You know all of those cool, sci-fi gadgets that people are beginning to get that are connected to the Internet in their homes? The voice-controlled thermostats, the wireless printers and cameras, the home security systems, the food scale that sends the calories to your phone app, those “smart” appliances that text you to pick up milk, and the DVRs that can be programmed via your phone from work?
Apparently, those things may not be so smart after all because they played a big role in the cyber attack that took place last Friday. Security analysts believe that Friday’s attack on popular websites such as Reddit, Twitter, Netflix, and Spotify was the first one carried out by hackers who used the “Internet of Things.”
Here’s how the Internet of Things works:
The attack was on one service: Dyn.The massive attack took down the Internet across the country. The website Downdetector provided a map that shows how much of the US was affected:
The attack was on one company, and everything else fell over like a row of dominoes.All of the companies involved use Dyn, a cloud-based Internet performance management company.
Dyn was the target of the attack, and that, in turn, affected other companies.
Dyn is sort of like a phone book that directs users to the Internet address of the website. On Friday a distributed denial of service attack, (DDoS) affected Dyn by sending thousands of messages at the same time, which overwhelmed the service.
Security company Flashpoint said it had confirmed that the attack used “botnets” infected with the “Mirai” malware. From their site:
Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH. Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks.
While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH. Earlier this month, “Anna_Senpai,” the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mira’s source code online. Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks. It is unknown if the attacks against Dyn DNS are linked to the DDoS attacks against Krebs, OVH, or other previous attacks. Given the proliferation of the Mirai malware, the relationship between the ongoing Dyn DDoS attacks, previous attacks, and “Anna_Senpai” is unclear.
Coincidentally, many of the vulnerable “smart” devices are made in China.Many of the devices involved come from Chinese manufacturers, with easy-to-guess usernames and passwords that cannot be changed by the user – a vulnerability which the malware exploits. According to the BBC:
“Mirai scours the Web for IoT (Internet of Things) devices protected by little more than factory-default usernames and passwords,” explained cybersecurity expert Brian Krebs, “and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”I’m sure those easy passwords and vulnerabilities aren’t deliberate. China would never sneak Trojan horses into the USA, would they?
The owner of the device would generally have no way of knowing that it had been compromised to use in an attack, he wrote.
Mr Krebs is intimately familiar with this type of incident, after his website was targeted by a similar assault in September, in one of the biggest web attacks ever seen…That attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline. (source)