Mirai (未来) is a Japanese word that means future. The name was given to the malware by Anna-senpai, a member of the hacking community Hackforums. “When I first go in DDoS industry, I wasn’t planning on staying in it long,” begins Anna-senpai (Senpai is an honorific suffix in Japanese that is used to refer to superiors and seniors) the now notorious forum post in which the author of the malware publicly released its source code. In the post, Anna-senpai then proceeds to give detailed instructions how to use the botnet, adjust its various configuration options, set up cross-compilers, among other things.
Since the public release of the source code, there have been a number of new Mirai variants involved in several large-scale IoT attacks. Rick Holland, vice president of strategy at the cyber security defense firm Digital Shadows, says that “Digital Shadows researchers have observed a growing community of Mirai users asking for help and offering each other tips and advice.”
The thing that makes Mirai so effective is not that the malware is particularly well-designed or that it leverages some unknown vulnerability through clever programming. Mirai is so effective because it is highly adaptable, allowing it to quickly take over newly released IoT devices.
Market ExplosionAccording to IDC, by 2020, the global IoT market is forecast to grow to nearly $1.7 trillion as a result of over 200 billion devices, a steep rise from 15 billion devices that are connected today. It seems that everyone is developing new IoT solutions for established industries to niche markets alike. Things are moving so fast that before one company starts selling their recently-announced internet-enabled security camera, half a dozen of other companies launch similar cameras to compete with them.
In a market like this, one cannot afford to delay the launch even by a single day. Security and optimization often have to give way to core features and Kickstarter promises. Consequently, people are adopting vulnerable products that directly access the internet, making them easy targets for malware such as Mirai.
Most people don’t even realize that they have been affected by IoT malware in the first place. The particular device may act up, the internet speed may occasionally drop to a crawl, but nothing worse usually happens. “The ultimate goal for many of these IoT threats is to build strong botnets in order to launch distributed denial of service attacks,” Symantec researchers say. In other words, end-users are not the primary target; they are merely a means to an end.
As such, customers themselves have very little incentive to do anything about the situation. Why pay $30 more for an older version of a LED light bulb and a few vague promises about security when the potential negative consequences of buying a less secure alternative seem so farfetched?
“The perfect storm is brewing that will pummel our Nation’s public and private critical infrastructures with wave upon wave of devastating cyber attacks. The Mirai malware offers malicious cyber actors an asymmetric quantum leap in capability; not because of sophistication or any innovative DDoS code, rather it offers a powerful development platform that can be optimized and customized according to the desired outcome of a layered attack by an unsophisticated adversary,” write James Scott and Drew Spaniel in the introductory paragraph to their Rise of the Machines research paper written in December 2016 for the Institute for Critical Infrastructure Technology.
Security as a PrioritySadly, there is nothing that can be done to slow down the huge influx of flawed IoT devices that are fueling humongous botnets such as Mirai. They will find their way to the market one way or another. According to Craig Spiezle, the executive director and president of the non-profit online security and privacy watchdog group the Online Trust Alliance (OTA), one answer is to develop a comprehensive IoT device certification program such as OTA’s Trust Framework.
“OTA released the IoT Trust Framework, a strategic set of foundational principles providing guidance for developers, device manufacturers, and service providers to help enhance the privacy, security, and lifecycle of their products,” explains the group on their official website. Their goals are similar to what the OWASP Internet of Things Project is trying to achieve. “The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.”
With effective IoT certification programs in place, the only thing left to do is raise consumer awareness about the importance of purchasing certified devices, instead of cheaply-made alternatives. This is where things start to look rather bleak. When we look back at email security, mobile malware, or even the recent spike in ransomware attacks, we can see a clear lag in consumer awareness. Usually, things have to spiral out of control so much that even mass media start reporting on the issue before consumers become aware of basic security precautions.
This could mean years of IoT Wild West, similar to the lack of web security during the early 2000s. “Mirai is certainly not going away anytime soon,” Holland says.
In the meantime, you can educate yourself on the issue, raise awareness about IoT security problems, use IoT security best practices, and, above all, think twice before exposing any part of your home, business, or physical infrastructure to the internet.