On Friday, a series of massive distributed denial of service attacks disrupted access to major internet services including GitHub, Twitter, Spotify, and Netflix.
The attackers apparently used tens of thousands of hacked internet of things devices—household appliances such as digital video recorders, security cameras, and internet routers—to generate a massive amount of digital traffic. That digital noise was sent to Dyn, a domain name service provider used by major online companies, disrupting its ability to translate human-readable internet addresses into the IP addresses networks use to route traffic.
The attack came after years of warnings from security experts that the makers of many internet-enabled devices paid too little attention to security, shipping internet-connected hardware with preset passwords, insecure default connections, and other vulnerabilities.
“It is just a matter of time until attackers find a way to profit from attacking IoT devices,” a report from security firm Symantec warned last year. “This may lead to connected toasters that mine cryptocurrencies or smart TVs that are held ransom by malware. Unfortunately, the current state of IoT security does not make it difficult for attackers to compromise these devices once they see the benefit of doing so.”
Hackers and security researchers have previously exploited vulnerabilities to get access to devices like baby monitors and webcams. Researchers from security company Pen Test Partners even demonstrated earlier this year how hackers could install ransomware on an internet-connected thermostat, leaving victims sweltering or shivering until a ransom is paid.
And in Friday’s attack, compromised IoT devices were coordinated as part of a botnet—a network of hacked machines essentially turned into remote-controlled robots by malware—dubbed Mirai. Between 500,000 and 550,000 hacked devices around the world are now part of the Mirai botnet, and about 10% of those were involved in Friday’s attack, said Level 3 Communications chief security officer Dale Drew on the internet backbone provider’s Periscope channel Friday.
“With a rapidly increasing market for these devices and little attention being paid to security, the threat from these botnets is growing,” according to a blog post published by Level 3 just days before the attack.
Mirai-controlled devices were also key components in a September denial of service attack on Krebs on Security, the high-profile blog by security journalist Brian Krebs that’s both required reading for many in the industry and a juicy target for the hacking groups Krebs covers. At the time, Krebs reported that the attack was the largest ever seen by content distribution network provider Akamai, nearly twice the size of the existing record holder.
Devices compromised by Mirai have been detected in at least 164 countries, researchers from security firm Imperva reported earlier this month, with the bot programmed essentially to scan wide swaths of the internet looking for more devices with default or easily predictable passwords that it can infect. It’s still not known who created the initial Mirai malware, although the source code powering the botnet was released by a hacker using the name Anna_Senpai earlier this month.
It’s also unclear whether the botnet’s initial creators are directly behind the attack on Dyn or whether they’re effectively selling access to the attackers.
“The person who’s buying time on that bonnet could be buying time on quite a few other botnets as well,” Drew said on the Level3 Periscope channel. The Department of Homeland Security and Federal Bureau of Investigation have said they’re investigating Friday’s attack.
Security experts advise users of IoT devices to take simple steps like changing default passwords and installing any security updates that manufacturers provide, but it can be difficult to make many such devices fully secure against a determined hacker. Some manufactures don’t provide updates at all, and some only provide them through an insecure online channel, letting hackers effectively generate their own malicious updates, according to last year’s Symantec report.
“Unfortunately, it is difficult for a user to secure their IoT devices themselves, as most devices do not provide a secure mode of operation,” says the report, which also urges manufacturers to implement basic security measures on their connected products.
Requiring users to set their own secure passwords when setting up the devices, and disabling unneeded avenues for remote control, would help keep hackers out, according to Level 3’s Mirai report.
Users can often also configure the devices to disable remote login to the devices and use free tools to make sure those connections are actually disabled, says Imperva.
“With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices like these should become the new norm,” says the company. “Make no mistake; Mirai is neither the first nor the last malware to take advantage of lackluster security practices.”