Home devices could attack the internet again
SAN FRANCISCO — The huge cyberattack that crippled the internet and disabled dozens of websites Friday appeared to be the biggest attack of its kind that the world has ever seen.
But it may not hold that title for for long.
What made last week’s internet takedown so effective — and sinister — was how the attackers weaponized everyday devices like security cameras, digital video recorders and baby monitors.
Taking advantage of the devices’ web connections, hackers could infect them with malicious software and use them to paralyze huge portions of the internet with a barrage of junk data in what is known as a distributed denial of service, or DDoS, attack.
For many, the breach was a stark demonstration of just how insecure the internet remains. To some, it also felt like a call to action.
At a time when everything from televisions to refrigerators to kids’ toys are being equipped with an internet connection, experts and legislators said, something ought to be done to ensure the security of these devices.
Yet there is little consensus around who should bear that responsibility.
“There aren’t just one or two types (of Internet of Things devices), there are tens of millions,” said Jeremiah Grossman, Sen-
tinelOne’s chief of security strategy. “So what we can expect going forward is a lot more of the same ... look out Election Day. Look out Cyber Monday.”
The so-called Internet of Things encompasses a wide array of electronics: smart washing machines that will text you when your clothes are done, refrigerators that can order more groceries, wearable tech that can monitor your biorhythms, and talking toys that respond to words uttered by children.
Every year, more appliances are being made that connect to the internet. Securing them is often an afterthought, experts said.
Many consumers, for instance, don’t see the danger in leaving a default password on a smart microwave, said Brian White, the chief operating officer for security firm RedOwl Analytics.
This is the attitude hackers bank on. If they can crack into a device using an easy-to-guess password, they can turn an everyday DVR into a zombie device enslaved to malicious software that can be used in attacks such as Friday’s.
Companies have long been held accountable for securing their own websites — banks, for instance, have security systems in place. But Internet of Things manufacturers are not required to guarantee a base level of security in the devices they create.
And when the priority is making the most inexpensive device possible, Grossman said, makers often skimp on things like security features.
Information security “people have been screaming bloody murder about this for years,” Grossman said. “Everything from cameras to toasters, refrigerators, microwaves. And because there’s no regulation, the manufacturers don’t need to make sure these devices ship with any security whatsoever.”
No single government agency oversees the devices or practices of the Internet of Things, though several have limited authority over parts of it.
Since Friday’s Internet blitz, some legislators have begun calling for greater government intervention.
Friday’s attack targeted Dyn, an Internet infrastructure firm that, among other things, provides domain name services and online traffic management to hundreds of companies, including Amazon, CNN, GitHub, Twitter, Netflix, PayPal, Reddit, Zendesk and the New York Times, among many others.
In a DDoS attack, hackers typically deploy a botnet, or a network of compromised computers, to send phony traffic to a specific site or server with the intent of overwhelming it so it cannot respond to queries from real people.
What made the attack different was that it used a botnet seen only once before — last month in a record-size attack against cybersecurity journalist Brian Krebs’ website. The botnet, known as Mirai, used infected cameras spread across the world to send waves of traffic at Dyn’s DNS system at unprecedented rates.
Mirai continually scans the Internet for devices and then attempts to gain access to them by using a known default password or exploiting a weakness in outdated software.
Kyle York, Dyn’s chief strategy officer, said the company was able to mitigate the first two waves in a matter of hours, and fended off a third without customers seeing an impact.
But Dyn’s attackers may not have been using the full brunt of Mirai’s force.
Level 3 Communications, an Internet service provider based in Colorado, began monitoring the Mirai assault in the midst of its attack on Dyn. Level 3 reported that only about 10 percent of devices compromised by Mirai were deployed in Friday’s attack.
It has not yet been determined who was behind Friday’s attack. But because the code behind Mirai was leaked after the attack on Krebs, it could have been anyone.
Activist hacker groups Anonymous and New World Hackers claimed they were responsible.
But security experts and U.S. officials said they had their doubts about the groups’ boasts.