Mirai, the Internet-of-things malware that turns cameras, routers, and other household devices into potent distributed denial-of-service platforms, may be lying low, but it’s certainly not dead. Last week, researchers identified a new outbreak that infected almost 100,000 devices in a matter of days.
Over a span of 60 hours starting on November 22, the new Mirai strain was able to commandeer almost 100,000 devices.
As the description of the underlying vulnerability, CVE-2016-10401, explains, affected ZyXEL devices use the same su, or superuser, password by default, which makes it easier for remote attackers to obtain root access when a non-root account password is known.
The recently discovered Reaper botnet is significant because it doesn’t rely on passwords at all to spread. That raises the specter of outbreaks that infect devices even when owners or service providers have taken the time to change default credentials.
If the addition of two default credentials can recruit almost 100,000 new devices in less than three days, attackers likely have plenty of other ways to take over IoT devices in mass quantities.
IoT security vulnerabilities are going to continue to cause major problems for the Internet until countries enact minimum security baseline requirements. Consider that we are expected to have 20 billion IoT devices online by 2020. If we continue to allow IoT manufacturers to act like this is the Wild West, things are only going to get exponentially worse.