On Friday, hackers crashed parts of the internet, specifically services located on the East Coast of the United States. They used an old technique known for 20 years, a “DNS DDoS.”
However, instead of launching the attack from virus-infected computers as has been the norm, hackers launched the attack from small, internet-connected devices like security cameras. This is a worrisome development—such devices offer hackers a powerful new weapon.
The “Internet-of-Things” (IoT) revolution is sweeping the internet, adding cars, pacemakers, industrial robots, toasters, and security cameras to the internet. If you own an appliance or device that uses electricity, you can find a similar device which connects to the internet. Through a voice-activated device such as an Amazon Echo, you can command the coffee to start brewing, the car to start warming, and the lights to turn on in the morning—all before getting out of bed. According to research group Gartner, more than 6 billion of these devices will be on the internet by the end of 2016.
This trend comes at the cost of cybersecurity. These are cheap devices that cut corners. While they are not prone to the same attacks as your home computers (such as phishing emails), they have other common problems (like backdoor passwords). These are passwords, like “support,” that vendors secretly build into their devices for various reasons. While vendors think they are clever and secretive, hackers find these passwords effortlessly. They create lists of these well-known backdoors and trade them among themselves.
Luckily, the devices installed in your home are behind your firewall, so they are secure against most hacker attacks. A firewall is a common security device that allows outbound communication with the internet but blocks most inbound communication. Most of the devices that connect homes to the internet contain a firewall. However, many other devices are placed directly on the internet, where hackers can easily gain control of them.
That’s why in Friday’s attacks, most of the devices were security cameras rather than baby monitors. Both do the same thing (record video) and often contain the same internal hardware and software. However, baby monitors are usually installed in the home, behind firewalls, which hackers cannot directly access. Security cameras are installed in remote buildings, often with a dedicated internet connection just for the camera and no firewall protection. That said, some baby monitors, too, were placed outside the firewall.
Most assume it would be too hard to find such devices on the internet. For example, some remote village in Mongolia might have security cameras attached to a satellite uplink. What’s the chance hackers can find that?
The answer is 100 percent. In much the same way that you need only somebody’s phone number to call them, all you need is an internet address to connect to a device. When you dial somebody’s phone number, the fact they might be located in downtown Berlin or the middle of Mongolia is irrelevant. The same is true of an internet address. There are fewer internet addresses than phone numbers, only about 4 billion possible combinations. It’s possible to try them all in the span of a few hours.
The following picture shows me running a tool called masscan, which probes every possible internet address. As you can see, in about 6 hours, it will have scanned the entire internet for all IoT devices of the sort that were used on Friday. It sends a probe to each and every address on the internet, regardless of where they are physically located. If you look carefully on your home firewall, you’ll see that somebody with the internet address 126.96.36.199 has tried to contact you today. That person was me. And this is true, even if you are living in the middle of Mongolia.
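The firewall behaviour described above (outbound allowed, unsolicited inbound dropped) and the probe evidence that such a scan leaves in a home firewall's log can be modelled in a few dozen lines. The following is an added illustration, not code from the article or from masscan: a toy stateful filter that remembers the connections devices inside the home open, lets only their replies back in, records everything else, and then summarises which outside addresses touched which ports. The addresses are constructed from RFC 5737 documentation ranges, and the set of "watched" ports (including telnet on 23) is an assumption made for the example, not a figure from the text.

```python
# Added illustration (not from the article): a tiny stateful "home firewall"
# and a report of who probed it. Addresses are RFC 5737 documentation ranges,
# constructed for this example.
from collections import Counter, defaultdict
from dataclasses import dataclass

# Ports that internet-wide IoT scanners commonly probe. This set, including
# telnet on 23, is an assumption for illustration, not taken from the article.
WATCHED_PORTS = {23, 2323, 80, 8080}


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    sport: int      # source port
    dst: str        # destination address
    dport: int      # destination port
    outbound: bool  # True when the packet leaves the home network


class HomeFirewall:
    """Allows outbound traffic and the replies it solicits; drops all other inbound traffic."""

    def __init__(self):
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)
        self.dropped = []    # unsolicited inbound packets, i.e. the scan evidence

    def filter(self, pkt: Packet) -> str:
        if pkt.outbound:
            # Remember the flow so that its reply is allowed back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"          # reply to a connection opened from inside
        self.dropped.append(pkt)     # nobody inside asked for this packet
        return "DROP"


def probe_report(dropped):
    """Per outside source, count how often it hit each destination port."""
    report = defaultdict(Counter)
    for pkt in dropped:
        report[pkt.src][pkt.dport] += 1
    return {src: dict(ports) for src, ports in report.items()}


def scanners(report, min_ports=2):
    """Sources that touched several watched ports look like sweeps rather than stray traffic."""
    return sorted(src for src, ports in report.items()
                  if len(WATCHED_PORTS & set(ports)) >= min_ports)


# Constructed traffic: a laptop browsing, a baby monitor phoning home, and two
# outside addresses knocking on the ports a camera or monitor would listen on.
SAMPLE_TRAFFIC = [
    Packet("192.168.1.20", 51000, "203.0.113.5", 443, outbound=True),   # laptop -> web site
    Packet("203.0.113.5", 443, "192.168.1.20", 51000, outbound=False),  # web site reply
    Packet("192.168.1.30", 40000, "203.0.113.9", 443, outbound=True),   # monitor -> vendor cloud
    Packet("198.51.100.7", 6000, "192.168.1.30", 23, outbound=False),   # scanner -> telnet
    Packet("198.51.100.7", 6001, "192.168.1.30", 2323, outbound=False),
    Packet("198.51.100.7", 6002, "192.168.1.30", 80, outbound=False),
    Packet("198.51.100.42", 7000, "192.168.1.20", 23, outbound=False),  # a second outside source
    Packet("203.0.113.9", 443, "192.168.1.30", 40000, outbound=False),  # vendor cloud reply
]


def run(traffic=SAMPLE_TRAFFIC):
    """Filter the traffic and return (verdict per packet, probe report)."""
    fw = HomeFirewall()
    decisions = [fw.filter(p) for p in traffic]
    return decisions, probe_report(fw.dropped)


if __name__ == "__main__":
    decisions, report = run()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{verdict:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("probes by source:", report)
    print("likely sweeps:", scanners(report))
```

The two devices inside the home never receive a packet they did not ask for, which is exactly why a monitor behind such a filter is out of reach while the same hardware on a bare connection is not. The dropped packets are the part a real firewall writes to its log; grouping them by source and port is what turns "somebody tried to contact you today" into a short list of addresses worth noticing.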
Even this step is unnecessary. Various internet survey websites keep track of this, so that simple searches can be made to find certain types of devices. The most popular of these is Shodan, which can quickly generate a list of millions of possible targets to take control of.
In Friday’s incident, hackers were using their own custom software known as Mirai. The ThreatPost security blog reports 550,000 devices are infected with Mirai, and that 10 percent of those were used in the attack.
Mirai scans the internet. When it finds targets, it attempts to log in using many well-known backdoor passwords.
Once Mirai finds and infects a new device, it then contacts the hacker controlling these devices. The infected devices have now become a botnet under the hacker’s control. One common command is to execute a DDoS attack. This stands for Distributed Denial of Service. The attack traffic comes from thousands of devices, so its source is distributed across all of them. The term “denial of service” is an old computer term meaning to either crash, slow down, or otherwise “deny” people the “service” of the targeted device.
The hacker (or hackers) behind Mirai have been building their botnet for a couple of months. We’ve seen the scans on the internet. And on Friday morning, they commanded the machines to target a victim, a major DNS provider. DNS is the phonebook of the internet, translating between human names and the sequence of numbers that is an internet address. When DNS crashes, the internet technically keeps running, but anybody dependent on that DNS service can no longer find things. The victim of the attack, Dyn.com, was a particularly large DNS provider, and hence the attack had a disproportionate effect on the internet.
The scariest part of Friday’s attack is that it takes no special skill. Anybody can use masscan or Shodan to find potentially vulnerable systems. Anybody can infect those systems with Mirai and remotely control them. Some have suggested that nation states are behind this attack—but so far we’ve seen nothing sophisticated, nothing requiring nation state resources. All this is within the abilities of a particularly nerdy teenager working out of her mother’s basement.
When people open the box for the first time, they see an innocent-looking device, and they connect it to their network with that impression. But the internet doesn’t see them as devices. The internet sees them as full computers, running the latest Windows or Linux software, with large amounts of memory and computing power, attached to fast internet links. Hackers are now exploiting this disjuncture, taking control of devices and using them to crash the internet, and there is nothing you can do about it.