Cyberattackers this month brought down Internet access to Twitter, Netflix, Airbnb, the New York Times, and many other companies by hijacking thousands of poorly protected devices and forcing them to overwhelm a key Web traffic hub with a barrage of messages.
You—in the form of your camera, printer, router, or other device—may have been one of the hapless recruits to the cybercriminals’ renegade army. If so, how would you ever find out?
The unwelcome signs, according to cybersecurity expert Chris Risley, include everything from sluggishness in your device’s performance, to mysteriously high data charges on your next smartphone bill, or—worst-case scenario—a federal agent knocking on your company’s door with a subpoena.
Risley, the CEO of Atlanta security company Bastille, is one of the cyber defense experts who have been analyzing an attack on Manchester, NH-based Internet performance management company Dyn, which was the target of a denial-of-service attack Oct. 21 that blocked Web traffic to its customers, such as Twitter.
It took little sophistication to find devices like yours or your neighbor’s that could be made to fire a fusillade of messages to disable Dyn, Risley says, because most owners leave their devices so vulnerable.
“Some devices were merely plugged in by users and allowed to keep their default username and password,” Risley says. A sample default setting might be “admin” and “password” for user name and password, he says. “The attackers merely had their computers try the default credentials on every device they discovered.”
Some unwitting victims may have noticed nothing at all during the attack on Dyn. Or, those in the affected U.S. regions may attribute their camera’s temporary balkiness to the Internet disruption they heard about on the news—unaware that they themselves helped cause the crash. But once their devices have been compromised, they silently stand ready to join in another attack under new orders from the same network of bad guys, Risley says.
Cybercriminals carrying out such attacks are taking advantage of a huge increase in the number of connected devices now inhabiting homes, cars, schools, commuter trains, and offices. This Internet of Things includes everything from smart refrigerators to talking dolls. Device manufacturers have been accused of skimping on security measures to keep the price of these products low. Even when security precautions are offered—such as the option to change default passwords—consumers often lack the time or the know-how to take these steps.
Malicious hackers can scan much of the device population within an hour to muster a global regiment of thousands that will amplify their attacks and mask their role as the originators of the action. This is called a Distributed Denial of Service (DDoS) attack.
Andrew Mitchell, vice president of engineering at cybersecurity company TrueVault, based in Redwood City, CA, sees the attack on Dyn as an escalation of the DDoS tactic, because the cybercriminals were able to block Web access to many companies, rather than just a single target, by disabling the Dyn infrastructure they all relied on.
Some observers are concerned that this may be a practice run for a broader attack on the Internet for a specific purpose, such as an attempt to interfere with the U.S. election process. No effective routes are yet in place to broadly protect individuals from helping to sabotage their own Internet access, their economy, or their democracy.
“It can be really hard for the average consumer to know if they’re buying a device with good security properties or an easy target for hackers,” Mitchell says. “This is an area where governments and trade groups need to step up. It would be great if there were seals of approval from trade groups verifying that the device meets basic security requirements.”
One line of defense for consumers is to turn their devices off while not in use. A device that is unplugged and has no battery could not be activated to join in a cyberattack, Mitchell says. But “if the device is in a ‘sleep’ mode, where it is still powered on but has suspended normal operation, the attacker may be able to wake it up remotely and use it to begin an attack.” Mitchell is careful to say that he’s drawing on his own technical knowledge, and reports about such attacks, but is not privy to specific forensic data about the attack on Dyn.
Once they’ve taken control of a device, DDoS attackers would probably push it to send out as many messages as possible to maximize the power of their attack, Risley says.
“They will run an instruction on your device that will effectively say: Step One: Send this query to this address xx.xxx.xxx.xxx. Step Two: Repeat Step One,” Risley says.
“This will impact the performance of the device because all of its processing power will be busy in the sending loop,” he says.
The device would seem to freeze, or work very slowly, and it might exhaust its battery. If it overwhelms the Internet connection’s ability to handle the flood of outgoing messages, the user would lose the ability to use software that relies on Web access, Risley says. Risley is the former CEO of cloud-based DDoS mitigation company Defense.net. At Bastille, he leads a security company focused on preventing attacks on devices via wireless and other radio-frequency communications.
DDoS attackers may set a limit on the number of times the device should repeat sending the message to the target. But Risley says they may also include another command telling the device to check back periodically with a server they control. Then the device can be given new orders, “so that every so often the attacker can stop the attack, redirect the attack, or respond to the victim’s evolving defense.”
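The two behaviours Risley describes, a tight sending loop toward one address and periodic check-ins with a controller, both leave a trace in a home router's flow records. Below is added detection logic for those traces; it is an example written for this page, not code from the article or from Bastille, and the flow records, addresses, thresholds and function names are all constructed for illustration.

```python
# Detect a home device behaving like a recruited DDoS bot from router flow records.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, packets)
FLOWS = [
    # laptop browsing: irregular timing, low volume
    (0, "192.168.1.10", "203.0.113.80", 40),
    (35, "192.168.1.10", "203.0.113.80", 12),
    (410, "192.168.1.10", "203.0.113.80", 27),
    # camera checking in with a controller every 600 s (beacon pattern)
    (100, "192.168.1.20", "203.0.113.5", 3),
    (700, "192.168.1.20", "203.0.113.5", 3),
    (1300, "192.168.1.20", "203.0.113.5", 3),
    (1900, "192.168.1.20", "203.0.113.5", 3),
    (2500, "192.168.1.20", "203.0.113.5", 3),
    # camera after receiving new orders: flooding a single target
    (2510, "192.168.1.20", "198.51.100.7", 4200),
    (2520, "192.168.1.20", "198.51.100.7", 4100),
    (2530, "192.168.1.20", "198.51.100.7", 4300),
]

def flood_suspects(flows, min_packets=5000):
    """(src, dst, total) pairs whose packet total to one destination is large."""
    totals = defaultdict(int)
    for _ts, src, dst, pkts in flows:
        totals[(src, dst)] += pkts
    return sorted((s, d, n) for (s, d), n in totals.items() if n >= min_packets)

def beacon_suspects(flows, min_contacts=4, max_jitter=0.1):
    """(src, dst, period_s) pairs contacted repeatedly at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, _pkts in flows:
        times[(src, dst)].append(ts)
    found = []
    for (src, dst), ts in times.items():
        if len(ts) < min_contacts:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        # low relative spread between contacts points to a scheduled check-in
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            found.append((src, dst, round(period)))
    return sorted(found)

if __name__ == "__main__":
    print("flood suspects:", flood_suspects(FLOWS))
    print("beacon suspects:", beacon_suspects(FLOWS))
```

On real data the thresholds need tuning per network; the laptop's irregular, low-volume browsing is the baseline that neither check should flag.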
In this way, cybercriminals have assembled involuntary “standing armies” of devices that they can not only use in their own attacks, but can also profit from by renting them out to