Is your DVR a double-agent?
It isn’t an idle question. An event that was largely ignored by the general public in the wild final weeks of the election campaign raises some scary questions about the security of the internet.
On October 20, a little-known New Hampshire-based company called Dyn Corp. suffered a devastating hack attack. You may never have heard of Dyn, but you’ve certainly heard of the companies knocked offline or otherwise affected by the assault: Twitter, Netflix, eBay, Apple’s App Store, Reddit, Spotify, The New York Times and many others.
Internet malware attacks happen all the time. What makes this one noteworthy is its source: millions of unsecured or loosely secured internet-connected devices, such as routers and surveillance cameras, cobbled into an attacking force—what security experts call a “botnet”—right under the noses of their unsuspecting owners. And if those experts are right, we may see a lot more of this kind of thing in the future.
The number of smart devices—the so-called “Internet of Things”—is exploding. Research firm Gartner estimates that 6.4 billion such gadgets are now in use, up 30 percent from a year ago, and it sees the number skyrocketing to nearly 21 billion by the year 2020.
Most of them are consumer products: TVs, DVRs, webcams, thermostats, refrigerators, washing machines, even garage-door openers. Almost all of them are designed much more with ease of use in mind than security. And most consumers have no clue about the vulnerabilities they’re creating.
This isn’t a problem consumers are likely to be able to solve on their own.
“People install these things, they set them, they connect them to their router, they don’t change the password,” Travis Farral, director of security strategy at international cybersecurity firm Anomali, told me last week on NBC-TV’s Press:Here. “The botnet takes advantage of that and basically just grabs that device, logs in, installs some software and allows it to communicate to the Net.”
That appears to be what happened in the Dyn attack.
Dyn and companies like it perform a critical behind-the-scenes role on the Internet, converting the familiar website addresses we tap or click on—like www.observer.com—into the numerical addresses of the servers we’re trying to reach. Paralyze these domain name services, and you can render the sites that use them effectively unreachable.
In the hack attack—known in the trade as DDoS, or Distributed Denial of Service—Dyn’s servers were suddenly flooded with phony lookup requests generated by the army of enslaved net-connected devices. The attacks came in waves, starting early in the morning on the East Coast and eventually slowing or freezing many of the biggest names on the Net.
Normal service was restored by the end of the day, and the FBI and Department of Homeland Security have launched investigations. Little is known so far about the attackers or their motives, but they apparently made use of malware called Mirai, whose source code was recently posted online. And they specifically targeted devices using components made by China’s Hangzhou Xiongmai Technology that are used in many surveillance cameras and DVRs.
“Mirai is a huge disaster for the Internet of Things,” the company told IDG News Service. It recalled some devices and urged customers to change the weak default passwords it shipped others with, and update them with new firmware to patch other flaws.
And therein lies the problem. How many of the people reading these words have WiFi routers with passwords like ABCD1234, because that was the password shipped with the router? How many consumers are even aware that their router has a password that might be different from their network password?
In the wake of the Dyn attack, Consumer Reports published a number of suggestions for consumers looking to protect their home networks and devices. Besides locating and changing the router’s password, CR recommends going into its settings to disable Telnet remote management and Universal Plug-and-Play, networking protocols it says are too easy for hackers to exploit.
Ultimately, though, this isn’t a problem consumers are likely to be able to solve on their own. The only real answer is for manufacturers to make strong security a central feature of every Internet of Things device, from routers to refrigerators and DVRs to doorbells. Otherwise, the attack on Dyn is just the precursor to what we can expect as the number of IoT devices triples in the next four years.
Are you afraid? If not, you should be.
Rich Jaroslovsky is an Observer technology columnist and vice president of SmartNews Inc. Reach him at [email protected] or @RichJaro on Twitter.