DDoS Attack Was Waiting to Happen
Despite the unending excitement about the Internet of things, talk of 50 billion nodes on the network, and the building of the smart home, CCS Insight has long warned about potential security gaps that connected appliances could create.
Let’s consider what happened last week when hackers took over millions of Internet-connected devices such as home security cameras and routers. They exploited the devices’ security weaknesses to launch an attack that eventually knocked out parts of the Internet. When mobilized together, those pieces of hardware can be used to send Web page requests to servers at such a furious rate that legitimate requests are completely ignored.
Dyn, a New Hampshire company that hosts a domain name system (DNS), was hit with so much fake traffic that its servers became overwhelmed. Hackers used a so-called distributed denial of service (DDoS) attack that can overpower a server with so many data requests that it can prevent normal users from having their queries answered. A DNS is an expansive database that can convert a simple domain name into a more complex IP address from which data can be retrieved. Taking down a DNS server means that an Internet browser can’t use it to resolve which IP address to fetch the files of a Web page from. The attack caused widespread disruptions at major sites such as Amazon, PayPal, Reddit and Twitter.
Hackers have been installing malware on PCs for years. But the possibility that simple household devices were duped into taking down large chunks of the Internet is of particular concern: as a rising number of consumers buy connected devices, the potential exposure to security weaknesses increases.
Fortunately DNS is by definition a distributed database, meaning copies of the same information are found across the Internet making its architecture rather robust. Nonetheless, as the Dyn incident reveals, it takes time for DNS hosts to recover from attacks.
The recent Internet disruption should act as a wake-up call about the next wave of IT vulnerabilities potentially caused by simple household items, such as light bulbs and thermostats. We wonder if government regulations, similar to those that monitor the safety and reliability of consumer goods, will be needed to create a sense of reassurance to consumers buying connected objects.
Many consumers are uninformed about IT security. When they neglect to change a device’s out-of-box password, which may have been one of the vulnerabilities used last week by hackers, it’s clear that a change is needed. This won’t be the last time we hear about an attack via Internet-connected things.