Recent Cyberattack Reveals Reality of Smart Home Device Vulnerability

What made last week’s Internet takedown so effective — and, some would say, sinister — was how the attackers weaponized everyday devices like security cameras, digital video recorders and baby monitors.

by Marissa Lang, San Francisco Chronicle / October 24, 2016

(TNS) -- The huge cyberattack that crippled the Internet and disabled dozens of websites Friday appeared to be the biggest attack of its kind that the world has ever seen.

But it may not hold that title for long.

What made last week’s Internet takedown so effective — and, some would say, sinister — was how the attackers weaponized everyday devices like security cameras, digital video recorders and baby monitors.

By exploiting the devices’ Web connections, hackers could infect them with malicious software and use them to paralyze huge portions of the Internet with a barrage of junk data in what is known as a distributed denial of service, or DDoS, attack.

For many, the breach was a stark demonstration of just how insecure the Internet remains. To some, it also felt like a call to action.

At a time when everything from televisions to refrigerators to kids’ toys are being equipped with an Internet connection, experts and legislators said, something ought to be done to ensure the security of these devices.

Yet there is little consensus around who should bear that responsibility.

“There aren’t just one or two types (of Internet of Things devices), there are tens of millions,” said Jeremiah Grossman, SentinelOne’s chief of security strategy. “So what we can expect going forward is a lot more of the same. ... Look out election day. Look out Cyber Monday.”

The Internet of Things encompasses a wide array of electronics: smart washing machines that will text you when your clothes are done, refrigerators that can order more groceries, wearable tech that can monitor your biorhythms, and talking toys that respond to words uttered by children.

Every year, more and more appliances are being made that connect to the Internet. Securing them is often an afterthought, experts said.

Many consumers, for instance, don’t see the danger in leaving a default password on a smart microwave, said Brian White, the chief operating officer for security firm RedOwl Analytics.

This is the attitude hackers bank on. If they can crack into a device using an easy-to-guess password, they can turn an everyday DVR into a zombie device enslaved to malicious software that can be used in attacks such as Friday’s assault.

“We are putting an enormous amount of compute capability in the average home, and it is very difficult for the average consumer to ensure their home is securely networked and their devices are updated,” White said.

Companies have long been held accountable for securing their own websites — banks, for instance, have security systems in place. But Internet of Things manufacturers are not required to guarantee a base level of security in the devices they create.

And when the priority is making the most inexpensive device possible, Grossman said, makers often skimp on things like security features.

Information security people “have been screaming bloody murder about this for years,” Grossman said. “Everything from cameras to toasters, refrigerators, microwaves. And because there’s no regulation, the manufacturers don’t need to make sure these devices ship with any security whatsoever.”

No single government agency oversees the devices or practices of the Internet of Things, though several have limited authority over parts of it.

Since Friday’s Internet blitz, some legislators have begun calling for greater government intervention.

“Not only does this kind of attack limit access to important information, delay financial transactions, and disrupt our nation’s commerce flows, but it also points to significant vulnerabilities in our national security,” Rep. Jerry McNerney, D-Stockton, said in a statement Saturday.

Friday’s attack targeted Dyn, an Internet infrastructure firm that, among other things, provides domain name services and online traffic management to hundreds of companies, including Amazon, CNN, GitHub, Twitter, Netflix, PayPal, Reddit, Zendesk and the New York Times.

In a DDoS attack, hackers typically deploy a botnet, or a network of compromised computers, to send phony traffic to a specific site or server with the intent of overwhelming it so it cannot respond to queries from real people.

What made the attack different was that it used a botnet seen only once before — last month in a record-size attack against cybersecurity journalist Brian Krebs’ website. The botnet, known as Mirai, used infected cameras spread across the world to send waves of traffic at Dyn’s DNS system at unprecedented rates.

Mirai continually scans the Internet for devices and then attempts to gain access to them by using a known default password or exploiting a weakness in outdated software.
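The scanning behaviour described above leaves a recognisable trace on the devices being probed: one source address trying logins against many devices in a short burst, sometimes followed by a success. The following detector is an added example, not code from the article or from any product it names; the log format and the sample lines are constructed for illustration.

```python
"""Flag Mirai-style credential scanning in constructed IoT gateway auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical gateway format (not any real product's).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-10-21T04:00:01Z dev=dvr-01 src=203.0.113.7 proto=telnet result=fail
2016-10-21T04:00:02Z dev=dvr-01 src=203.0.113.7 proto=telnet result=fail
2016-10-21T04:00:04Z dev=cam-03 src=203.0.113.7 proto=telnet result=fail
2016-10-21T04:00:05Z dev=cam-03 src=203.0.113.7 proto=telnet result=success
2016-10-21T04:00:09Z dev=cam-07 src=203.0.113.7 proto=telnet result=fail
2016-10-21T04:10:00Z dev=cam-03 src=198.51.100.4 proto=ssh result=fail
2016-10-21T04:30:00Z dev=cam-03 src=198.51.100.4 proto=ssh result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def find_scanners(log_text, window=timedelta(minutes=1), min_fails=3, min_devices=2):
    """Return {src: verdict}. A source with >= min_fails failures against
    >= min_devices distinct devices inside `window` is a scanner; a success
    in the same burst means a device most likely accepted a weak or default
    credential and should be isolated and re-credentialed."""
    by_src = defaultdict(list)
    for rec in parse(log_text):
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):           # slide a window over each source's events
            burst = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            fails = [r for r in burst if r["result"] == "fail"]
            if len(fails) >= min_fails and len({r["dev"] for r in fails}) >= min_devices:
                hit = sorted({r["dev"] for r in burst if r["result"] == "success"})
                verdicts[src] = "scanner-success:" + ",".join(hit) if hit else "scanner"
                break
    return verdicts
```

A single failed login from a new address, like the second source above, is left alone; the verdict fires only on the many-devices-in-seconds pattern that distinguishes automated scanning from a mistyped password.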

Kyle York, Dyn’s chief strategy officer, said in a statement Saturday that the company was able to mitigate the first two waves in a matter of hours and fended off a third without customers seeing an impact.

But Dyn’s attackers may not have been using the full brunt of Mirai’s force.

Level 3 Communications, an Internet service provider based in Colorado, began monitoring the Mirai assault in the midst of its attack on Dyn. Level 3 reported that only about 10 percent of devices compromised by Mirai were deployed in Friday’s attack.

“There needs to be a much greater awareness among the public, among manufacturers,” White said. “This may have been a wake-up moment, but as with most things in the cyber realm, it may take a few more times for it to sink in.”

It has not yet been determined who was behind Friday’s attack, which came at Dyn in several waves beginning about 4 a.m. Pacific Daylight Time. But because the code behind Mirai was leaked after the attack on Krebs, it could have been anyone.

“Mirai is a DDoS-for-rent environment,” Dale Drew, Level 3 Communications’ chief Internet security officer, said in a video posted on Periscope. Hackers charge others for access to compromised machines, making it hard to determine the actual force behind a given attack.

The Department of Homeland Security and the FBI continue to investigate Friday’s cyberattack, though they have not yet identified a party responsible.

Activist hacker groups Anonymous and New World Hackers said they were responsible for the cyberassault on Dyn late Friday, telling several news organizations that it was an act of solidarity and retaliation over the Ecuadoran government’s decision to cut off WikiLeaks founder Julian Assange’s Internet connection.

“Twitter was kind of the main target. It showed people who doubted us what we were capable of doing, plus we got the chance to see our capability,” a New World Hacker member who identified himself as “Prophet” told the Associated Press on Saturday via a Twitter message.

The hacker said the group’s next target would be the Russian government in response to the cyberattacks Russia has allegedly launched against the U.S. this year.

But security experts and U.S. officials said they had their doubts about the group’s boasts.

No evidence over the weekend could link either group to the Dyn attacks, and both have taken credit for high-profile attacks in the past when they, in fact, were not involved.

“If they were just trying to prove a point, they would have done it briefly, rather than kept a series of sustained attacks going a number of times throughout the day,” Grossman said. “I mean, it’s possible. But it’s not plausible.”

©2016 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.