other bad actors with different purposes in mind. These might be activists with a cause, terrorists, criminals seeking a ransom for a victim’s data, or just young hackers who want to show off, says security intelligence company Flashpoint in a review of the Dyn attack.
After an attack, a compromised device may go back to functioning innocently and well. But like the secretly brainwashed Manchurian Candidate of fiction, it can be triggered to act malignantly at another time by a signal from an outside agent who owns or rents the criminal’s robotic army.
Even if the hackers don’t tell your device to stop sending out messages at some point, that doesn’t necessarily mean your device will endlessly continue to pump out rogue data packets and become useless.
“Typically, it will forget the instructions when it’s powered down, so a reboot would fix it,” Risley says.
But the bad news is, once the attackers know the device’s username and password, they can easily re-infect it, cybersecurity experts say.
After the attack, the device owner may notice a run-up of data charges incurred for unintentionally sending a flurry of messages on the hackers’ orders. “DDoS traffic will be subtracted from your monthly data usage caps and allowance,” Risley says.
Once compromised for an attack on a target such as Dyn, the device can also be used as an entering wedge to invade the owner’s own network and steal data.
These risks might be compelling enough to motivate many consumers to shut cybercriminals out of their devices. But what can they do? Even users who make the effort to change their default passwords can still leave their devices open to attack.
In addition to a Web Login Protocol, devices may support other points of entry. This was the case for cameras made by XiongMai Technologies, whose webcams are some of the suspected vehicles of the attack on Dyn, Risley says. “In addition to the Web Login Protocol, the cameras supported SSH and Telnet logins so the attackers could try the default passwords for these logins to take control of the device,” he says.
He advises users to search online manuals to find out what ports their devices support, close them off, and also to change their router configurations. (Risley points to this Consumer Reports article for guidance on routers.)
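An added example, not part of the original article or the advice quoted in it: a Python check a device owner can run against their own camera or DVR to see which login services still answer after the web password has been changed. The function names and the default port list (22, 23, 80) are this example's assumptions; it recognises SSH and Telnet by the first bytes the service sends, so it also identifies them on nonstandard ports.

```python
import socket

# Standard default ports for the three login paths the article names.
DEFAULT_PORTS = (22, 23, 80)  # SSH, Telnet, web login (HTTP)

def classify_banner(data: bytes) -> str:
    """Name the login service from the first bytes it sends, if recognisable."""
    if data.startswith(b"SSH-"):   # SSH servers open with an "SSH-" version string
        return "ssh"
    if data[:1] == b"\xff":        # Telnet servers usually open with IAC (0xFF) negotiation
        return "telnet"
    return "unknown"

def probe(host: str, port: int, timeout: float = 1.0):
    """Return None if nothing accepts connections, else 'ssh', 'telnet' or 'open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                data = conn.recv(64)
            except OSError:        # open but silent, e.g. HTTP waits for a request
                data = b""
    except OSError:                # refused, filtered or unreachable
        return None
    kind = classify_banner(data)
    return kind if kind != "unknown" else "open"

def audit(host: str, ports=DEFAULT_PORTS, timeout: float = 1.0) -> dict:
    """Map each reachable port on a device you own to the service found there."""
    findings = {}
    for port in ports:
        service = probe(host, port, timeout)
        if service is not None:
            findings[port] = service
    return findings

if __name__ == "__main__":
    import sys
    # Pass the address of your own device; defaults to this machine.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, service in sorted(audit(target).items()):
        print(f"{target}:{port} answers ({service}): close it or change its password")
```

Any port reported here is a login path that changing the web interface password alone does not protect.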
Consumers aren’t the only users who fail to plug every hole in a device’s defenses. Devices owned by companies are also being deployed in DDoS attacks—including security camera DVRs, Risley says. He didn’t have figures on the percentage of company devices used in the Dyn attack. But Risley says an estimated 80 percent of the devices used in a similar attack on security analyst Brian Krebs earlier this month may have been commercial security DVRs.
This can be a big embarrassment for the companies involved, he says. In addition, telecommunications firms may shut down the Internet connections of companies that seem to be pumping out DDoS traffic. And other businesses may block e-mail messages and other communications from sites that involuntarily generated the cybercriminal’s barrage of messages. On top of those headaches, a company could find itself in trouble with the law.
“Unsophisticated law enforcement often believes that the source of the attack packets is the source of the attack,” Risley says, adding that “it almost never is because hackers don’t like to be caught.” He says, “But just because law enforcement is wrong doesn’t mean they don’t have the power to subpoena your Internet records and the records of your Internet Service provider. Red tape can last years after an incident.”