The more we learn about the cyberattack that brought down much of the Internet in the United States last Friday, the more appalling it becomes.
Landing in three waves, the attack temporarily crippled parts of Dynamic Network Services, better known as Dyn, a managed Domain Name System (DNS) provider whose servers translate its customers’ web addresses into the numeric addresses that browsers actually connect to. When those lookups failed, internet users were blocked or delayed when trying to reach such popular online services as Netflix, eBay, Twitter and PayPal.
Investigators could tell right away that the attack was the work of a botnet — an army of far-flung devices surreptitiously commandeered by hackers and directed to do mischief. In this case, Internet-connected digital video recorders, security cameras, printers and routers were instructed to overwhelm Dyn with DNS lookup requests. The volume was so great that Dyn’s servers weren’t able to answer the legitimate requests from Internet users trying to reach Dyn’s customers.
The latest revelation is that the attackers may not have meant to cause the virtual havoc they wrought. Instead, according to researchers at the cyber-security firm Flashpoint, the target appears to have been a single Dyn customer, Sony’s PlayStation Network. But the way they chose to do it was to gum up a core Dyn service that many of its customers relied on.
More alarming is that much of the internet was brought to its knees by attackers, or even a single person, using malware whose source code was publicly released and is now available to any enterprising hacker. Called Mirai, it scans the internet for devices it can infect; according to security researcher Brian Krebs, those include devices whose user names and passwords were set by the manufacturer and left unchanged by the purchaser, which Mirai finds simply by trying a built-in list of factory-default logins. Once it gets in, it loads software that lets the device be controlled remotely, although only for limited purposes. The primary use: joining a global swarm of infected devices that flood a target with traffic.
What makes Mirai especially dangerous is the enormous number of internet-connected devices that it can infect. Dyn initially said that last week’s assault came from more than 10 million separate devices online, which researchers said would probably make it the largest botnet attack ever; Dyn’s own later analysis put the number of malicious endpoints at roughly 100,000, which is still an enormous botnet. And according to Krebs, many of these devices have factory-set passwords hard-coded into their firmware, so that users could not change them even if they wanted to. That makes them that much more vulnerable to being hijacked.
The Dyn attack showed an alarming level of vulnerability in the internet. And the cause wasn’t lax security at Dyn or the companies that used Dyn’s services. It was poorly designed devices bought by millions of people who became the attackers’ unwitting accomplices.
In a recent letter to federal regulators, U.S. Sen. Mark Warner noted that a fundamental problem is that “there is no requirement that devices incorporate even minimal levels of security.”
Warner has suggested several ways that the government could press manufacturers, internet service providers and retailers to reduce the proliferation of problematic devices. And manufacturers certainly need to recognize that they shouldn’t be selling internet-connected devices that can’t be updated to plug the security holes that hackers will inevitably find.
But as the Dyn attack clearly showed, vulnerabilities aren’t just the manufacturers’ fault. People who attach smart devices to the internet without changing the default user name and password are just setting those products up to be part of a botnet.
If consumers demand more secure products, device makers will produce them.
Device manufacturers may need to sacrifice some convenience by forcing their customers to change each new device’s user name and password as soon as they connect it to the internet, and by refusing any new password that is itself a well-known factory default. And ultimately, they may need to follow the lead of computer software companies and push cryptographically signed updates automatically to their connected devices, rather than relying on their customers to install patches dutifully. At the very least, though, they need to make sure that their products can be updated. Policymakers and industry leaders should push device makers to take that step while the memory of the Dyn attack is still fresh.
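To make the recommendation concrete, here is an added example (written for this edited version; it is not code from the editorial, from Dyn, from Krebs, or from any device vendor) that models the first-boot policy described above together with the Mirai-style behaviour described earlier: a device ships with factory-default credentials, refuses remote logins until those credentials have been replaced, and rejects replacements that match a known default or are trivially weak. The list of default logins, the password thresholds, and the `Device` class are all constructed for illustration; a real firmware would use a vetted strength checker and a much longer default list.

```python
"""Added example: first-boot credential policy versus a Mirai-style
default-credential spray. Everything here is illustrative; the default
list and thresholds are assumptions, not a vendor's real data."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field

# Constructed list of (user name, password) pairs standing in for the
# factory defaults that Mirai-style scanners try. Illustrative only.
KNOWN_DEFAULTS = frozenset({
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
})
DEFAULT_PASSWORDS = frozenset(p for _, p in KNOWN_DEFAULTS)
MIN_LENGTH = 12   # assumed policy threshold
MIN_BITS = 50     # assumed policy threshold


def estimate_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of character classes used).
    Enough to reject 'password1'; not a substitute for a real checker."""
    pools = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 32),
    ]
    alphabet = sum(size for present, size in pools if present)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def credential_problems(username: str, password: str) -> list:
    """Reasons a proposed login is unacceptable; an empty list means OK."""
    problems = []
    if (username, password) in KNOWN_DEFAULTS:
        problems.append("matches a known factory default")
    elif password in DEFAULT_PASSWORDS:
        problems.append("password is a known factory default")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_bits(password) < MIN_BITS:
        problems.append("too little estimated entropy")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def derive_hash(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Device:
    """A hypothetical IoT device. With enforce_first_boot=True, remote
    services stay off until the shipped default login is replaced."""
    enforce_first_boot: bool = True
    username: str = "admin"
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    credentials_changed: bool = False

    def __post_init__(self):
        self.pw_hash = derive_hash("admin", self.salt)  # shipped default

    def services_enabled(self) -> bool:
        return self.credentials_changed or not self.enforce_first_boot

    def set_credentials(self, username: str, password: str) -> None:
        """Setup-time path (local console or setup app), not remote login."""
        problems = credential_problems(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = derive_hash(password, self.salt)
        self.credentials_changed = True

    def login(self, username: str, password: str) -> bool:
        """Remote login attempt, as a scanner would make it."""
        if not self.services_enabled():
            return False
        if username != self.username:
            return False
        return hmac.compare_digest(derive_hash(password, self.salt), self.pw_hash)


def spray_defaults(device: Device) -> list:
    """What a Mirai-style scanner does: try every known default login
    and return the pairs that worked."""
    return [(u, p) for u, p in sorted(KNOWN_DEFAULTS) if device.login(u, p)]


if __name__ == "__main__":
    fresh = Device()
    print("fresh device, defaults that work:", spray_defaults(fresh))
    fresh.set_credentials("owner", "Correct-Horse-42!")
    print("after setup, defaults that work:", spray_defaults(fresh))
    legacy = Device(enforce_first_boot=False)
    print("legacy device, defaults that work:", spray_defaults(legacy))
```

The `legacy` device stands for the products the editorial criticises: it answers remote logins from the moment it is plugged in, so the spray finds its factory login immediately. The enforcing device answers nothing until its owner has completed setup, and then only with credentials that pass `credential_problems`, so the same spray finds nothing.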
This is an edited version of an editorial originally published in the Los Angeles Times.