Picture of a man using a sledgehammer to knock down an arch while standing on top of the arch.

Please, hammer, don’t hurt ’em.

NOTE: This is part 1 in a series about the recent DDoS attacks using Internet of Things enabled devices. We’ll be covering what happened in the DDoS/Mirai attacks in this piece. You can use the navigation below to access the other parts.

The Insecurity of Things:
Part 1 – Look into the Mirai – An overview of what happened
Part 2 – Wagging the Dog – What Mirai is really about: security and secure passwords
Part 3 – A Manufactured Problem – The ‘root’ of this lies with the manufacturers. Here’s what they’re doing, and what they need to do

Well, it’s happened. The Internet of Things did us in. We can’t use it. It’s going to shut us down. My fridge just swallowed my kid.

This past Friday we saw one of the largest attacks on the internet to date, and it was fueled by Internet of Things-connected devices. Does that mean the Internet of Things is just not ready for prime time? It’s more complicated than that. Done right, Internet of Things devices can deliver on their promise. What we’re seeing are gaps that neither vendors nor the people using the products are covering, which happens often in emerging markets. I’m not looking to excuse that behavior, only to point out how nascent this market is, and I’m in no way looking to blame users. Unless we change how we, as consumers and as vendors, approach security for these devices, we will see this continue. Over the next few days I’m going to put up a series of posts on how we can do that. Here at CRT, we focus on educating consumers about the Internet of Things, including how they can keep themselves and their devices safe. This first post addresses what happened.

Two large-scale attacks have been unleashed on the internet using Internet of Things-enabled devices. Specifically, these were security cameras, DVRs and storage devices that were still using their default credentials and had been taken over by malware called Mirai. A little over a month ago, this botnet was used to target security researcher Brian Krebs. Last week, you may have noticed that a lot of sites (Netflix, Twitter, Spotify, as well as some real estate sites) were inaccessible or not working properly.

You may have heard of DDoS attacks before. DDoS stands for ‘distributed denial of service’. In a DDoS attack, attackers use bots (machines they control but don’t own; traditionally other people’s computers, and in this case IoT devices) to send a LOT of traffic at one particular website or server. The target receives far more traffic than it can handle, so it goes down and becomes inaccessible. Traditionally, the main tool for building these botnets has been other people’s computers, which attackers take over through phishing, malware, and malicious links on the web, to name a few. This is why having security software like antivirus and malware scanners on your computers is really important.

In these attacks, a program called Mirai (‘Future’ in Japanese) scanned the internet for IoT devices whose remote login (typically Telnet) still accepted factory-default or hard-coded usernames and passwords. When it found a match, it logged in, took control of the device, and added it to the botnet to await attack orders. The attack on Brian Krebs’ site saw about 620 gigabits per second (Gbps; bits, not bytes) of traffic for a sustained period of time. Luckily, Krebs was working with Akamai (one of the Internet’s largest content delivery networks) to keep his site up, and they succeeded. Brian notes on his blog that Akamai said this was nearly twice the size of the largest attack they’d previously seen.

Moving to last Friday, rather than target one person or site, the target was a company called Dyn. Dyn provides DNS (domain name system) services for a large part of the internet. DNS is what maps a name you type, such as ‘crtlabs.org’, to the IP address of the server hosting that site; that mapping is how your browser finds us. Dyn does this for countless sites. When Dyn’s servers were flooded, many of its biggest clients became unreachable, not because those sites were attacked directly, but because their names could no longer be resolved. According to Dyn, over 10 million IP addresses* were used to send traffic in the attack. Details are still emerging.

The real issue in both cases is how the attacks were carried out. Using the Mirai software (and possibly other bot software), millions of IoT devices were scanned, and the ones still using default usernames and passwords were taken over. Once the devices were under the attackers’ control, all they had to do was decide when and where to attack. This does not mean that the Internet of Things is the problem. It means our (vendors’ and consumers’) practices around securing and hardening these devices are the problem.
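To make the mechanism described in the Mirai paragraph above and in this one concrete, here is an added example; it is not code from the original post, and it is not Mirai’s own code. It is a small default-credential audit of the kind you could point at your own camera or DVR to see whether it would fall to a Mirai-style sweep, run here against an in-process fake login service so it works offline. Assumptions not stated in the post: the credential list is a short illustrative subset of widely reported factory defaults, the fake device accepts only root/xc3511, and the login dialog is a bare line-based login/password prompt rather than full Telnet option negotiation.

```python
"""Added example (not from the original post, not Mirai's code): a minimal
default-credential audit of the kind Mirai automated, run against an
in-process fake device so it works offline.

Assumptions: DEFAULT_CREDENTIALS is an illustrative subset of widely reported
factory defaults; the fake device speaks a bare "login:" / "Password:" line
dialog, not real Telnet option negotiation; only root/xc3511 is accepted.
"""
import socket
import threading

# Illustrative subset of factory-default pairs (assumption: not the full list).
DEFAULT_CREDENTIALS = [
    ("root", "xc3511"),
    ("root", "vizxv"),
    ("root", "admin"),
    ("admin", "admin"),
    ("root", "root"),
    ("root", "123456"),
    ("support", "support"),
    ("ubnt", "ubnt"),
]


def _recv_until(sock, marker, limit=4096):
    """Read until marker appears, the peer closes, or limit bytes arrive."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, username, password, timeout=2.0):
    """Return True if host:port accepts username/password at its login prompt.

    A device that never shows a prompt makes recv() time out; that raises
    socket.timeout (an OSError) to the caller instead of being hidden.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, b"login:")
        s.sendall(username.encode() + b"\r\n")
        _recv_until(s, b"Password:")
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, b"\n")
        return reply.startswith(b"OK")


def audit_device(host, port, credentials=DEFAULT_CREDENTIALS):
    """Try each default pair on a fresh connection; return the first accepted
    (username, password) or None. One connection per attempt, so a device
    that drops the session after a failed login does not stop the sweep."""
    for user, pw in credentials:
        if try_login(host, port, user, pw):
            return (user, pw)
    return None


class FakeDevice:
    """Constructed stand-in for a DVR/camera login service on 127.0.0.1."""

    def __init__(self, accepted=("root", "xc3511")):
        self.accepted = accepted
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:  # listening socket was closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        try:
            with conn:
                conn.sendall(b"login: ")
                user = _recv_until(conn, b"\n").strip().decode(errors="replace")
                conn.sendall(b"Password: ")
                pw = _recv_until(conn, b"\n").strip().decode(errors="replace")
                if (user, pw) == self.accepted:
                    conn.sendall(b"OK shell ready\n")
                else:
                    conn.sendall(b"FAIL login incorrect\n")
        except OSError:
            pass  # client went away mid-dialog

    def close(self):
        self._srv.close()


if __name__ == "__main__":
    # A device still on its factory default versus one whose password was changed.
    for label, dev in (("factory default", FakeDevice()),
                       ("password changed", FakeDevice(("root", "n0t-a-f4ctory-default!")))):
        print(label, "->", audit_device("127.0.0.1", dev.port))
        dev.close()
```

Running it prints `('root', 'xc3511')` for the device left on its default and `None` for the one whose password was changed, which is the whole point of the next two posts: the scan itself is trivial, and the only thing standing between a device and the botnet is whether that one credential was ever changed.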

Tomorrow, we’ll look at what we can do to mitigate and prevent this style of attack.

* UPDATE 10/25/2016 – IP addresses are not the same as devices: one device can show up under many IP addresses over the course of an attack (its address may be reassigned over time, and some flood traffic forges its source address). According to this post on Threat Post, about 550,000 devices are infected with Mirai, and about 10% of those were used in Friday’s attack. That comes to roughly 50,000 devices behind the 10 million-plus IP addresses observed.

Photo found on New Old Stock, original photo can be found here.