How household devices brought down the Internet (And how to avoid a DNS attack)

A functioning DNS network vs. one that is under a DDoS attack. Image from the Wall Street Journal 10/24/16 article, "Cyberattack Knocks out Access to Websites."

A functioning DNS network vs. one that is under a DDoS attack. Image from the Wall Street Journal 10/24/16 article, "Cyberattack Knocks out Access to Websites."

Security experts have been reminding us that while the growth of the Internet of Things (IoT) has great potential, we must not lose sight of the need for device security. As the market has exploded – particularly with Smart Home ecosystem devices – the focus has been on deploying the latest (Artificial Intelligence) AI devices to consumers as fast as possible. The concern from security professionals has been that little regard has been paid for data security and protection from malware when building these cloud-enabled devices. A recent attack that brought down some of the world’s largest Internet services illustrates the warnings from security experts now appear well founded.

On October 18, unknown hackers used the Mirai malware bot network to hijack Internet of Things (IoT) devices to bring down large swaths of the Internet itself. The specific DDoS (Distributed Denial of Service) attack was on Dyn, a company providing critical Internet services to sites like Reddit, Twitter, Amazon, Spotify and Soundcloud. An attack of this scale is unprecedented, but could be an early hint of more to come.

If you didn’t notice the attack, that’s because Sinu implements 'smart’ DNS technology for all of our customers that caches and provides the latest good DNS information when current information is not available due to an attack. For Sinu customers, OpenDNS is already included in their service. Businesses that don't rely on Sinu's all-inclusive IT service may want to consider paying for safe DNS services from companies that offer added security and protection that haven't yet been implemented by many ISP's DNS servers. Verisign or OpenDNS, for example, provide detection and filtering software to prevent against harmful content and malware.

Fast Company described the DNS attack in detail saying, “The attackers apparently used tens of thousands of hacked internet of things devices—household appliances such as digital video recorders, security cameras, and internet routers—to generate a massive amount of digital traffic. That digital noise was sent to Dyn, a domain name service provider used by major online companies, disrupting its ability to translate human-readable internet addresses into the IP addresses networks use to route traffic.”

(For more info about how Domain Name Servers (DNS) work, see Sinu’s blog, Understanding DNS to keep your Data Safe.)  

Security experts have been warning developers about this potential for some time. In fact, Mashable reports that the site of esteemed security expert Brian Krebs, who has warned people about the potential for IoT security issues, was attacked by Mirai in September. They note, “generating 665 Gigabits of traffic per second, the incident became perhaps the biggest known DDoS attack since one noted by Akamai in June, which generated 363 Gigabits per second.”

Further, on October 12th, the U.S. Department of Homeland Security issued a warning to Sierra Wireless  consumers suggesting they change their password. Sierra Wireless is a multinational wireless equipment designer and manufacturer specializing in IoT devices. The warning specifically mentioned the Mirai malware bot network and the potential that Sierra Wireless devices could aid in a DDoS attack unbeknownst to its consumers.

Just three days prior to Dyn DDoS attack, Level 3 Communications published a blog analyzed the Mirai malware bot network noting the types of devices it targets: “Mirai targets IoT devices. The majority of these bots are DVRs (>80 percent) with the rest being routers and other miscellaneous devices, such as IP cameras and Linux servers. The devices are often operated with the default passwords, which are simple for bot herders to guess. From the source code it has been found that Mirai’s scanning protocol utilizes a list of generic and device-specific credentials to gain access to susceptible devices.”

In a video blog posted on Periscope shortly following the Dyn attack, Level 3’s chief security officer, Dale Drew, noted that between 500,000 and 550,000 devices have been hacked around the world and are now part of the Mirai network. The Dyn attack utilized just 10 percent of those devices meaning the scale of future attacks could have devastating consequences, far beyond the inconvenience of limited access to Twitter and Netflix.

IoT’s vulnerability to malicious attacks will only increase with the advent of more devices. Business Insider reports, “By 2020, more than 24 billion internet-connected devices will be installed globally — that's more than 4 devices for every human on earth.”

With the deployment of AI built within these software-controlled devices, the next big question we haven’t seen asked (yet) is whether this advanced DDoS attack could signal the future deployment of malware that can learn and adapt on its own, much like the AI equipped devices hijacked in the latest attack. Hijacking AI devices with AI malware could spell a host of new trouble if the companies developing the devices don’t soon begin building additional cyber security protocols into the hardware and software.

The question people are asking is: “What’s next?” People within the security community are speculating right now that the Dyn DDoS attack could be a trial run, and that a larger scale attack may coming in the near future. While no one has yet claimed responsibility for the attack, the FBI is investigating to see if it is part of a state-based effort, ISIS or simply frustrated hackers. Figuring out who is behind it will be helpful in the short-term, but in the long-term, the IoT market is going to have to ramp up its cyber security protocols quickly.

Most of us enjoy the conveniences of home IoT devices – from DVRs to routers and baby monitors. We strongly recommend you purchase cloud-enabled devices that require passwords. Further, hackers have been using default passwords as a means to hijack devices. We advise you to overwrite the default password issued with your device with a new, secure one (for tips on creating and managing strong passwords, see Data Security: Steps you can take today to protect your data).