How your DVR was hijacked to help epic cyberattack – USA TODAY
SAN FRANCISCO – Technology experts warned for years that the millions of Internet-connected “smart” devices we use every day are weak, easily hijacked and could be turned against us.
The massive siege on Dyn, a New Hampshire-based company that monitors and routes Internet traffic, shows those ominous predictions are now a reality.
An unknown attacker intermittently knocked many popular websites offline for hours Friday, from Amazon to Twitter and Netflix to Etsy. How the breach occurred is a cautionary tale of how the rush to make humdrum devices “smart” while sometimes leaving out crucial security can have major consequences.
Dyn, a provider of Internet management for multiple companies, was hit with a large-scale distributed denial of service attack (DDoS), in which its servers were flooded with millions of fake requests for information, so many that they could no longer respond to real ones and crashed under the weight.
Who orchestrated the attack is still unknown. But how they did it – by enslaving ordinary household electronic devices such as DVRs, routers and digital closed-circuit cameras – is established.
The attackers created a digital army of co-opted robot networks, a “botnet,” that spewed millions of nonsense messages at Dyn’s servers. Like a firehose, they could direct it at will, knocking out the servers, turning down the flow and then hitting it full blast once again.
The specific weapon? An easy-to-use botnet-creating software called Mirai that requires little technical expertise. An unknown person released it to the hacker underground earlier this month, and security experts immediately warned it might come into more general use.
Mirai insinuates itself into household devices without the owner’s knowledge, using them as platforms to send the server-clogging messages even as the device continues to do its day job for its true owner.
The software uses malware from phishing emails to first infect a computer or home network, then spreads to everything on it, taking over DVRs, cable set-top boxes, routers and even Internet-connected cameras used by stores and businesses for surveillance.
That breadth of “attack surface,” as security experts call it, is one of the things that makes Mirai so difficult to fight, said Kyle York, Dyn’s chief strategy officer.
“The complexity of this attack is because it’s so distributed. It’s coming from tens of millions of source IP addresses that are globally distributed around the world. What they’re doing is moving around the world with each attack,” he said.
Internet of (dangerous) Things
As long as companies have been gleefully making and selling Internet-connected devices (the so-called Internet of Things or IoT), computer security experts have warned the security included with them was far too weak, or sometimes even nonexistent.
“IoT security has been horribly flawed ever since it first became a thing, largely because of the pace that new products have to go to market, and the fact that designing security is seen by vendors as ‘slowing things down,’” said Casey Ellis, CEO of Bugcrowd, a San Francisco-based computer security service.
This “avalanche” of smart and connected devices has created an environment where software and implementation flaws can be exploited at previously unseen levels, “effectively turning them into widely distributed information weapons,” said Mike Ahmadi, director of critical systems security for security company Synopsys.
The danger is two-fold: The devices can be hacked into by one individual and potentially used to enter the owner’s home computer network, putting their personal information at risk, or they can be easily taken over and turned into a node on a botnet.
Either way, stronger security would protect both the devices’ owners and the larger Internet. However, security is too often left out – and also needs to be continually updated.
While users at least sometimes are willing to install security updates to their phones or computers, the idea of going around and doing software or firmware security updates on thermostats, garage door openers and even refrigerators has yet to catch on.
“The threat research community needs to find a way to prevent the IoT devices from participating in these attacks. They are valuable to the bot army controller because they are usually always on and have high capacity connections that generate huge botnet power,” said Jeff Schilling, chief of operations and security at computer security firm Armor.