Those of you who have been paying attention to the news already know that the major DNS outage last Friday is probably related to Mirai, a piece of malware whose source was released recently. You’ll also know that Mirai targets low-cost internet-connected embedded devices, and that it’s a comically incompetently written piece of code.
The idea that embedded devices would be vulnerable to attacks doesn’t even count as an open secret: the idea that major websites of the near future would be DDoSed by smart fridges was a cliché in some corners of the computer security world in 1999. Prior to around 2010, the dominant term for what we now call the Internet of Things was “ubiquitous computing” — a reference to Philip K. Dick’s novel Ubik, whose description of a group of appliances conspiring to extort and blackmail their human owner, now used as a parody of the “internet of things” concept, actually initially inspired it. The method that Mirai uses to get into these nodes is again an old one, familiar to war-dialers from the BBS era: Mirai iterates through a list of default username and password pairs until it gets a hit. Such lists are easy to find, and have been circulating on the internet since before it was called “the internet”.
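The defender-side view of the method described above, as an added example that is not part of the original post: a credential sweep against a device walks a list of vendor accounts, so many failed logins for distinct usernames from one source inside a short window is the signal to alert on, while a person mistyping a password reuses one username. The log line layout below is a constructed, syslog-like assumption, not the output of any specific telnetd.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real captures); the field layout is an
# assumption for this example, so adjust LINE_RE for the daemon you actually run.
SAMPLE_LOG = """\
Oct 21 11:00:01 cam01 login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root
Oct 21 11:00:02 cam01 login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR admin
Oct 21 11:00:03 cam01 login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR support
Oct 21 11:00:04 cam01 login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR user
Oct 21 11:00:05 cam01 login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR guest
Oct 21 11:00:06 cam01 login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR admin1
Oct 21 11:05:00 cam01 login[412]: FAILED LOGIN 1 FROM 203.0.113.9 FOR alice
Oct 21 11:09:00 cam01 login[412]: FAILED LOGIN 2 FROM 203.0.113.9 FOR alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \d+ FROM "
    r"(?P<src>\S+) FOR (?P<user>\S+)$"
)


def parse_failures(text, year=2016):
    """Yield (timestamp, source, username) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"]


def find_credential_sweeps(text, window=timedelta(seconds=60), min_users=5):
    """Return {source: [usernames]} for sources that failed logins for at least
    min_users distinct usernames within any single window."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged
```

Only 198.51.100.7 is flagged: six vendor-style account names in six seconds, whereas 203.0.113.9 fails twice on a single username and is left alone.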
In the early 90s, members of a hacking group called the L0pht made a public statement claiming that they could easily take down the internet, and that unless security measures improved, someone with less impulse control would eventually do so. They weren’t bluffing; various methods of making the whole internet essentially unusable for long periods of time have been available for decades now, largely unpatched — it turns out that until now, few people have wanted to bother with such blunt instruments.
The general consensus in computer security that the human element is typically the weakest link isn’t without merit: in a competently secured system, humans are the most difficult element to lock down, and exploiting the human biocomputer requires less cleverness than exploiting a computer system. However, even when high stakes are involved, competence is not the norm. Until recently, easily broken short PIN codes dominated online banking, and much banking infrastructure still relies upon things like account numbers and SSNs that conflate identification, authentication, and authorization; few systems implemented multi-factor authentication, and nearly all systems will waive multi-factor authentication in the face of a sufficiently convincing phone call. Modern security practices have yet to penetrate industries like web dev and embedded systems development, where hardcoded authentication defaults, debugging backdoors, passwords stored as plaintext or unsalted hashes, weak XOR encryption against some arbitrary byte, and other awful behavior are tolerated or encouraged. We see from leaked documents that even the NSA is engaging in absolute idiocy, using Microsoft Word & its macro system for dealing with confidential documents and allowing those macros to contain commands that interact with the network.
Mirai, created by weebs, is full of in-jokes referring to chan culture and anime. Some people have taken this to mean there’s an association with Anonymous; however, the lesson of Mirai is that an association with Anonymous is totally unnecessary. The situation that Mirai takes advantage of is an old one; the only thing new about it is that even the dumbasses have realized that even a dumbass can take down the internet. The release of Mirai’s source has allowed script kiddies of an even lower skill level than Mirai’s authors to take advantage of the collective ignorance that end users have been allowed to partake in.
The name “mirai” was probably chosen because it sounds cool, but it’s very appropriate. “Mirai” means future, and Mirai is representative of our future: one where you don’t need to be 4chan to take down large chunks of the internet, but can get away with just being the junior high glee club.