Cyberattackers this month brought down Internet access to Twitter, Netflix, Airbnb, the New York Times, and many other companies by hijacking thousands of poorly protected devices and forcing them to overwhelm a key Web traffic hub with a barrage of messages.
You—in the form of your camera, printer, router, or other device—may have been one of the hapless recruits to the cybercriminals’ renegade army. If so, how would you ever find out?
The unwelcome signs, according to cybersecurity expert Chris Risley, include everything from sluggishness in your device’s performance, to mysteriously high data charges on your next smartphone bill, or—worst-case scenario—a federal agent knocking on your company’s door with a subpoena.
Risley, the CEO of Atlanta security company Bastille, is one of the cyber defense experts who have been analyzing an attack on Manchester, NH-based Internet performance management company Dyn, which was the target of a denial-of-service attack Oct. 21 that blocked Web traffic to its customers, such as Twitter.
It took little sophistication to find devices like yours or your neighbor’s that could be made to fire a fusillade of messages to disable Dyn, Risley says, because most owners leave their devices so vulnerable.
“Some devices were merely plugged in by users and allowed to keep their default username and password,” Risley says. A sample default setting might be “admin” and “password” for user name and password, he says. “The attackers merely had their computers try the default credentials on every device they discovered.”
Some unwitting victims may have noticed nothing at all during the attack on Dyn. Or, those in the affected U.S. regions may attribute their camera’s temporary balkiness to the Internet disruption they heard about on the news—unaware that they themselves helped cause the crash. But once their devices have been compromised, they silently stand ready to join in another attack under new orders from the same network of bad guys, Risley says.
Cybercriminals carrying out such attacks are taking advantage of a huge increase in the number of connected devices now inhabiting homes, cars, schools, commuter trains, and offices. This Internet of Things includes everything from smart refrigerators to talking dolls. Device manufacturers have been accused of skimping on security measures to keep the price of these products low. Even when security precautions are offered—such as the option to change default passwords—consumers often lack the time or the know-how to take these steps.
Malicious hackers can scan much of the device population within an hour to muster a global regiment of thousands that will amplify their attacks and mask their role as the originators of the action. This is called a Distributed Denial of Service Attack (DDoS.)
Andrew Mitchell, vice president of engineering at cybersecurity company TrueVault, based in Redwood City, CA, sees the attack on Dyn as an escalation of the DDoS tactic, because the cybercriminals were able to block Web access to many companies, rather than just a single target, by disabling the Dyn infrastructure they all relied on.
Some observers are concerned that this may be a practice run for a broader attack on the Internet for a specific purpose, such as an attempt to interfere with the U.S. election process. No effective routes are yet in place to broadly protect individuals from helping to sabotage their own Internet access, their economy, or their democracy.
“It can be really hard for the average consumer to know if they’re buying a device with good security properties or an easy target for hackers,” Mitchell says. “This is an area where governments and trade groups need to step up. It would be great if there were seals of approval from trade groups verifying that the device meets basic security requirements.”
One line of defense for consumers is to turn their devices off while not in use. A device that is unplugged and has no battery could not be activated to join in a cyberattack, Mitchell says. But “if the device is in a ‘sleep’ mode, where it is still powered on but has suspended normal operation, the attacker may be able to wake it up remotely and use it to begin an attack.” Mitchell is careful to say that he’s drawing on his own technical knowledge, and reports about such attacks, but is not privy to specific forensic data about the attack on Dyn.
Once they’ve taken control of a device, DDoS attackers would probably push it to send out as many messages as possible to maximize the power of their attack, Risley says.
“They will run an instruction on your device that will effectively say: Step One: Send this query to this address xx.xxx.xxx.xxx. Step Two: Repeat Step One,” Risley says.
“This will impact the performance of the device because all of its processing power will be busy in the sending loop,” he says.
The device would seem to freeze, or work very slowly, and it might exhaust its battery. If it overwhelms the Internet connection’s ability to handle the flood of outgoing messages, the user would lose the ability to use software that relies on Web access, Risley says. Risley is the former CEO of cloud-based DDoS mitigation company Defense.net. At Bastille, he leads a security company focused on preventing attacks on devices via wireless and other radio-frequency communications.
DDoS attackers may set a limit on the number of times the device should repeat sending the message to the target. But Risley says they may also include another command telling the device to check back periodically with a server they control. Then the device can be given new orders, “so that every so often the attacker can stop the attack, redirect the attack, or respond to the victim’s evolving defense.”
In this way, cybercriminals have assembled involuntary “standing armies” of devices that they can not only use in their own attacks, but can also profit from by renting them out to other bad actors with different purposes in mind. These might be activists with a cause, terrorists, criminals seeking a ransom for a victim’s data, or just young hackers who want to show off, says security intelligence company Flashpoint in a review of the Dyn attack.
After an attack, a compromised device may go back to functioning innocently and well. But like the secretly brainwashed Manchurian Candidate of fiction, it can be triggered to act malignantly at another time by a signal from an outside agent who owns or rents the criminal’s robotic army.
Even if the hackers don’t tell your device to stop sending out messages at some point, that doesn’t necessarily mean your device will endlessly continue to pump out rogue data packets and become useless.
“Typically, it will forget the instructions when it’s powered down, so a reboot would fix it,” Risley says.
But the bad news is, once the attackers know the device’s username and password, they can easily re-infect it, cybersecurity experts say.
After the attack, the device owner may notice a run-up of data charges incurred for unintentionally sending a flurry of messages on the hackers’ orders. “DDoS traffic will be subtracted from your monthly data usage caps and allowance,” Risley says.
Once compromised for an attack on a target such as Dyn, the device can also be used as an entering wedge to invade the owner’s own network and steal data.
These risks might be compelling enough to motivate many consumers to shut cybercriminals out of their devices. But what can they do? Even users who make the effort to change their default passwords can still leave their devices open to attack.
In addition to a Web Login Protocol, devices may support other points of entry. This was the case for cameras made by XiongMai Technologies, whose webcams are some of the suspected vehicles of the attack on Dyn, Risley says. “In addition to the Web Login Protocol, the cameras supported SSH and Telnet logins so the attackers could try the default passwords for these logins to take control of the device,” he says.
He advises users to search online manuals to find out what ports their devices support, close them off, and also to change their router configurations. (Risley points to this Consumer Reports article for guidance on routers.)
Consumers aren’t the only users who fail to plug every hole in a device’s defenses. Devices owned by companies are also being deployed in DDoS attacks—including security camera DVRs, Risley says. He didn’t have figures on the percentage of company devices used in the Dyn attack. But Risley says an estimated 80 percent of the devices used in a similar attack on security analyst Brian Krebs earlier this month may have been commercial security DVR’s.
This can be a big embarrassment for the companies involved, he says. In addition, telecommunications firms may shut down the Internet connections of companies that seem to be pumping out DDoS traffic. And other businesses may block e-mail messages and other communications from sites that involuntarily generated the cybercriminal’s barrage of messages. On top of those headaches, a company could find itself in trouble with the law.
“Unsophisticated law enforcement often believes that the source of the attack packets is the source of the attack,” Risley says, adding that “it almost never is because hackers don’t like to be caught.” He says, “But just because law enforcement is wrong doesn’t mean they don’t have the power to subpoena your Internet records and the records of your Internet Service provider. Red tape can last years after an incident.”