It was all over the news this weekend. A sustained DDoS attack that caused outages for a large number of web sites Friday was launched with the help of hacked “Internet of Things” (IoT) devices. In a relatively short period of time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.
Early Friday morning someone aimed a DDoS attack at Dyn, a New Hampshire-based Internet infrastructure company that provides critical DNS services to major websites. The attack immediately created problems for users of Twitter, Amazon, Tumblr, Reddit, Spotify, Netflix and a host of other websites.
This outage was similar to the recent DDoS attack on IT security reporter Brian Krebs’ site, caused by the Mirai botnet, which consists of hacked IoT devices, mainly composed of digital video recorders and IP cameras made by a Chinese hi-tech company called XiongMai Technologies.
The components that XiongMai makes are sold downstream to vendors and manufacturers who then use them in their own products. All credentials are hardcoded in the firmware and cannot be changed. This is a very dangerous practice and we need laws against this ASAP.
Who Is Learning How to Take Down the Internet?
Last month, IT security guru Bruce Schneier created some controversy when he wrote that someone, probably a country, was learning how to take down the internet:
“Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guess.
These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.”
It’s either a large country, or one of these two other scenarios:
1) Someone tried to extort Dyn and, when they did not cough up the money, decided to show them what they could unleash.
2) Anonymous and/or some other hacktivists decided to flex their virtual muscle and show netizens they are still a force to be reckoned with.
Either way is disconcerting.
What can you do about this?
Well, not much EXCEPT keep your unnecessary IoT devices off the internet – don’t simply follow the manufacturer’s instructions and routinely connect everything to your Wi-Fi connection. In the future, laws should be passed forcing manufacturers to build standard security functionality into these things, making it somewhat safer for us consumers to use them.