Criminals this morning massively attacked Dyn, a company that provides core Internet services for Twitter, SoundCloud, Spotify, Reddit and a host of other sites, causing outages and slowness for many of Dyn’s customers.
It’s incredible — and more than a little irresponsible — that we’ve taken something as decentralized as the web and made it largely dependent upon a handful of popular providers.
Krebs, on the cause of today’s attacks:
According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.
Bruce Schneier, writing for Vice just two weeks ago:
What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
Of course, this would only be a domestic solution to an international problem. The internet is global, and attackers can just as easily build a botnet out of IoT devices from Asia as from the United States. Long term, we need to build an internet that is resilient against attacks like this. But that’s a long time coming. In the meantime, you can expect more attacks that leverage insecure IoT devices.
Be sure to read Krebs’ article on the cause of today’s attack. In it, he notes that many of the devices used in the attack are vulnerable to a ridiculously obvious flaw: a hardcoded root password for Telnet and SSH. Any security researcher worth their salt would find this problem in a heartbeat, but it’s up to the manufacturers of these devices to do their due diligence in getting them tested. Perhaps a rudimentary penetration test should be part of the certification process by consumer protection agencies.