Depiction of the outages caused by Friday’s attacks on Dyn, an Internet infrastructure company. Source: krebsonsecurity.com.

On Friday, a series of massive distributed denial of service (DDoS) attacks caused internet outages across much of the US, and also in parts of Europe.  The epicenter was Dyn, an Internet performance management company that provides Internet services to some of the web’s most-visited sites.  In three separate attack waves on Friday, tens of millions of IP addresses pelted Dyn with junk packets, resulting in Internet access outages at such popular destinations as Amazon, Netflix, Reddit, Spotify, and Twitter.

The culprit?  My DVR box.  Or maybe yours.

DDoS attacks, in which the bad guys bombard networks or systems with an overwhelming volume of requests from multiple hijacked sources, thereby degrading or interrupting service, have been around for quite a while.  What makes Friday’s event ominous is that the hijacked sources were apparently not simply the usual bot army of compromised computers.  Instead, this time the DDoS sources reportedly included large numbers of hacked Internet-connected devices, including video cameras and digital video recorders.  For details on this evolving story, see Krebs on Security.  According to the reporting, Internet of Things (IoT) consumer devices with factory-default usernames and weak passwords were likely hacked on a huge scale and enlisted in Friday’s attacks.

So … maybe it was my DVR.  We take it for granted, basically ignoring it so long as our shows are there.  Perhaps it’s feeling resentful, and has gone over to the dark side, nefariously joining millions of other unappreciated devices – who knows.  But the notion that I, or any other average consumer, will think about or act upon the security settings of our household IoT devices is ridiculous.

And cyber vulnerabilities of IoT devices are nothing new.  Simply rewind to the FTC’s 2014 enforcement action against TRENDnet, which marketed its internet-connected SecurView cameras for everything from home security to baby monitoring.  Only problem – the cameras’ software allowed online viewing by anyone with a camera’s IP address.  Seriously creepy.

The Internet of Things is the next wave of the digital revolution.  Friday’s attacks remind us that manufacturers of IoT devices, and frankly any company investing in an IoT strategy, must take device security seriously.  Otherwise, next time it may be an army of zombie refrigerators that does us in.