Someone clever seriously disrupted the Internet’s marquee web properties recently. The attacker launched several waves of nuisance traffic against domain name provider Dyn, clogging up Dyn’s systems and causing them to crash.
This is what’s known as a distributed denial-of-service (DDoS) attack. And since Dyn routes traffic to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and PayPal, those popular websites were offline for most of Friday, Oct. 21st, frustrating millions.
DDoS attacks are nothing new, of course. They happen on a daily basis, and companies and government agencies spend hundreds of millions of dollars a year to defend against them. However, this was a milestone attack with a number of profound ramifications:
Dyn was inundated by a record 1.2 terabytes per second of nuisance signals, twice the volume of any previously monitored DDoS attack. This unprecedented scale was achievable because the attacker successfully weaponized everyday Internet of Things (IoT) devices, namely web cams, digital video recorders and routers, to carry out the campaign.
If you’re sensing a monstrous new cyber exposure has arrived, you’re correct. This attacker managed to instruct hundreds of thousands of compromised IoT devices to swamp Dyn, thus establishing a powerful new means to extend and escalate DDoS attacks.
Researchers from Level 3 Communications’ Threat Research Labs and security vendor Flashpoint first identified a new family of malicious software proactively targeting IoT devices about a year ago. Hackers don’t have to do much to take advantage of the simple, loosely protected operating systems commonly used in such devices.
One prominent functionality of this malware is that it self-replicates; it continually seeks out and infects other IoT devices, turning control of each compromised device over to the hacker. “Two of the top three devices being infected are IP cameras and DVRs, devices commonly used in the home,” says Level 3 Chief Security Officer Dale Drew.
Disrupting banks and gamers
A couple of hacking rings — Lizard Squad and PoodleCorp — have been in the vanguard of IoT-powered DDoS attacks. Security firm Arbor Networks, for instance, has monitored Lizard Squad launching such assaults against two large Brazilian banks, two Brazilian government agencies and three large U.S. gaming companies. And PoodleCorp has used IoT botnets to disrupt Pokemon Go, PlayStation, Electronic Arts (EA), Grand Theft Auto, Blizzard and League of Legends.
Back to the DDoS attack against Dyn: the attacker probably did not intend to shut down Twitter and Spotify on Oct. 21st. Criminal hackers at this level prefer flying under the radar. The tech giants, in fact, appear to be collateral damage. According to security technologist Bruce Schneier, the Dyn attack most likely was the work of hackers upset with Dyn for helping blogger Brian Krebs identify two Israeli hackers running a DDoS for hire operation, which led to their arrest by the FBI. So that huge attack was revenge motivated.
What to expect
John Wu, CEO of security startup Gryphon, notes that the malware family fueling the Dyn attack is still out in the Internet wild, almost certainly continuing to self-replicate. “We don’t know exactly how many devices are still out there as sleeper bots,” Wu says. “The next attack may not be as public, since they’ve already shown what the botnet network is capable of.”
Cue the ominous soundtrack from Jaws. We can fully expect a steady advancement of IoT devices getting compromised in 2017. Hackers from here on out will assemble IoT botnets at scale and direct them to pursue all manner of criminal pursuits against consumers and companies.
There is hope
A cross section of experts working under the auspices of the National Institute of Standards and Technology has spent two years hammering out a framework for establishing an appropriate level of IoT security. The final version of NIST Special Publication 800-160 was released Nov. 14.
Now the heavy lifting begins. While the NIST standards are voluntary, it is imperative that IoT device manufacturers, Internet services companies and infrastructure providers embrace them. They are a crucial first step in securing rapidly emerging IoT systems. In the meantime, consumers and businesses should fully expect hackers with malicious intent to accelerate their efforts to exploit the intrinsic security shortcomings of the Internet of Things.