or disastrous to markets and consumers alike,” the report says. “Regulation on IoT devices by the United States will influence global trends and economies in the IoT space, because every stakeholder operates in the United States, works directly with United States manufacturers, or relies on the United States economy.”
Mirai is malware that probes and recruits IoT devices into botnets by trying to log in to them with a hardcoded list of weak credentials and then infecting them with code that forces the device to join a DDoS botnet. The danger, the report points out, is that Mirai is an easy-to-use development platform that simplifies the customization of these attacks.
“The brunt of the vulnerabilities on the Internet and in Internet-of-Things devices, rest with DNS, ISPs, and IoT device manufacturers who negligently avoid incorporating security-by-design into their systems because they have not yet been economically incentivized and they instead choose to pass the risk and the impact onto unsuspecting end-users,” the report says. “As a result, IoT botnets continue to grow and evolve.”
The report was released against the backdrop of another Mirai attack, this one targeting home routers provided by U.K. telecommunications company TalkTalk. A report released by Imperva Incapsula describes an investigation that began shortly after last week’s attacks that impacted 900,000 Deutsche Telekom DSL routers in Germany. Starting on Monday, Imperva Incapsula detected a run of unusually large requests hitting its sensors, peaking at 8,600 per second before leveling off at 1,000. The attacks were coming from devices almost exclusively located in the U.K., 2,398 IP addresses in all.
“This kind of IP distribution is uncommon for DDoS botnets. Typically it indicates a vulnerability in a device supplied by local retailers, which allows for such a regional botnet to appear,” Imperva Incapsula said in its report. “In this case, a quick scan revealed a horde of malware-infected home routers, over 99 percent of which belonged to the TalkTalk Telecom network. So we had our device and our distributor.”
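The heuristic Imperva describes above, that a DDoS whose unique sources sit almost entirely inside one operator's network points to a regional, device-specific botnet, can be turned into a simple detection check. The following is an added example, not code from Imperva or the report; the prefix-to-operator table, operator names and log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix-to-operator table: documentation ranges, placeholder names.
OPERATOR_PREFIXES = {
    "198.51.100.0/24": "Operator-A",
    "203.0.113.0/24": "Operator-B",
    "192.0.2.0/24": "Operator-C",
}
_NETS = [(ipaddress.ip_network(p), op) for p, op in OPERATOR_PREFIXES.items()]
_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def operator_of(ip):
    """Map a source address to its operator, or 'unknown' if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, op in _NETS:
        if addr in net:
            return op
    return "unknown"


def analyse_sources(log_lines, threshold=0.9):
    """Summarise unique attacking sources by operator.

    Returns the dominant operator, its share of unique sources, the number
    of unique sources, and whether that share exceeds `threshold`, the
    single-network concentration treated here as a sign of a regional botnet.
    """
    sources = {m.group(1) for line in log_lines for m in [_SRC_RE.search(line)] if m}
    if not sources:
        return {"top": None, "share": 0.0, "unique": 0, "regional": False}
    counts = Counter(operator_of(ip) for ip in sources)
    top, n = counts.most_common(1)[0]
    share = n / len(sources)
    return {"top": top, "share": share, "unique": len(sources), "regional": share > threshold}


# Constructed sample: 40 unique sources, 39 of them inside one operator's range,
# plus repeated hits from the same hosts, which must not be double-counted.
SAMPLE_LOG = [f"2016-11-28T09:00:{i % 60:02d}Z src=198.51.100.{i} GET /" for i in range(1, 40)]
SAMPLE_LOG.append("2016-11-28T09:01:00Z src=203.0.113.5 GET /")
SAMPLE_LOG.extend(SAMPLE_LOG[:5])

if __name__ == "__main__":
    print(analyse_sources(SAMPLE_LOG))
```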
Imperva Incapsula could not say for certain that the same Mirai variant that had taken down the DT routers was also responsible here. But there may be enough circumstantial evidence to arrive at that conclusion. For instance, none of the compromised routers, Imperva Incapsula said, were found to have port 7547 exposed, as those involved in the DT attacks did. However, researchers learned through a Shodan search that the port had been open until a few days before the attack began. One trait of the Mirai variant that attacked DT was that it closed port 7547 after infecting the targeted device in order to throw analysts off track.
“This was a sign of the same Mirai variant nesting itself in the device and then shutting the door behind itself,” Imperva Incapsula said.
TalkTalk, meanwhile, has patched the vulnerability and reset its routers.