“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” tweeted Jeff Jarmoc, head of security for global business service Salesforce.
Jarmoc’s comments came after one of the largest cyber attacks in history brought down several of the internet’s biggest sites just over a week ago. The hackers used internet of things (IoT) enabled devices, such as video surveillance cameras and printers, to overwhelm the popular DNS service Dyn, used by all the affected sites.
A DNS service is a fundamental element of the web’s infrastructure: it works like a phone book for the internet, directing users to an internet address where a website is stored. Dyn is one of the most popular DNS services in the world, with clients including Twitter, Spotify, and Reddit, whose sites were all taken offline as a result of the DDoS attack, as confirmed by Dyn:
“On Friday October 21, 2016 from approximately 11:10 UTC to 13:20 UTC and then again from 15:50 UTC until 17:00 UTC, Dyn came under attack by two large and complex Distributed Denial of Service (DDoS) attacks against our Managed DNS infrastructure,” the company’s official statement reads.
A DDoS attack uses a network of malware-infected devices, known as a “botnet,” that are synchronized to barrage a specific server with a massive amount of traffic until it collapses under the strain.
“Early observations of the TCP attack volume from a few of our datacenters indicate packet flow bursts 40 to 50 times higher than normal… There have been some reports of a magnitude in the 1.2 Tbps range; at this time we are unable to verify that claim,” states Dyn.
According to cyber security company Flashpoint, the attack was launched largely through a Mirai-based botnet. Fascinatingly, Allison Nixon, director of research at Flashpoint, said the botnet used in the attack was built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said.
To add to the controversy, the Mirai software used in the attacks was actually released publicly last September, shortly after it was used to target the site of cyber security blogger Brian Krebs. Krebs had recently released an article naming two men associated with an Israeli cyber-attack-for-cash service called vDos.
The article had prompted the men’s arrest, release, and 30-day internet ban, and buried deep in the data packages sent to Krebs was a call for the release of one of the men. “I can’t say for sure, but it seems likely [to be] related,” said Krebs.
The public release means anyone with enough computer skills could potentially build their own advanced botnet and launch an offensive. In addition, the growing world of connected devices brought about by the IoT is acting as ammunition for anyone with the skill, and will, to wield it.
In smart buildings alone “we expect over 3.6 billion devices installed by 2021,” suggests a recent report from Memoori – The Internet of Things in Smart Commercial Buildings 2016 to 2021.
“Today we answered the question ‘what would happen if we connected a vast number of cheap, crummy embedded devices to broadband networks?'” wrote Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, after the recent attack.
While not all IoT devices are “cheap” and “crummy”, Green does make an interesting point about the vulnerabilities that such devices can create for much larger systems. With billions of such embedded devices already deployed, is it already too late to save ourselves from an era of frequent major cyber-attacks?
Not necessarily: technology does exist that can protect against this kind of massive coordinated DDoS attack. For example, the IoT platform developed by IoTium has end-to-end security actually “baked” into the service. It also includes an inbuilt firewall to create a secure perimeter. The assets “are never visible on the internet. This also eliminates any backdoor threats that originate at the end point to attack other assets (both operational and IT) in a corporate network.”
Other firms offer similar technology and the recent attacks will no doubt spur a variety of new solutions to deal with these types of cyber security threats. In turn, hackers, cyber-attack-for-cash services, and even malevolent government agencies, will find new, innovative ways to circumvent security protocols in order to attack their online targets. Future attacks, perhaps unfortunately, will likely use the ammunition provided by the IoT.
“This attack has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of Internet of Things devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet”, Dyn’s statement concluded. We whole-heartedly agree.