Why the DDoS attack happened and what can be done to prevent more episodes

Last weekend, the United States witnessed a massive Internet attack, which caused significant problems for users as prominent sites such as Twitter[1], Amazon[2], Spotify[3], Netflix[4], Reddit[5] and Tumblr[6] were unreachable for several hours. It was caused by problems in infrastructure established and operated by Dyn[7], a global infrastructure and operations provider that serves prominent Internet sites, including the ones listed above.

According to experts quoted in news reports[8], Dyn’s infrastructure was targeted by cyber-criminals who ran a Distributed Denial of Service (DDoS) attack against it. Several sites reported that the attackers had built a botnet to attack Dyn.

[Image: Binary tree, from Open Clip Art]

Neither DDoS nor botnets are new concepts. The goal of a DDoS attack is to render IT infrastructure unavailable to its users. One way to achieve this is to overload the infrastructure under attack with phony requests sent by numerous computing devices that are typically distributed all around the globe, which makes it very difficult to locate the source of the attack.
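The defining signal of the flood described above is not just a high request rate but a high rate spread across many sources, so a detector has to look at both. The following added example (my illustration, not code from the article or from Dyn) buckets a constructed request log into fixed time windows and, for each window over a rate threshold, reports whether the load comes from one noisy client or from many low-volume sources. The log format, the addresses and the thresholds are all assumptions chosen for the illustration.

```python
"""Volumetric flood detector over a constructed request log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timezone


def build_sample_log():
    """Constructed sample log, one line per request: "<ISO timestamp> <client ip> <request>".

    The first ten seconds are normal traffic from two clients; the next ten
    seconds are a flood from 80 distinct (constructed) addresses, each sending
    only three requests, which is the distributed pattern a botnet produces.
    """
    lines = []
    for sec in range(10):
        for ip in ("203.0.113.5", "203.0.113.9"):
            lines.append(f"2016-10-21T12:00:{sec:02d} {ip} A example.test")
    for i in range(80):
        ip = f"198.51.100.{i + 1}"
        for _ in range(3):
            lines.append(f"2016-10-21T12:00:1{i % 10} {ip} A example.test")
    return lines


def parse_line(line):
    """Split one log line into (timestamp as UTC datetime, client ip, request)."""
    ts, ip, request = line.split(" ", 2)
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), ip, request


def analyze(lines, window_seconds=10, rate_threshold=10.0, single_source_share=0.5):
    """Return one finding per time window whose request rate exceeds the threshold.

    A window is labelled "single-source" when one address accounts for at
    least `single_source_share` of its requests, otherwise "distributed".
    """
    windows = defaultdict(Counter)  # window start (epoch seconds) -> per-ip counts
    for line in lines:
        ts, ip, _ = parse_line(line)
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        windows[bucket][ip] += 1

    findings = []
    for bucket in sorted(windows):
        counts = windows[bucket]
        total = sum(counts.values())
        rate = total / window_seconds
        if rate < rate_threshold:
            continue  # normal load, nothing to report
        top_ip, top_n = counts.most_common(1)[0]
        share = top_n / total
        findings.append({
            "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "rate": rate,
            "sources": len(counts),
            "top_source": top_ip,
            "top_share": round(share, 3),
            "kind": "single-source" if share >= single_source_share else "distributed",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The distinction matters for response: a single-source flood can be rate-limited or blocked at the edge, while a distributed one from hundreds of hijacked devices has no single address to block, which is why upstream filtering and capacity (rather than per-client blocking) are the usual mitigations.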

DDoS attacks have been around for almost two decades, since the notorious attacks against Yahoo, Amazon and other major sites in 2000. In recent years they have also been linked to “ransomware” attacks, in which hackers demand a ransom before giving operating rights back to users.

Last week’s incident reveals that DDoS attacks are still here and growing in both number and severity. Botnets are closely related to DDoS, since the term refers to groups of remotely controlled (hijacked) computers that are used to launch attacks against IT infrastructures like Dyn’s. One of the most famous botnet attacks, back in 2013, was the so-called “Ramnit”, which impacted millions of computing systems.

What is really new in the attack against Dyn is that IoT devices were hacked in order to launch the DDoS and to form the botnet.

Specifically, Internet of Things (IoT) devices such as Internet-connected CCTV (Closed Circuit Television) cameras and DVRs (Digital Video Recorders) were hijacked by cyber-criminals as part of the attack. According to security firms and the post-incident analysis, the recently developed “Mirai” malware was deployed on the IoT devices, which were then used to attack nodes of Dyn’s infrastructure. This was one of the first instances in which IoT devices were directly involved in launching a cyber-security attack against major Internet sites, and it marks a milestone in the security of IoT devices.

The attack also drove home the point that IoT devices are Internet-connected, pervasive computers that can launch DDoS attacks in much the same way as laptops, desktop computers and servers can. This “milestone” naturally raises important concerns about the vulnerabilities of IoT devices and the related infrastructure. It brings to the foreground the security weaknesses of IoT devices that make them easy prey.

Let’s briefly explore the sources of these weaknesses.

First of all, there are their passwords and authentication mechanisms. IoT devices are usually protected by a conventional password mechanism, which does not provide strong security, especially since in most cases users keep the “default” (or easy-to-guess) passwords, which are easily hacked.

There are also devices whose passwords are hardcoded in the firmware and cannot easily be changed through the usual Web interface. By hacking the password, cyber-criminals can compromise the device and make it part of a botnet. Note also that in most cases the attackers reach the IoT device through the conventional command-line ‘Telnet’ and ‘SSH’ (Secure SHell) services, which act as their gateway to the device.

Second, some IoT devices are poorly patched, i.e. they do not receive the latest security patches, which leaves them vulnerable to attack. A simple example is a device running an old version of its operating system.

Third, several IoT devices exchange unencrypted data, which makes it easy to sniff and steal even non-default passwords. Last but not least, IoT infrastructure operators have to cope with the security vulnerabilities of WiFi networks, which carry most IoT traffic worldwide. One may indeed argue that the latest editions of the WiFi protocols provide much stronger security than the early WEP (Wired Equivalent Privacy) mechanism. That is true without a shadow of a doubt, but not all WiFi infrastructures deploy the most advanced mechanisms.
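The four weaknesses just listed (weak or default passwords, hardcoded passwords, exposed Telnet/SSH management, missing patches, cleartext traffic and weak WiFi security) are all things an operator can check for before a device goes on the network. The following added example (my illustration, not code from the article or from any device vendor) audits a device’s configuration, represented here as a plain dictionary, against those points and returns the findings. The configuration keys, the short list of common default passwords and the two sample devices are constructed for the illustration.

```python
"""Configuration audit for an IoT device against the weaknesses discussed above (added example)."""

# Constructed, deliberately short list of factory-default passwords; a real
# deployment would keep a vendor-specific list maintained by the operator.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "root", "default"}
MIN_PASSWORD_LENGTH = 12

# Constructed sample devices. Keys are assumptions for this illustration.
VULNERABLE_DEVICE = {
    "admin_password": "admin",          # factory default, never changed
    "password_changeable": False,       # hardcoded in firmware
    "telnet_enabled": True,             # cleartext remote shell reachable
    "ssh_password_auth": True,          # SSH accepts password logins
    "firmware_version": "1.0.2",
    "latest_firmware": "1.4.0",
    "management_tls": False,            # web/admin traffic sent unencrypted
    "wifi_security": "WEP",
}

HARDENED_DEVICE = {
    "admin_password": "Tq9!v2Lm#zP4rW",  # constructed strong value
    "password_changeable": True,
    "telnet_enabled": False,
    "ssh_password_auth": False,         # key-based SSH only
    "firmware_version": "1.4.0",
    "latest_firmware": "1.4.0",
    "management_tls": True,
    "wifi_security": "WPA2",
}


def version_tuple(version):
    """Turn "1.4.0" into (1, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(config):
    """Return a sorted list of finding codes; an empty list means every check passed."""
    findings = []
    password = config["admin_password"]
    if password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
        findings.append("weak-or-default-password")
    if not config["password_changeable"]:
        findings.append("hardcoded-password")
    if config["telnet_enabled"]:
        findings.append("telnet-exposed")
    if config["ssh_password_auth"]:
        findings.append("ssh-password-auth")
    if version_tuple(config["firmware_version"]) < version_tuple(config["latest_firmware"]):
        findings.append("outdated-firmware")
    if not config["management_tls"]:
        findings.append("cleartext-management")
    if config["wifi_security"].upper() in ("WEP", "OPEN", "NONE"):
        findings.append("weak-wifi")
    return sorted(findings)


if __name__ == "__main__":
    for name, device in (("vulnerable", VULNERABLE_DEVICE), ("hardened", HARDENED_DEVICE)):
        print(name, audit_device(device) or "no findings")
```

The checks are deliberately simple because the point is which properties to look at, not the scoring; in practice the values would be pulled from a device inventory or a management API rather than typed in by hand, and an operator would run the audit again after every firmware update.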

Last week’s attack caused some annoyance to Internet users and had some financial implications. However, in other emerging IoT applications such as self-driving cars and healthcare, the consequences of an IoT-related security attack can be life-threatening. As IoT infrastructure and technologies expand rapidly, security mechanisms must keep up. Moreover, IoT security should be fully embraced by security policies, since security is a matter not only of technology but also of people and processes. It may sound strange that in the future we will have to take care of the IT security of our cars, wearables and refrigerators, but that is part of the price we have to pay to leverage the fantastic benefits of the IoT.


[1] www.twitter.com

[2] www.amazon.com

[3] www.spotify.com

[4] www.netflix.com

[5] www.reddit.com

[6] www.tumblr.com

[7] dyn.com

[8] https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/

John Soldatos is an Internet of Things, Cloud Computing, JavaEE consultant, writer and published author.

