After massive cyberattack, shoddy smart device security comes back to haunt

Almost everyone affected by the cyberattack had a part to play -- from shipping shoddy devices to consumer apathy towards security.
Written by Zack Whittaker, Contributor

Friday morning saw the largest internet blackout in US history. Almost every corner of the web was affected in some way -- streaming services like Spotify, social sites like Twitter and Reddit, and news sites like Wired and Vox appeared offline to vast swathes of the eastern seaboard.

After suffering three separate distributed denial-of-service (DDoS) attacks, Dyn, the domain name system provider for hundreds of major websites, recovered and the web started to spring back to life.

The flooding attack was designed to overload systems and prevent people from accessing the sites they want, on a scale never seen before.

All signs point to a massive botnet utilizing the Internet of Things, powered by malware known as Mirai, which allows the botnet's operator to turn a large number of internet-connected devices -- surveillance cameras, smart home devices, and even baby monitors -- against a single target.

In this case, it was Dyn's servers.

"We're seeing attacks coming from an Internet of Things botnet that we identified called Mirai, also involved in this attack," said Dale Drew, chief security officer at Level 3, in a live stream on Friday, at a time when information about the attack was still scarce.

Dyn later said Saturday in a blog post that the attack was "highly distributed" and involved "tens of millions of IP addresses."

"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations," the statement read. The company also confirmed that the use of Mirai was only part of the wider attack.

Chester Wisniewski, principal research scientist at security firm Sophos, said that this demonstrates "incredible power wielded by just one type of device," and argued that harnessing the power of tens of millions of insecure smart devices "could cause incredible disruptions."



What sets the Mirai botnet apart is that the malware doesn't require much hacking power. It scans for devices and cycles through the default username and password credentials that those devices ship with, rather than relying on any extensive vulnerability exploitation. Security researchers have called the code "amateurish," despite arguably being better than "most" other malware hitting smart devices.
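The credential cycling described above leaves a recognizable trace in a defender's own login logs: one source trying several factory-default account names across more than one device in a short time. The following Python code is an added example, not part of the original article; the log format, device names, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed-login lines in a made-up device log format.
SAMPLE_LOG = """\
2016-10-21T11:10:01 cam-01 login failed user=root src=203.0.113.5
2016-10-21T11:10:02 cam-01 login failed user=admin src=203.0.113.5
2016-10-21T11:10:03 cam-01 login failed user=support src=203.0.113.5
2016-10-21T11:10:05 dvr-02 login failed user=root src=203.0.113.5
2016-10-21T11:10:06 dvr-02 login failed user=admin src=203.0.113.5
2016-10-21T11:12:00 cam-01 login failed user=alice src=198.51.100.7
2016-10-21T11:40:00 cam-01 login failed user=alice src=198.51.100.7
2016-10-21T11:10:09 dvr-02 login failed user=guest src=203.0.113.5
not a log line
"""

LINE = re.compile(r"^(\S+) (\S+) login failed user=(\S+) src=(\S+)$")

def parse(text):
    # Return (time, source, device, user) tuples in time order; skip junk lines.
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, device, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), src, device, user))
    return sorted(events)

def credential_cyclers(events, window=timedelta(minutes=5), min_users=3, min_devices=2):
    # Flag sources that try many account names on several devices within one window.
    by_src = defaultdict(list)
    for ts, src, device, user in events:
        by_src[src].append((ts, device, user))
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            users = {u for _, _, u in span}
            devices = {d for _, d, _ in span}
            if len(users) >= min_users and len(devices) >= min_devices:
                flagged[src] = {"users": sorted(users), "devices": sorted(devices)}
    return flagged  # holds the most recent qualifying window per source

if __name__ == "__main__":
    print(credential_cyclers(parse(SAMPLE_LOG)))
```

A single user mistyping a password (the `alice` lines) stays below both thresholds, while the source that walks through several account names on two devices is flagged.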

Dyn is expected to give a more detailed update early next week.

Given that all signs (though yet to be fully confirmed) point to the "what," the big questions to ask next are who was behind the attack, and why?



Surprise! Nobody knows. And we're not going to find out much any time soon, says security expert Bruce Schneier.

Because the Mirai code is open source, anyone can theoretically leverage the botnet's power. That makes attribution even tougher when you're trying to pin the blame -- anyone from a lone hacker to a nation state could be behind the attack.

"Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks," security firm Flashpoint said in a blog post.

Flashpoint and others have said that while Mirai was almost certainly involved, it likely wasn't fully responsible for the attack. The attacks on Dyn used "separate and distinct botnets" from those behind similar attacks carried out with the Mirai botnet, such as the attacks on security reporter Brian Krebs' website and against French cloud company OVH.

Schneier, however, warned weeks ago of the threat posed by the significantly larger flooding attacks seen in the past few months.

"Who would do this? It doesn't seem like something an activist, criminal, or researcher would do," he said in a blog post. "It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- points to state actors."

US authorities confirmed to sister-site CBS News that they were investigating the attack, but didn't comment further.

As of Saturday morning, things have settled down. Dyn had no further update on its status page as of the time of writing.

Almost everyone affected bears some part of the blame for Friday's cyberattacks. The tech companies for shipping devices with default passwords. The buyers who don't change the passwords. The companies like Dyn that manage network infrastructure and couldn't repel an attack of this size, and even the websites that suffered as a result of the Dyn attack have their own uptime lessons to learn from the outage.

The fact that an attack on this scale could happen isn't a surprise in itself. Security researchers and hackers alike have warned that the Internet of Things poses a considerable headache because nobody is putting security first.

Where we'd normally blame the weakest link, it seems the entire security chain is busted.

Updated on October 23: with additional commentary from Dyn.
