The massive distributed denial of service (DDoS) attack that hit domain name system provider Dyn on Friday brought home a chilling reality: All of the gadgets that consumers and businesses have been connecting to the Internet of Things can be weaponized.
The attack, which temporarily crippled traffic to dozens of major web services on Friday, was especially troubling because the number of connected devices is bound to increase in the years ahead. Research firm Gartner expects 6.4 billion connected things will be in use worldwide this year, with that figure forecasted to reach 20.8 billion by 2020.
Dyn serves as a hub and routing service for internet traffic, and the attack temporarily shut off access to Twitter, Netflix, Spotify, Box, GitHub, Airbnb, Reddit, Etsy, SoundCloud and other sites. According to Kyle York, Dyn’s chief strategy officer, the incident was “a sophisticated, highly distributed attack” involving tens of millions of IP addresses. Dyn is still investigating the root cause and source of the attack, but York said it came from “multiple attack vectors and internet locations,” and that, on coordination with analysis from Flashpoint and Akamai, one source of the traffic for the attacks were devices infected by the Mirai botnet.
“We observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack,” York said. However, the number of devices involved in the attack was probably around 50,000, according to Chester Wisniewski, principal research scientist in the office of the chief technology officer at cybersecurity firm Sophos.
What is Mirai? As security researcher Brian Krebs noted in a blog post on Friday, it was late last month when “the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.”
Mirai is a kind of malware, a botnet, that takes control of internet-connected devices and then uses them as a group to attack. Krebs explains: “Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
ZDNet reported that Chinese electronics firm Hangzhou Xiongmai said in a statement that “hackers were able to hijack hundreds of thousands of its devices into a botnet because users had not changed the devices’ default passwords. The botnet then flooded Dyn’s servers with traffic, which led to its systems overloading and failing.”
Xiongmai has issued a recall for webcams that may have been involved in the attack, but the firm rejected suggestions that the webcams comprised the majority of the devices used in the attack, according to the BBC. “Security issues are a problem facing all mankind,” the firm said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once too.”
Morey Haber, vice president of technology at BeyondTrust, an identity and vulnerability management firm, says that the attack proves that compromised IoT devices, botnets, and a targeted DDoS attack “can be effective on a large scale and can disrupt major companies that rely on the internet.
“It also raises the question as to whether this attack was a precursor to a larger attack, a test similar to DDoS attacks three weeks ago in France, or if the owners of the botnet have a more devastating plan in place awaiting activation,” he says. “This was just another test mission. Everyone from the board room to government entities should take notice. This could be potentially our last real warning before a sustained attack. The real problem is how we got to this point.”
Haber says that IoT devices “are the dumbest and simplest devices to be connected to the internet” and have “basic security, can have hard coded passwords, and no methods for patching vulnerabilities or controlling privileges.”
Using elementary hacking techniques, malicious actors are renting out botnets to attack and control IoT devices, Haber says.
Haber argues in favor of legislation mandating stronger security protections for IoT devices before they are produced and shipped, and says that because every nation is vulnerable to such attacks there is a greater prospect for international cooperation.
Companies and organizations cannot adopt a reactive and defensive posture to such threats, he says, and should instead focus on improving the security of connected devices from the start.
However, Wisniewski says that such legislation “can help prevent, but not resolve, these issues,” and that IoT devices that have become part of the Mirai botnet are spread around the world, “and no one government can stop foreign devices from attacking them.”
Minimum safety standards for IoT devices are needed, Haber says. “Otherwise, we are just going to continue to introduce devices that bring unnecessary risks to the internet,” he says. “We would never put them ‘as is’ in our business, so why would we trust them publicly? My advice: Patch your systems, cycle your passwords and restrict privileges as much as possible.”
Wisniewski agrees and says that “this is a much bigger issue than can be solved by one vendor and one vendor’s products. What’s needed is industry standards and best practices, including thoroughly testing devices for security issues before shipping them to consumers, abiding by best practices and making sure that there is a clear mechanism for patching bugs — and that mechanism must include notifying the owner of the device.”
The Mirai botnet or one like it could be used to take down just about any organization, Wisniewski argues. Businesses, he told BizTech, should have “an anti-DDoS plan or strategy that helps position them to continue operations if critical components in their infrastructure are unavailable,” similar to how businesses prepare for nature disasters like hurricanes or earthquakes. Such plans might also include subscribing to third-party services that can help mitigate the attack, he says.
Dyn also has advice for companies: Diversify your internet infrastructure partners. “We have advocated for years for redundancy in your infrastructure,” York told Fortune. “I don’t think you can ever be safe enough or redundant enough.” York said clients who used multiple servers “saw less of an impact” during Friday’s DDoS attack.