The big news over the weekend was that hackers launched a DDoS attack on domain name system (DNS) host Dyn which impacted traffic for high-profile Dyn customers like PayPal, Spotify and Twitter. What’s even more newsworthy is how they did it (by using the Internet of Things as part of the platform for launching the attack) and the infrastructure they targeted (DNS servers).
According to reports, the hackers infected hundreds of thousands of webcams and digital video recorders with malicious software that allowed them to control the devices and use them to implement the attack. If that sounds familiar, there’s a couple of reasons for that:
- Earlier this month, a similar tactic was used to launch a massive DDoS attack on the website of cybersecurity journalist Brian Krebs. Aside from the scale of the attack itself, the attack was unique in that the hackers leveraged CCTV cameras, DVRs, home routers, and other IoT devices.
- Security expert Bruce Schneier has been writing about the vulnerability of “things” – and the consequences of not taking IoT security seriously – since at least last year.
At the time the focus was more on individualistic scenarios focused on the specific “thing” – taking control of an connected car, stealing personal data from a connected Barbie doll, preventing a Wi-Fi connected sniper rifle from firing, etc. Now we’re looking at these things being used to create larger platforms for DDoS attacks, and eventually for attacks we haven’t thought of.
This is a big problem that’s going to get bigger, Schneier wrote in this blog post, and it’s not something the market can deal with on its own for a variety of reasons.
The other notable characteristic of the Dyn DDoS attack is the fact that it deliberately targeted DNS servers – a trend that we’re also starting to see more of, wrote Schneier in another blog post written over a month ago:
Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.
The Dyn attack appears to have been more than a probe, reports Technology Review – while the culprits remain unknown for now, the intention appears to be exactly the kind of disruption the attack caused. And while Dyn managed to respond to the attack and restoring service in a couple of hours, the other takeaway is that a larger scale attack of this kind on DNS servers could cause even greater disruption to internet service.
And the proliferation of the Internet of (very insecure) Things could provide the platform to make larger-scale attacks possible.
The message is clear, and can’t be repeated often enough: everyone in the IoT ecosystem – to include the public and the private sector – needs to take security seriously, especially on the device side of the equation, which currently constitutes the weakest link in the security chain. But the problem is much broader than insecure devices – it’s also increasing amount of interconnectivity between them, and the shift to software-controlled autonomous and automated systems that is shifting the internet security landscape into territory where traditional security countermeasures can only help so much.
The Dyn attack is just the tip of a very big iceberg. In an age where hackers are doxxing infidelity websites on morality grounds and (apparently) attempting to influence the outcome of the US presidential election, no one can afford to take internet security for granted anymore.