In mid-September, the website of Brian Krebs, a leading cybersecurity reporter, went down under the weight of the biggest distributed denial-of-service (DDoS) attack in history. Akamai, a company that provides backend services and infrastructure for many websites, including Krebs’s, said that it was twice as big as any attack it had previously seen.
Making matters worse, at the end of the month, someone published the source code of the malware used to power the DDoS attack. Called Mirai, the software was designed to scour the internet for vulnerable devices that it can then highjack. Once a hacker has gained control of thousands or even millions of devices this way, he can use Mirai to bombard websites with phony traffic, overwhelming their networks. And just like that, this tool was available to practically anyone.
It wouldn’t be long before someone used Mirai to take down not one journalist or company but a critical piece of internet infrastructure. That’s precisely what happened on Friday. Someone used the Mirai malware to create a massive botnet to target Dyn, a provider of DNS services. The Domain Name System is often called the internet’s switchboard. Essentially, it connects a website to the numbered IP address that represents it, so when you type newrepublic.com into your browser’s address bar, the browser consults a DNS server and then connects you to its associated IP address (for TNR it’s 220.127.116.11). But when Dyn’s systems were flooded with traffic, they couldn’t serve up DNS requests. As a result, some of the world’s biggest websites—Twitter, Netflix, Airbnb, Reddit—became inaccessible to millions of internet users. Maps of the outage showed vast blooms of red in the upper Midwest, the Northeast, Texas, Washington, and California, reflecting the areas that had been hit hardest.
Mirai isn’t the first malware of its kind—some cyber-criminals offer rentable botnets and other forms of “DDoS-as-a-service”—but it’s become the most visible example of the growing insecurity of the Internet of Things (often referred to by its acronym IoT). Once hailed as the next frontier in technological development, the IoT was supposed to empower consumers by connecting more “smart” devices to the internet, making it so that various home appliances could talk to one another. But some commentators have long questioned both the utility and the security of IoT devices. Just because we can connect a toaster or a fridge to the internet doesn’t mean we should—a fact that becomes all too clear when shoddy security leads to your fridge being press-ganged into a million-strong botnet. (Many consumers will never even know that their devices are compromised. Earlier this year, The New York Times ran a story about the owners of a Wisconsin welding shop who were baffled to discover that Chinese hackers had commandeered their computer, using it as a command-and-control server from which to launch cyber-attacks.)
The problem lies less with consumers than with device manufacturers who have either not considered security or simply see it as an expensive inconvenience. Many IoT devices ship with widely used default passwords, with no password protection, or are easily hackable; with some, users have no ability to change the password at all. The search engine Shodan can be used to trawl the internet for unsecured connected devices, from thermostats to printers to baby monitors. Simple apps like Live Camera Viewer, made for Android, provide feeds from unsecured surveillance cameras, offering an eerie, voyeuristic look into Russian hotels, Spanish restaurants, and German streetscapes, along with the requisite feeds of animals at play in aquariums and zoo exhibits. Because manufacturers rarely, if ever, update the firmware on their IoT devices—some have no way to push out security updates en masse—vulnerable devices like these are unlikely to ever be fixed.
Mirai looks for 68 different default username/password combinations that are used in a range of IoT products. Some of these gadgets are generically produced in huge quantities in Chinese factories and then resold under various brand names. Friday’s attack employed hijacked devices made by Dahua, but the bulk of the botnet appeared to be composed of DVRs and surveillance cameras produced by XiongMai Technologies, which is based in Hangzhou. As Allison Nixon, director of Flashpoint, a cybersecurity firm, told Krebs, “It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States.” The attack against Dyn used tens of millions of IP addresses, according to a company statement (though the actual number of compromised devices may only be in the hundreds of thousands).
Many of these devices had the user name “root” and the password “xc3511.” While some of these devices aren’t accessible through the web, many of them can be accessed through Telnet, a communications protocol that allows someone to submit commands through a simple text interface. This capability would be unknown to most consumers, but for anyone with even a minimum of coding knowledge, it’s easy to do.
For many in the cybersecurity community, Friday’s attack was a watershed moment — “a new era of internet attacks powered by everyday devices,” as the Times put it. “The game has changed,” Lewis Shepherd, a technology consultant, wrote on his website. “The tidal wave is well upon us and won’t be technically turned back in large part.” The technical challenge, as Shepherd and many others have noted, is that there’s little way to secure already compromised devices. The only solution, it seems, is to disconnect the millions of vulnerable devices from the internet. Many consumers lack even a basic awareness of how vulnerable their gadgets are; unbeknownst to them, their webcam or thermostat might be used to gain access to their home network and their personal information. Some commentators have suggested that hopelessly broken devices should simply be “bricked,” made unusable in order to protect the security of the larger internet. All seem to agree that IoT manufacturers must do a better job of securing their products going forward, but that’s unlikely to happen without government regulation, product recalls, new industry standards, class-action lawsuits, and other forms of pushback.
With the issues of foreign hacking and election-meddling in the air, some fear that Mirai could be used to disrupt electronic voting machines next month. But the danger is greater than that and will endure far past November 8. Massive cyber-attacks and internet service disruption used to be only the province of nation-states. Now criminal gangs and individual hackers (not to mention anyone who feels like downloading and tinkering with the Mirai source code) have many of the same capabilities.
Aided by a flood of cheap sensors and cut-rate connected devices, the tech industry has networked the world faster than it can secure it. Consumer education would help, but it’s only the last step in what should be an ambitious, wide-ranging effort. First, tech companies must take responsibility for the growing cyber-security crisis and dedicate themselves to fixing the problems they’ve created. The U.S. intelligence community, which has prioritized the stockpiling of so-called “zero day” vulnerabilities over the securing of the country’s technological infrastructure, also must be called to account. Having dozens of net-connected devices in every home and office is catnip to intelligence officials like Director of National Intelligence James Clapper, who has spoken of the IoT as an important new avenue for intelligence work and spying. But the risks were made all too apparent on Friday, and the next time that a major piece of internet infrastructure fails, it may not be so easy to put it back together again.