It’s Time to Unplug the Insecure IoT

By Mary Catherine O'Connor

Hackers have proven what security experts have been warning us about for years—that they can conscript insecure Internet of Things devices to do their bidding. It's past time for all players in the IoT ecosystem, from manufacturers to consumers, to address vulnerabilities.

Unless this is the first bit of tech news you've read since last week, you probably already know that hackers unleashed a massive Distributed Denial of Service (DDoS) attack on Dyn, a New Hampshire-based domain name system provider, last Friday. More accurately, there were three separate attacks, the first happening at 7 AM ET, which only affected East Coast servers, followed by a second attack that spread the damage to the West Coast. A third wave, according to Dyn, was unsuccessful. The hackers leveraged internet-connected cameras and other devices to create a botnet that perpetrated the attack. In other words, the Internet of Things took down parts of the internet on Friday.

Dyn says it is still analyzing the attack, but confirmed that the botnets were created with malware called Mirai. This Mirai-based tactic should surprise zero internet security researchers, because Mirai is the malware that hobbled KrebsOnSecurity.com, the website of Brian Krebs, an investigative reporter who covers cybersecurity, last month. After that then-unprecedented attack, the Mirai code was posted to the internet. So it was only a matter of time before it was used again.

"We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," wrote Kyle York, Dyn's chief strategy officer, in a post about the attack.

Brian Krebs spoke with Allison Nixon, the director of research at security research firm Flashpoint, who, in a piece Krebs posted on Friday, said the Dyn attack involved mainly compromised DVRs and IP cameras made by Chinese hi-tech company XiongMai Technologies, which makes components sold to vendors who use them in consumer-facing products.

Krebs wrote that "…many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet. That's because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called 'Telnet' and 'SSH.'"

For years, security experts have been raising alarms regarding the low level of security with which many IoT devices are deployed. Security researchers even showed that they could hack into some internet-connected baby monitors, enabling a chilling new form of home invasion: watching a live video stream from inside children's nurseries. Manufacturers of such devices that were exposed as being highly insecure issued patches or discontinued sales, but some of those cameras are likely still in use. Once a product is out in the world, it can be very difficult to retroactively address its security vulnerabilities.

This is probably not the last time insecure IoT devices—some that have shockingly obvious factory-default logins and passwords, such as "admin" and "12345"—will be forced into service to do a hacker's bidding. But unlike past attacks, Friday's DDoS impacted many Americans (including this Twitter user), even if only for a short amount of time. Important news sites, including The New York Times, were inaccessible, and some users had difficulty logging onto PayPal. So while the attack affected people only for a very short amount of time, its sting is perhaps strong enough to push the security of IoT devices—especially of things like IP video cameras or other devices that are increasingly popular among consumers—into the national discussion.

This weekend, I attended a retrospective exhibition about the internet—ironic, given the fact that the DDoS attack is all over the news. Through exhibits and artwork, the event looked back to the early days of home modems and networking equipment, and to some of the early do-it-yourself website platforms for consumers, such as the now-defunct GeoCities. The experience elicited many memories for me, such as building my own computer, around 1995, using store-bought components and with the much-needed help of a friend who was studying computer science. Even though we all relied on painfully slow internet connections back in the pre-broadband days, there was so much magic and potential in the internet.

These days, my reliance on the internet is truly profound. I literally rely on it for my livelihood. And, of course, it powers much of my day-to-day communications.

Yet, for all the time I spend reporting on the Internet of Things, I really don't dabble in it. Aside from a smartphone and laptop, I have no IoT devices. I manually control my thermostat. I do not receive a text message when my washing machine completes a cycle. I need to walk through my front door before I can turn my lights on.

My home remains disconnected from the IoT for a long list of reasons, including concerns about digital security. But I still want manufacturers of IoT devices to improve the security of the products they sell, and I want retailers, brands and service providers to talk about digital security more, so that consumers who do use IoT devices can feel compelled and empowered to adopt practices that will result in safer networks.

Setting, and periodically changing, your own passwords is not the only tool consumers wield in the fight for a safer IoT. We can also demand that the brands and retailers from which we purchase internet-connected devices provide us with products compliant with the latest industry-vetted security standards. Someday, the U.S. Congress and government agencies may require that manufacturers of connected devices meet higher data-security standards. In the meantime, the most effective motivator will be exposing security vulnerabilities. If there is a silver lining to the type of hack that the web experienced on Friday, it is that exposure.

Reuters is reporting that XiongMai Technologies is recalling some of the internet-connected video cameras and DVRs that were leveraged in Friday's DDoS and are presumably still hackable even with updated passwords. To me, that is good news, because if the IoT is safer, the internet is safer, and my livelihood is safer—and yours probably is, too.

Mary Catherine O'Connor is the editor of IoT Journal and a former staff reporter for RFID Journal. She also writes about technology, as it relates to business and the environment, for a range of consumer magazines and newspapers.