Friday, October 21st was a rough day for many on the internet. This was the day a massive DDoS attack took place against Dyn DNS; taking sites like Twitter, Amazon, New York Times, and many others off line. The day that your appliances are on the attack. With our favorite social media tools down OSINT was slim, so we had to find other ways to pass our time (thank you Candy Crush)
You may be asking, “How does an attack on Dyn affect my Reddit browsing?” To put it simply, Dyn provides Doman Name Systems (DNS) to many top sites. So when you type in www.reddit.com in your browser, you’re automatically pointed to the correct IP address of that site. Without services like Dyn we’d have to know the exact IP of the site we wanted to get to, and that’s a lot of numbers to remember. Something that day started flooding Dyn’s servers with traffic to the point of failure, or what is known as a Distributed Denial of Service (DDOS). It’d be the equivalent of tricking Uber to send thousands of cars to your house causing a traffic-jam, then preventing any legitimate traffic from passing down the street.
In the end, it was found that the Mirai botnet had infected hundreds of thousands of IoT devices connected to the web. These were mostly security cameras, DVR’s, and other devices left unsecured or using the factory default passwords. The bigger issue is that many of these devices have hard-coded passwords that are unchangeable, and without a manual firmware upgrade, are still vulnerable to more attacks.
Some reporters at the Atlantic recently tried to test how vulnerable their IoT devices were, so they created a fake web toaster and put it online. They thought it may take a few days or a week to get a hacking attempt, but were shocked that the first hack came in under an hour after going online. After 10 hours more than three-hundred separate IP addresses had attempted to hack into the “toaster”.
One thing to consider with lack of security in IoT devices is the ability to track if/when your house is occupied. While you’re away at work, many program their thermostats to adjust the temperature during that time period. As we get in to more IoT devices like smart lights, connected refrigerators, locks, and garage door openers, imagine if they were hacked and reported back when the home wasn’t occupied. It would be a thief’s paradise to have this information and be able to burgle at will; and your camera system wouldn’t capture it since it too was hacked.
Before purchasing an IoT device for your home, make sure you research the device to ensure you can change all passwords. Then change all passwords as soon as the device is installed. If you find an insecurity, write to the companies to complain about lack of security and to report vulnerabilities.