Writing in The Conversation on 7 October, Mihai Lazarescu, Associate Professor and head of the Department of Computing at Curtin University, sounded an ominous warning about a new and alarming development in cyber security.
In his article, Lazarescu discussed a distributed denial of service (DDoS) attack on the Krebs on Security website. What was different about this attack was that it wasn’t carried out by conventional computers, but rather by devices connected to the Internet of Things (IoT), including basic things like digital video recorders and security cameras. Lazarescu warned that the lack of security measures and settings in IoT devices means that large numbers of them could be readily enlisted for the conduct of very serious DDoS attacks.
We didn’t have to wait long for Lazarescu’s fears to materialize. On 21 October, an attack on Domain Name System (DNS) provider Dyn made major internet platforms and services inaccessible to millions of users in Europe and North America. The websites and services affected included Airbnb, Amazon, CNN, Netflix, PayPal, Pinterest, the PlayStation Network, Twitter, and Yammer.
Science Alert reports that the source code for malware called Mirai was released onto the internet just last month. It enables anyone to create their own botnet armies, and it’s designed to specifically recruit IoT devices like smart TVs and webcams. An official statement from Dyn on the attack confirms that Mirai was used to recruit millions of devices:
We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.
TechRepublic’s news editor Conner Forrest warns that despite it’s large scale, this attack isn’t the end, with a 75% increase in the number of DDoS attacks over the past year and also an increase in their average size. He states that the attack highlights the need for stronger IoT industry security standards and protocols. The Hypercat Alliance could consider expanding its focus in this regard.
Lazarescu says that cost and convenience considerations have meant that IoT devices haven’t been designed with security in mind. But these considerations need to be weighed against the very significant costs and inconvenience experienced when DDoS attacks like that aimed at Dyn take down a large part of the internet.
Also published on Medium.