By Steven Melendez, Fast Company
On Friday, a series of massive distributed denial of service attacks disrupted access to major internet services including GitHub, Twitter, Spotify, and Netflix.
The attackers apparently used tens of thousands of hacked internet of things devices—household appliances such as digital video recorders, security cameras, and internet routers—to generate a massive amount of digital traffic.
That digital noise was sent to Dyn, a domain name service provider used by major online companies, disrupting its ability to translate human-readable internet addresses into the IP addresses networks use to route traffic.
(Learn More, ‘Hacked: Who’s Responsible for Today’s Web-Host Siege?’ Courtesy of Bloomberg)
The attack came after years of warnings from security experts that the makers of many internet-enabled devices paid too little attention to security, shipping internet-connected hardware with preset passwords, insecure default connections, and other vulnerabilities.
“It is just a matter of time until attackers find a way to profit from attacking IoT devices,” a report from security firm Symantec warned last year.
“This may lead to connected toasters that mine cryptocurrencies or smart TVs that are held ransom by malware. Unfortunately, the current state of IoT security does not make it difficult for attackers to compromise these devices once they see the benefit of doing so.”
Hackers and security researchers have previously exploited vulnerabilities to get access to devices like baby monitors and webcams.
Researchers from security company Pen Test Partners even demonstrated earlier this year how hackers could install ransomware on an Internet-connected thermostat, leaving victims sweltering or shivering until a ransom is paid.
And in Friday’s attack, compromised IoT devices were coordinated as part of a botnet—a network of hacked machines essentially turned into remote-controlled robots by malware—dubbed Mirai.
Between 500,000 and 550,000 hacked devices around the world are now part of the Mirai botnet, and about 10% of those were involved in Friday’s attack, said Level 3 Communications Chief Security Officer Dale Drew on the internet backbone provider’s Periscope channel Friday.
“With a rapidly increasing market for these devices and little attention being paid to security, the threat from these botnets is growing,” according to a blog post published by Level 3 just days before the attack.
Mirai-controlled devices were also key components in a September denial of service attack on Krebs on Security, the high-profile blog by security journalist Brian Krebs that’s both required reading for many in the industry and a juicy target for the hacking groups Krebs covers.
(Learn More. One of the biggest web attacks ever seen has been aimed at a security blogger after he exposed hackers who carry out such attacks for cash. The DDoS attack was aimed at the website of industry expert Brian Krebs. Courtesy of Hotnews and YouTube)
At the time, Krebs reported that the attack was the largest ever seen by content distribution network provider Akamai, nearly twice the size of the existing record holder.
It’s also unclear whether the botnet’s initial creators are directly behind the attack on Dyn or whether they’re effectively selling access to the attackers.
“The person who’s buying time on that bonnet could be buying time on quite a few other botnets as well,” Drew said on the Level3 Periscope channel.
The Department of Homeland Security and Federal Bureau of Investigation have said they’re investigating Friday’s attack.
Security experts advise users of IoT devices to take simple steps like changing default passwords and installing any security updates that manufacturers provide, but it can be difficult to make many such devices fully secure against a determined hacker.
Some manufactures don’t provide updates at all, and some only provide them through an insecure online channel, letting hackers effectively generate their own malicious updates, according to last year’s Symantec report.
“Unfortunately, it is difficult for a user to secure their IoT devices themselves, as most devices do not provide a secure mode of operation,” according to the report, which also urged manufacturers to implement basic security measures on their connected products.
Requiring users to set their own secure passwords when setting up the devices, and disabling unneeded avenues for remote control, would help keep hackers out, according to Level 3’s Mirai report.
Users can often also configure the devices to disable remote login to the devices and use free tools to make sure those connections are actually disabled, according to Imperva.
“With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices like these should become the new norm,” according to the company.
“Make no mistake; Mirai is neither the first nor the last malware to take advantage of lackluster security practices.”