On Friday, U.S. DNS provider Dyn experienced a huge DDoS (distributed denial of service) attack that knocked out much of its service. The company acts as a kind of address book for the Internet, routing requests for websites to the servers that host them. Dyn is used by companies including Amazon, Netflix, Reddit, Spotify and Twitter. These services were inaccessible in the U.S. for much of Friday.
Dyn said “tens of millions” of unique devices located around the world were used to bombard its servers with traffic. Security researchers and analysts now believe the attackers hijacked “Internet of Things” (IoT) products for the assault, linking them together into a massive botnet controlled by the Mirai malware.
Mirai seeks out smart home accessories that have weak security. Often, IoT products are very poorly protected, leaving themselves vulnerable to attack and weaponisation. A common flaw is the presence of factory-default usernames and passwords on every device. Once Mirai finds a product it knows the credentials for, it hijacks it and adds it to the botnet.
The devices used in the attack were mostly digital video recorders and internet-connected webcams built by XiongMai Technologies, a Chinese technology company. The firm makes IoT components that are then sold to vendors for inclusion in their own products. This business approach means there are millions of devices that could be hijacked using XiongMai’s factory user account settings.
Cybersecurity expert Brian Krebs warned that these products, along with scores of other mass-produced IoT devices, are “essentially unfixable” and pose a danger to others “unless and until” they are disconnected from the Internet. Once the attacker has ascertained the default username and password, they can use remote communication services to access a usually hidden system console.
This affords the attacker complete control of the device, giving them the ability to run commands, access data or upload a new, maliciously compromised firmware. There is usually no way the end-user can modify the factory credentials so it’s very difficult to properly secure a vulnerable product. During a scan of the Internet on October 6, researchers at Flashpoint Security identified over 515,000 devices that could be hijacked in this way.
On Friday, hackers exploited these vulnerabilities to link routers, IP cameras, smart lighting systems, DVRs and other mundane household items together. The massive botnet was then used to push vast amounts of data to Dyn’s servers, overwhelming its data centres and pushing much of the Internet offline. The attack has prompted calls for greater protection to be placed around the infrastructure that powers the web, as well as heightened concern for the chaotic nature of IoT security.
Krebs said a “global clean-up effort” is required so the security of the Internet and IoT can be ensured. “In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market,” said Krebs. Last month, the researcher faced a record-breaking 620Gbps cyberattack on his own website. It was also driven by the Mirai malware.
The mass offensive on Dyn has served as a reminder that the Internet is not the always-on platform most assume it to be. Traditionally, cyberattacks have been aimed at a single site. The rise of attacks on the web’s infrastructure is a concerning trend that threatens to impact multiple businesses with each attack.
The advent of open-source malware like Mirai and the use of IoT products to power botnets is another step forward in the arsenal of hackers. It makes it easier than ever to launch overwhelming attacks on increasingly larger targets.
