October’s cyberattack used the ‘internet of things’ to attack the internet itself. Here’s why it could happen again.
Network cables of all lengths and colors have become household items as our devices are increasingly connected.
On Oct. 21, a cyberattack targeting Dyn, a New Hampshire company that provides domain registration services, "brought the internet to its knees," as numerous media put it. Websites for major outfits like the New York Times, Netflix and Twitter were all temporarily unavailable.
While this attack didn’t compromise personal data like bank accounts or Social Security numbers, cybersecurity experts agree that this won’t be the last mass internet outage we face. And next time, the damage could be even greater.
That’s because the internet has been made more vulnerable by us — or specifically, our connected devices. In the recent attack, hackers flooded Dyn's servers with web traffic in what’s known as a "distributed denial of service" (or DDoS) attack. And according to Andrea Peterson, a tech reporter for the Washington Post, that deluge of web traffic came from some pretty familiar places. (Do you know what your printer was doing on Oct. 21?)
“One of the most notable things about this — beyond the fact that it showed just how weak our internet infrastructure is, because you can attack this one company and take down a lot of really popular sites — was that the place that all this traffic came from was connected devices,” she says. “Security cameras, for instance. Baby monitors.”
In the Dyn attack, connected devices in ordinary homes and businesses worldwide were conscripted into a “botnet” (also referred to as a "zombie army") using malware called Mirai. Hackers were able to do this in large part due to the "internet of things." Although those networked things offer us convenience, unfortunately, they also make it easy to breach security on our assorted devices.
“A big problem is that a lot of devices have default passwords, and in some cases, those passwords are really hard or even impossible for everyday users to change,” Peterson says.
The Mirai malware scans the internet for connected devices that use one of 62 default usernames and passwords. Even that brief list is enough to give the malware access to hundreds of thousands of devices, security researchers say.
And while newer, brand-name devices are generally safer — and their security flaws patched more frequently — Peterson notes that low-end manufacturers often cut corners on security. But short of disconnecting our printers from the internet, she says, there are several things consumers can do to better protect themselves and their devices.
“You want to make sure your devices are behind a firewall, if you have one that you haven't been able to figure out how to change the password on,” Peterson says. “And also, try to change the password. If you set something up, and you don't know if it had a password on it, or you don't remember, try and find out. Look up the information with the manufacturer or try some other means, [like] Googling.”
As the internet of things expands, device security is becoming an issue of personal safety, as our cars and even medical technologies enter the cloud. Johnson & Johnson recently disclosed that one of its insulin pumps can be hacked at close distances. And while Peterson says it would take an unlikely combination of motive, access and skill to hack an insulin pump, the example underscores the need for consumer caution.
“It shows that there are some real-world physical safety issues that come about by these little errors that are made in code,” she says.
Companies can also take steps for better protection from internet outages. DNS providers like Dyn act as “phone books” for the internet, matching users who type in a URL to the IP address of the website they’re looking for. There are a few DNS providers out there, and in this case, Peterson says, redundancy could be a good thing for your business.
“A lot of companies don't even seem to realize that they are very dependent on this one service,” she says. “And in fact, there is a way that some of the sites could have avoided that problem [in October], which is registering with more than one company that provides the same service that Dyn provides.”
That kind of contingency planning could come in handy sooner rather than later. According to Peterson, the malware that was used to deploy October’s DDoS attack is widely available online.
“The code for this particular malware that was used was released on a popular hacker forum about a month ago,” she says. “And since then, pretty much anyone can actually use it to create their own network of these compromised devices to blast people with traffic.”
This article is based on an interview that aired on PRI's Science Friday.