Hackers could easily hijack millions of Android smartphones and turn them into a DDoS botnet that would dwarf the Mirai attack tool and cause untold disruption, Lookout’s security research chief has warned.
Speaking to V3, Mike Murray said it would be easy for cyber crooks to take over millions of smartphones, noting how often the widely used Android OS requires patching.
“The thing that blows my mind about that [Mirai] is that there were 12 million of those cameras [used in the attack]. There are a billion Android phones and there have been about 300 vulnerabilities that Google has issued patches for Android over the past three months," he said.
“All it takes is someone to take that exact same software and flip it to use on an Android vulnerability and the botnet would be ten times the size [or Mirai]."
Murray said such a botnet could be easily formed by creating a malicious app, or even just a virus-laden text message, that would spread between devices, and then lie dormant awaiting the attackers instructions.
“A crook could send a text message with a picture attachment that would, the moment you open it, immediately infiltrate your phone and also send itself on to all your contacts and so on,” he said.
Murray noted iOS devices could also be exploited in this manner but that it would require a zero-day flaw, whereas Android flaws are often made public but left unpatched for months as updates are slow to roll out to all devices.
He said that such a botnet would have huge potential, and would likely be able to overwhelm almost any website or core internet infrastructure system.
“The destructive nature of that kind of threat would be ridiculous,” he said.
Murray added that while this had the ring of a ‘doomsday prediction’ that security researchers often make the ease with which a smartphone botnet could be created makes it far more real.
“Usually the doomsday scenario is pretty contrived and takes a lot of work – but this is literally what happened last week but all it will take is someone the coded differently so it runs on phones instead of cameras,” he said.
“There is zero technological reason that doesn’t happen.”
Murray said since the success of Mirai it is likely many people’s eyes will have been opened to just how powerful DDoS cannon can become when millions of devices are used in an attack.
“To have a botnet so large you can overwhelm a DNS provider that provides DNS services for core internet infrastructure, that’s unheard of,” he said, referring to the attack on Dyn.
“As people realise the value of that as a weapon it’s not hard to imagine someone saying ‘how do I get more devices’ and realizing the easiest way is the phone.”
“I think it only hasn’t happened yet because until last week no-one had really realised they could do this, no-one had amassed a 12 million camera botnet, but now they’ll be thinking ‘if I had a 100 million phones, imagine what I could do.”
The impact this could cause would be potentially devastating, particularly if it targeted government service, such as tax return systems on a filing deadline.
Of course such an idea could well be of interest to nation state actors such as Russia or North Korea, although Murray said he thinks it unlikely nation states have been behind anything so far, echoing others in the security community.
“The weird one about this [Mirai] is if it was Russia, or North Korea, I don’t think they would open source the code,” he said, although he noted this could of course itself be misdirection.
“If you open source code then no-one can attribute to anyone. Attribution is hard at best of time, but if you put it out there, attribution is impossible.”
V3's sister site Computing is holding its annual Enterprise Security & Risk Management Summit returns on 24 November. Entrance is FREE to qualifying IT leaders and computing professionals, so register now.
Citrix claims Workspot has 'continued to mislead the market' and use Citrix-patented features
Using proven technology from wireless, coax and ADSL/VDSL communication
Touts crowding genuine fans out of the market, claims government
Users complain they haven't been able to access their accounts or withdraw money