The Mirai botnet was used to carry out a DDoS attack in late October against one of the Internet’s domain name service (DNS) providers, Dyn, resulting in an Internet disruption for many.  It wasn’t the first time this botnet, comprised of Internet of Things (IoT) devices, was used in a DDoS attack.  Other earlier uses of the Mirai botnet were similarly successful in late September 2016.

In its analysis of these earlier Mirai botnet attacks, website security and DDoS protection vendor Incapsula Imperva* indicated in its blog that “Mirai-infected devices were spotted in 164 countries.”  The blog posting indicates that they geo-located the nearly 50,000 unique IP addresses that hosted Mirai-infected devices, displaying them on a world map for readers.

These Mirai botnet attacks are striking (no pun intended) for three reasons.

1. The Internet-side of so many consumer and commercial networks – not just in specific locations, but around the world - is not adequately protected from Internet threats.
2. The botnet of compromised systems isn’t composed of PCs as in the past. Instead the bots or “things” spraying DDoS traffic included tens of thousands of digital video recorders (DVRs) and surveillance cameras – part of the Internet of Things (IoT).
3. The exploited weaknesses through which the Mirai botnet has become so successful are at once so elementary and so avoidable.  For starters, the devices are often accessible over the Internet via the insecure Telnet protocol. Once connected, Mirai uses a collection of known default passwords to gain access to victim devices.

While few are in a position to solve the problem of the many consumers worldwide with insecure Internet-facing network connections, ICSA Labs can help with the other two problems identified above.  In May 2016 ICSA Labs began security-focused certification testing of Internet of Things devices and sensors, including cameras and DVRs.  In fact, the first product to attain ICSA Labs IoT Security Certification is a Canary security camera.

To evaluate IoT devices and sensors, we published an IoT Security Testing Framework that is comprised of a wide array of testing requirements mapping to six-categories – including “authentication” and “communication” – the areas of weakness through which the Mirai botnet gained access to tens of thousands of IoT devices worldwide.

Had those IoT device makers registered for ICSA Labs IoT security certification and made the fixes we would have recommended, the recent attacks affecting Dyn, Brian Krebs and others could have been avoided as our testing uncovers these kinds of vulnerabilities among other things.

* Incapsula Imperva is owned by Imperva.  Imperva’s web application firewall (WAF) is tested and certified by ICSA Labs.