by hannob 3534 days ago
I think the answer is surprisingly simple: The attack was just huge.

The unfortunate truth is that with the Internet of Things the amount of devices that can easily be taken over has grown so fast that we see DDoS attacks of unprecedented size. Even more unfortunate is that there is no sign whatsoever that this is going down again.

2 comments

>The unfortunate truth is that with the Internet of Things the amount of devices that can easily be taken over has grown so fast that we see DDoS attacks of unprecedented size.

Not quite, the "IoT" botnets are particularly small in the great scheme of things. Google "conficker" for example.

Edit: Interesting how this is getting downvoted so much. Conficker had up to 15 million nodes, far bigger than any "IoT" net (when did home routers become IoT anyway?). It's far easier to build such huge Windows nets because you get millions of insecure computers with relatively standard hardware and software, not so much with "IoT".

In the past decently sized botnets simply weren't used to send DDoS attacks as much, that's all that's changed.

Does anybody have solid recommendations for secure IoT devices? Initial searches lead me to believe that they are non-existent.

Where's the pain-free device with open source, easily upgradeable firmware, that puts all of our IoT devices in their own private network but lets us tunnel through to them? It needs to be easy enough that our (grand)parents could pick one up on Amazon, Best Buy, or Home Depot and plug in and go...

If these are connected by cellular, they are given a private network that does not connect to the public internet and are inaccessible from the public internet unless the app provider explicitly chooses to do so.

Most better home routers can restrict devices connecting to the internet (either through the Firewall or more comfortably configured through family filters) and offer VPNs to the internal network?

It's called PLAN (short for physical LAN). It doesn't need a managed switch, like VLAN, because you just use one switch for each network. Careful: Don't connect them.

Change the default admin password.

The original Mirai program tried a little over 60 passwords and it would just brute force into an IoT device.[1]

From what I read, it seems that one specific manufacturer in China is the owner of a lot of devices used in the Mirai botnet attacks.[2]

1: https://github.com/jgamblin/Mirai-Source-Code/blob/master/mi...

2: (I cannot find the link, but it was an article from yesterday)

EDIT:

Found this when googling the strange '7ujMko0admin' password in Mirai: http://www.cam-it.org/index.php?topic=9396.0 So it looks like the Chinese manufacturer that they target is Dahua.

Brian Krebs pegged a company called XiongMai: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powe...
That article also mentions the credentials are in the firmware.

Apple's HomeKit supports Bluetooth-only devices. Seems like a good design choice right about now.

Until Web Bluetooth opens those devices to exploitation from internet websites. It would be best if Bluetooth remained isolated from web browsers, but the powers that be want websites to be able to talk to them.

Well, a good initial step is usually changing the default password.

A good initial step is not to have a default password. There was a time when all routers came with a default password and people were told to change it. They didn't. Now most new routers come with a randomly generated unique password printed on a sticker under the router. IoT devices should follow the same practice.
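
The practice the last comment describes (no shared default, a random per-device password printed on a sticker) could be provisioned as below. This is an added example, not part of the thread; the alphabet, password length, scrypt parameters, record layout and serial numbers are assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I), because the password
# is read off a printed sticker and typed by hand. 56 symbols.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LEN = 16  # about 93 bits of entropy with a 56-symbol alphabet


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt cost parameters are an assumption; tune n to the device's CPU/RAM.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1, dklen=32)


def provision(serial: str) -> tuple[str, dict]:
    """Return (sticker_password, firmware_record) for one device."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
    salt = secrets.token_bytes(16)
    # Only the salted hash goes into the firmware image, never the password,
    # so one dumped image does not unlock every other unit of the model.
    record = {"serial": serial, "salt": salt.hex(), "hash": _hash(password, salt).hex()}
    return password, record


def verify(record: dict, attempt: str) -> bool:
    """Device-side login check against the stored salted hash."""
    expected = bytes.fromhex(record["hash"])
    actual = _hash(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)  # constant-time comparison


def provision_batch(serials: list[str]) -> dict[str, tuple[str, dict]]:
    """Provision a production batch, refusing duplicate serial numbers."""
    if len(set(serials)) != len(serials):
        raise ValueError("duplicate serial in batch")
    return {s: provision(s) for s in serials}


if __name__ == "__main__":
    batch = provision_batch(["CAM-0001", "CAM-0002", "CAM-0003"])  # constructed serials
    for serial, (password, record) in batch.items():
        print(f"{serial}  sticker: {password}  stored hash: {record['hash'][:16]}...")
```

With a scheme like this, a fixed list of around 60 vendor defaults has nothing to match against, since no two units share a credential.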