THE UNPRECEDENTED DDoS attack on DNS provider Dyn last Friday was caused by a Mirai botnet made up of tens of thousands of Internet of Things (IoT) devices.
Analysts have confirmed that the attack, which knocked major websites including Spotify and Twitter offline for several hours, was caused by hackers using the compute power of poorly secured IP cameras, home controllers and other on-premise devices to flood Dyn’s servers with data.
Mirai is a piece of malware specifically designed to exploit devices that still use their default passwords. Although relatively tiny in size and capacity, these devices have enough brain aboard to send a series of requests to another server, which is what happened here in a highly coordinated fashion.
While it has been known for some time that IP cameras are vulnerable, mainly because of users' failure to change default passwords, this is the first time we've seen this vulnerability harnessed on such a spectacular scale with three DDoS attacks within a matter of hours.
Dyn responded to the attack with a blog post over the weekend in which Chief Strategy Officer Kyle York said: "It is said that eternal vigilance is the price of liberty. As a company and individuals, we're committed to a free and open internet, which has been the source of so much innovation.
"We must continue to work together to make the internet a more resilient place to work, play and communicate. That’s our commercial vision as a company and our collective mission as an internet infrastructure community."
In other words, change your bleedin’ passwords.
IP cameras, which have been singled out by several analysts, have been exploited for some time, with websites containing entire directories of unprotected webcams freely available to anyone wanting to view them.
Mark Zuckerberg demonstrated his own concerns about the vulnerability of internet-connected cameras earlier this year when he was photographed with electrical tape shielding his webcam.
It is thought that attacks like this will become more frequent in the future, adding to the argument to keep control of your IoT devices in the cloud, unless you are able to manage a centralised server yourself and create strong passwords for each and every last door sensor, window latch and camera. And kettle. And the telly. µ