“Still, the worst thing about Mirai is that it leverages the horrible security decisions made by a handful of manufacturers of Internet-connected devices.”
This sentence, from an article by Sean Gallagher published on Ars Technica, is really an understatement. It speaks to the global problem in the attitude manufacturers have toward security and making secure products. Nowadays one would think everyone would have realized that if something connects to the internet, it is fair game for attack. That’s the world we live in. Let me be really clear—if a device connects to the internet, or is internet aware, it is open for attack. The Mirai IoT botnet attack that occurred last week did nothing more than put a period on that sentence.
Recall the Mirai attack managed to control millions, yes millions, of devices that connect to the internet. Now to be fair, traditional thinking probably permitted that.
Traditional thinking goes like this, “This is just a DVR or security camera, or a Samsung refrigerator, or a Roomba vacuum cleaner, or a Ring doorbell with video. These are just dumb devices. They won’t be hacked.” And remember, new vehicles are internet aware by Wi-Fi and satellite. And yes, this has happened already with a Jeep.
Give me a break, people. Yes, I’d like to agree with traditional thinking. But that isn’t our reality anymore. The internet is the Wild West. Even if it were regulated, it would still be the Wild West. The technology inside networked internet devices is easily hidden from scrutiny. Hackers know this. So do nation-state cyber organizations. So does organized crime. It wouldn’t surprise me if the Mirai attack was really an intentional framework deployed by a nation-state organization. What I’m saying is this: what if a country colluded with a manufacturer to build millions of their devices with some sort of back door that would permit them to remotely log in to them, take control, and stage an attack from them? Is it possible Mirai happened by accident and we really saw a nation-state tip their hand to a forward-deployed attack vector to use against other countries? It makes you wonder; and yes, I’m aware that sounds like a huge conspiracy theory.
At the end of the day, manufacturers need to get a clue and create devices that are secure from the get-go. They could generate random default login information for a device, print it, and put that slip of paper in the box. I’ve seen responsible manufacturers do this. Then the device forces a change of those default logins the first time a user sets it up. Will that be infallible? No, but it’s a step in the right direction. A step that would cost the manufacturer less, spent up front, than the damage to its reputation would cost later.
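The scheme described above, sketched as an added example that is not code from the original post or from any manufacturer. The `Device` class, its method names, the 12-character minimum and the PBKDF2 iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Unambiguous characters for a printed slip (no 0/o, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the device never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Device:
    """Hypothetical single-admin account store for one shipped unit."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = b""        # unprovisioned: no password can match
        self.must_change = True

    def _set(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)

    def provision(self) -> str:
        """Factory step: random per-unit password, returned once for the slip."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(12))
        self._set(password)
        self.must_change = True
        return password

    def login(self, password: str) -> str:
        """Return 'denied', 'change_required' (setup screen only) or 'ok'."""
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        """First-run step: refuse short passwords and reuse of the old one."""
        if self.login(old) == "denied" or len(new) < 12 or new == old:
            return False
        self._set(new)
        self.must_change = False
        return True
```

Because every unit gets its own random secret and the factory value stops working after first setup, a credential list shared across a whole product line has nothing to match against.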
Security needs to be the first thought in new product development. Not an afterthought right before it goes to market.
This is a Security Bloggers Network syndicated blog post authored by Jeff Evenson. Read the original post at: Security Friction