At the website of the New Republic, Jacob Silverman details the surprisingly simple technology behind the DDoS attack that caused a massive internet outage last Friday, affecting major websites like Twitter, Netflix, Airbnb, and Reddit. Hackers used an open-source virus called Mirai to commandeer poorly secured "Internet of Things" devices like web-enabled thermostats and home surveillance systems to overwhelm and paralyze a key piece of internet. Silverman writes that this attack is a watershed moment for internet security (or lack thereof), as it reveals how vulnerable the emerging Internet of Things is making the web as a whole and the people who use it. Here's an excerpt:
Mirai isn’t the first malware of its kind—some cyber-criminals offer rentable botnets and other forms of “DDoS-as-a-service”—but it’s become the most visible example of the growing insecurity of the Internet of Things (often referred to by its acronym IoT). Once hailed as the next frontier in technological development, the IoT was supposed to empower consumers by connecting more “smart” devices to the internet, making it so that various home appliances could talk to one another. But some commentators have long questioned both the utility and the security of IoT devices. Just because we can connect a toaster or a fridge to the internet doesn’t mean we should—a fact that becomes all too clear when shoddy security leads to your fridge being press-ganged into a million-strong botnet. (Many consumers will never even know that their devices are compromised. Earlier this year, The New York Times ran a story about the owners of a Wisconsin welding shop who were baffled to discover that Chinese hackers had commandeered their computer, using it as a command-and-control server from which to launch cyber-attacks.)
The problem lies less with consumers than with device manufacturers who have either not considered security or simply see it as an expensive inconvenience. Many IoT devices ship with widely used default passwords, with no password protection, or are easily hackable; with some, users have no ability to change the password at all. The search engine Shodan can be used to trawl the internet for unsecured connected devices, from thermostats to printers to baby monitors. Simple apps like Live Camera Viewer, made for Android, provide feeds from unsecured surveillance cameras, offering an eerie, voyeuristic look into Russian hotels, Spanish restaurants, and German streetscapes, along with the requisite feeds of animals at play in aquariums and zoo exhibits. Because manufacturers rarely, if ever, update the firmware on their IoT devices—some have no way to push out security updates en masse—vulnerable devices like these are unlikely to ever be fixed.
Image via the New Republic.