UK becomes first country to ban default bad passwords on IoT devices
Seven years ago, a cyberattack left many of the most popular websites based in the United States inaccessible. For three extended periods on October 21, 2016, internet users were left without their doses of Twitter, CNN and Netflix among other popular sites.
Naturally there was speculation about the powerful threat actors who could have caused such a disruption. But the incident was not conducted by a hostile state. It turned out to be extremely unsophisticated, just a distributed-denial-of-service attack targeting Dyn, a company which provided Domain Name System (DNS) services — a critical part of the internet’s communications structure.
While the attack was unsophisticated, it was large. The volume of traffic sent to Dyn’s servers was generated by a botnet of internet-connected consumer devices from wireless cameras through to WiFi routers. The botnet, named Mirai after a Japanese cartoon, had been developed by a trio of U.S. citizens barely out of their teens, all of whom were soon arrested.
While they pleaded guilty just over a year later, their invention raised the specter of something much more long-lasting — the specter of just how much harm could be caused by sloppy security practices among Internet of Things (IoT) producers, particularly the widespread use of default usernames and passwords that allowed the Mirai botnet to automatically infect them and spread itself to around 300,000 devices, all of which could be ordered to target anything else connected to the internet.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25449917/PXL_20240510_013415094.MP.jpg)
