Ars Technica: Manufacturers design these devices to be as inexpensive and easy-to-use as possible. By Dan Goodin
'Consumers often have little technical skill. As a result, the devices frequently come with bug-ridden firmware that never gets updated and easy-to-guess login credentials that never get changed. Their lax security and always-connected status make the devices easy to remotely commandeer by people who turn them into digital cannons that spray the Internet with shrapnel. On Thursday, security firm Symantec cataloged 11 different families of IoT malware that do just that.
'"The current IoT threat landscape shows that it does not require much to exploit an embedded device," Symantec researchers wrote in the report, which was headlined "IoT devices being increasingly used for DDoS attacks." "While we have come across several malware variants exploiting device vulnerabilities—such as Shellshock or the flaw in Ubiquiti routers—the majority of the threats simply take advantage of weak built-in defenses and default password configurations in embedded devices."
'The growing supply of IoT malware is creating a tipping point in the denial-of-service domain that's giving relatively unsophisticated actors capabilities that were once reserved only for the most elite of attackers. And that, in turn, represents a threat to the Internet as we know it.
'Of course, if a ragtag band of quasi-hackers can disrupt KrebsOnSecurity, they can disrupt plenty of other sites, too. And this should concern not just the Googles, Apples, and Microsofts of the world but their everyday users as well. Krebs said the threat "screams out" for the kind of industry-wide collaboration that's come together to counter previous threats, including the DNS spoofing bug researcher Dan Kaminsky disclosed in 2008, the Conficker worm that infected huge swaths of the Internet the same year, or the GameOver botnet from last year. Sadly, Krebs said he sees no signs of such cooperation now.'