It seems like a fine idea to have a computer in your refrigerator, be able to control your thermostat with your smartphone, and sync your DVR with your laptop. The problem is that the security for these everyday devices seems to be total junk, something that has been a topic of interest over at Boing Boing for a while now and has now reportedly hit the main headlines thanks to Friday’s major internet outage.
Many fingers have been pointed and some groups like Wikileaks are taking a bit of responsibility, claiming their supporters are behind the DDoS attacks that plagued Dyn throughout the day on Friday. Our initial post gave a run down on how this was achieved, essentially giving a crash course on how the DDoS attack was able to achieve so much:
If you’re not up on your acronyms, DNS is short for domain name system: Think of it like the contacts list of the internet, a way to get crucial information your computer needs to load a website. A distributed denial of service attack is essentially hosing a website with so much spam that it can’t keep up. This attack is making it impossible for Dyn to do its job, making it impossible for your computer to access sites because the data to do so simply isn’t there.
And now, according to multiple sources, the main culprit seems to have been the Mirai malware/trojan that takes advantage of any of those everyday items with a basic connection to the internet. The “Internet of Things” made it possible for someone to initiate the massive attack that seemed to bring the internet to a standstill on Friday, supported by the security group Flashpoint and security expert Brian Krebbs:
The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers. Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. The 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai, for example.
As Cory Doctorow points out over at BoingBoing, the 620 Gbps figure is something one could expect from a “state actor,” but is made possible by the flimsy security behind the IoT devices that have been infected by the malware to form the Mirai botnet, supported by a report in the New York Times:
Level 3 CSO Dale Drew says that the attack only used “about 10 percent” of the half-million Mirai nodes available (a number that continues to grow). These devices are not designed to be easily updated in the field, meaning that even if security in future versions of IoT products is improved, the existing dumpster fire of the installed base of Internet of Sh*t devices will continue to rage, finding and infecting every last Mirai-vulnerable device and recruiting it into a virtually unkillable source of attacks on critical infrastructure.
BoingBoing reports that the Krebb’s hack revealed the “clumsy, amateurish” nature behind the code that was used, showing that essentially anybody with knowledge of how to access these IoT devices and the ability to create their own malware using the exisiting tools could mount an attack online. If it wasn’t Russia or China behind Friday’s attack on Dyn, the possibilities are far more frightening and far more serious than just not being able to Tweet.
Worse yet is the idea that all of this is just a ploy to test defenses for an alleged “internet killer,” as security expert Bruce Schneier explains in a recent blog post. It could just be a small group or collective behind it all or it could be something far bigger:
Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.
The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.
Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.
It all seems like a joke or something you’d read on a conspiracy site, but it is very real with the recent DNC hack and other high-profile events we’ve seen in past years. According to The New York Times, this is precisely the kind of thing that worries those tabulating votes in the upcoming election:
Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizen to do so. Barbara Simons, the co-author of the book “Broken Ballots: Will Your Vote Count?” and a member of the board of advisers to the Election Assistance Commission, the federal body that oversees voting technology standards, said she had been losing sleep over just this prospect.
“A DDoS attack could certainly impact these votes and make a big difference in swing states,” Dr. Simons said on Friday. “This is a strong argument for why we should not allow voters to send their voted ballots over the internet.”
Who is behind Friday’s attack and the flood of speculation surrounding an “internet killer” is still up in the air. What is clear is that the security of our devices that are connected to the internet is paper thin and should be looked at in the same manner that we look at any other form of security. If someone is able to bring the internet to a basic halt thanks to a small bit of code written and utilized thanks to a cheap DVR box or fridge, that’s a problem. Worse yet, the solution doesn’t seem to be an easy fix and the spread of the botnet is only going to grow.
(Via Boing Boing / The Washington Post / The New York Times / Krebs On Security)