Like any other weekday, last Friday I grabbed a cup of coffee and activated my computer to see the latest world news cascade down my Twitter feed. But unlike an average day, Twitter was down. Mild discomfort settled in.
Social media addiction aside, it turns out a huge swath of popular websites — from CNN to Github to Paypal to reddit — were down for users in the eastern part of the U.S. The culprit, as we probably should expect by now, was a massive Distributed Denial of Service attack, and it came in two waves. The second was even more powerful, affecting users on the West Coast as well.
So what’s the lesson we should all learn from this attack? That designing privacy and security into internet-connected devices isn't just about brand or reputation, it's a national security imperative. When major websites — from social networks to video streaming services to news publishers to retailers — go down, it hurts the overall digital economy. Spread such an attack to critical infrastructure, like air traffic control or energy systems, and any country's national security interests hang in the balance.
As was evidenced last Friday, it’s far too easy for bad actors to access connected devices like webcams and other smart appliances. Default passwords are often “password” or “admin.” When that’s the case, adversaries can easily crawl the internet, access those devices, infect them with malware, and activate their attack at will. The warnings have been there for years, too. In 2014, a website connected to 73,000 unsecured webcams around the world demonstrated how often default passwords remained unchanged. Plus, it appears access to this so-called "army" of hacked devices is for sale, and it's cheap.
The role IoT played in Friday's attack is not just speculation, either. Chinese electronics manufacturer Hangzhou Xiongmai Technology confirmed weak default passwords in its devices allowed adversaries to infect its webcams and DVRs with a malware known as Mirai. The malware then allowed the attackers to launch Friday's massive DDoS attack, mainly in the U.S. In response, the company has announced it is recalling those devices. "Security issues are a problem facing all mankind," the company said in a statement.
There is now no doubt, an attack like this could happen anywhere in the world.
Friday's events lead to a huge takeaway for businesses in the IoT field. If companies do not build in protections to prompt new users to create strong passwords and ensure customers patch security vulnerabilities, they are not only risking brand reputation, regulatory action and the cost it takes to recall thousands of products, they are risking the health of the digital economy and the security of any nation in which such an attack takes place.
Sure, last week's attack hurt dozens of companies, but imagine such an attack hitting critical infrastructure. More than money and reputation would be at stake.
In fact, Friday’s attack did hit what's becoming very critical infrastructure, indeed: Dyn, a major Domain Name System (DNS) provider. The service it provides is likened to the Yellow Pages. In a nutshell, it translates the site names users type into the addresses that actually reach those sites. By bombarding Dyn’s servers with massive amounts of lookup requests, the attackers chewed up Dyn's bandwidth, effectively disabling its service several times throughout the day. How much e-commerce didn't happen because of those various downed sites?
DDoS attacks usually require thousands of IP addresses to perpetrate an attack. So a bad actor, in the past, likely would have used a slew of computers infected with malware to accomplish the attack. However, IP addresses are now rapidly expanding beyond the computer screen to all sorts of devices: wearable fitness trackers, smart homes, connected cars, and so on. As IoT embeds itself more deeply into our lives and as companies find more ways to monetize these products and services, bad actors will have more IP addresses to enslave for DDoS attacks.
Late last month, Privacy Tech warned of the dangers of "enslaved IoT armies" after the website of well-known security reporter Brian Krebs was attacked and taken down for days. At the time, it was one of the strongest DDoS attacks ever measured.
The attacks have only gotten stronger in the meantime.
Friday’s outage is a mere inconvenience compared to what could happen if certain other critical infrastructures are affected. If this were to happen during the first Tuesday next month, an already contentious presidential election could be thrown into a whirlwind.
Move these vulnerabilities onto other critical infrastructures — the energy grid, transportation, the financial marketplace, health care, water distribution — and we’re entering into dangerous territory. Really, we’ve likely entered this perilous territory already and are only just beginning to see some of the realities.
Security guru Bruce Schneier warned us in early September that “someone,” likely a nation-state like Russia or China, is methodically probing the “defenses of the companies that run critical pieces of the Internet.” He also pointed out that the scale of these attacks is steadily growing stronger. Since DDoS attacks are essentially a battle of who has more bandwidth — the attacker or the victim — a cyber arms race ensues.
Whether a large nation-state or small cell of criminals, we should realize that IoT security and privacy hygiene is now a public safety issue. This puts the onus on businesses to build in protections, a means to update security patches for already-purchased devices, and put forth easy-to-understand instructions. If you've been seeking a good argument for getting a bit more budget and staffing for your privacy-by-design efforts, let's hope this can be a prominent arrow in your quiver.
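As an added example (not code from the article or from any device vendor), here is the kind of first-boot credential policy that the paragraph above, and the default-password problem described earlier, ask IoT makers to build in: remote management stays off until the owner replaces the factory credential, and the replacement is checked against the shipped defaults, the label printed on the device, and a minimum variety requirement. The device model, serial, default list and sample passwords are all constructed for the example.

```python
# Added example, not from the original article: a first-boot credential
# policy for an IoT device. FACTORY_DEFAULTS, MIN_LENGTH and the Device
# fields are assumptions; a real product would ship its own documented list.
import math
import string
from dataclasses import dataclass, field

# Constructed list of factory credentials the policy must refuse.
FACTORY_DEFAULTS = {"admin", "password", "12345", "1234", "root", "default"}
MIN_LENGTH = 12          # minimum characters accepted from the owner
MIN_DISTINCT = 6         # rejects "aaaaaaaaaaaa"-style choices
MIN_BITS = 50.0          # crude entropy floor: len * log2(character pool)


@dataclass
class Device:
    model: str
    serial: str
    password_set_by_owner: bool = False   # still on factory default until True
    rejections: list = field(default_factory=list)

    def remote_access_allowed(self) -> bool:
        """Remote management stays disabled while the default credential is live."""
        return self.password_set_by_owner


def password_problems(device: Device, candidate: str) -> list:
    """Return the reasons a candidate is unacceptable (empty list means OK)."""
    problems = []
    lowered = candidate.lower()
    if lowered in FACTORY_DEFAULTS:
        problems.append("matches a known factory default")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if device.model.lower() in lowered or device.serial.lower() in lowered:
        problems.append("contains the model or serial printed on the label")
    if len(set(candidate)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    # Pool size = sum of the character classes actually used.
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation))]
    pool = sum(size for chars, size in classes if any(c in chars for c in candidate))
    if pool and len(candidate) * math.log2(pool) < MIN_BITS:
        problems.append("too little variety for its length")
    return problems


def set_owner_password(device: Device, candidate: str) -> bool:
    """Apply the policy; only a passing candidate unlocks remote access."""
    problems = password_problems(device, candidate)
    if problems:
        device.rejections.append(problems)   # surfaced to the owner in the setup UI
        return False
    device.password_set_by_owner = True      # a real device stores a salted hash here
    return True
```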
If not, maybe we truly cannot have nice things. Or Twitter, anyway.
Top image: Screen shot of Friday's DDoS attack from Level3.