Millions unknowingly contribute to denial-of-service attack

Credit: Rawpixel.com/Shutterstock.com

These websites included Twitter, Spotify and Netflix, which were all made inaccessible at various points on Friday to people living mainly in the US, but also in parts of the UK, Europe and Asia

While normal service was eventually resumed, and while DDoS attacks are nothing new, Friday's incident was novel in the sense that it was enabled by IoT devices owned by millions of people.

Even though they were unaware that their smart appliances were helping to sending torrents of traffic to the affected websites, these people have helped to inaugurate what may turn out be a new era.

In it, the always expanding IoT will be harnessed to conduct disruptive attacks on the internet's infrastructure.

10s of millions

It was the internet's infrastructure that was specifically targeted in Friday's attack.

In particular, the perpetrators targeted a Domain Name System (DNS) company, Dyn, who are responsible for actually directing users to, say, the Twitter website when they enter "www.twitter.com" into their address bars.

By using a piece of malicious code called Mirai, these perpetrators had been able to take control of "10s of millions" smart devices, which are connected to the internet for the apparent reason of making them work more efficiently.

In this case, such devices included many CCTV cameras, as well as IoT-ready household appliances (e.g. smart TVs, smart thermostats).

Having them under their control, they were able to make them send a flood of access requests to Dyn, essentially asking Dyn to put them through all at once to the likes of Spotify, Reddit and SoundCloud.

The result of this was to prevent Dyn from doing their job properly in leading users to these targeted websites. As such, the sites either failed to load normally or went completely offline, leaving the people who actually wanted to access them somewhat bemused.

Internet of insecure things

Yet some of these people would have been even more bemused if they knew there was a chance their very own smart devices might have been used by hackers to carry out this attack.

This is what Dyn confirmed in their press release when they wrote that "one source of the traffic for the attacks were devices infected by the Mirai botnet".

A "botnet" is any network of computers controlled remotely via malware and used (generally) for less-than legal ends. And the Mirai botnet, more particularly, was what first came to public attention as a result of a September DDoS attack on cybersecurity journalist, Brian Krebs.

This was in fact the largest DDoS attack ever recorded, and according to content delivery network Akamai, it was made possible by the "Internet of (Insecure) Things".

The reason why such things as smart printers and smart cameras are insecure, is that they're often not protected by any kind of security or anti-virus software.

In fact, in explaining the most recent attack, Brian Krebs noted that many smart devices are "protected by little more than factory-default usernames and passwords".

Because these factory-default settings are common knowledge, the hackers can simply look them up on the internet and then add any individual device still using them to their botnet.

It's for this reason that owners of IoT devices should ensure they change the passwords of their devices as soon as they possibly can.

This is especially true when it comes to the owners of the specific gadgets Krebs believes were used recent Mirai attacks, which include numerous cameras, printers, routers and security cameras.

Yet they should also make sure they install the latest updates on their devices, since otherwise said devices may become vulnerable to security gaps or weaknesses.

It's not known precisely what flaw the hackers exploited on Friday, but a simple update to passwords and firmware may have been enough to prevent devices from being drawn into the botnet they used.

Security vs affordability

This may be so, yet the attack raises a bigger question for the future of smart devices and the internet of things.

That's because many of these devices aren't designed to run anti-virus software and security firewalls sufficient to withstand infection by malware.

While they may be connectible to the internet, they aren't on the same level of sophistication as Macs, PCs or even smartphones. They can't install and use traditional security software, so they present a weak link in the chain of cybersecurity that programmers are otherwise trying so hard to reinforce.

This is why the internet of things may not be entirely viable or safe on a truly global scale until these programmers learn how to fit IoT devices with the necessary defences.

And yet, because one of the supposed commercial benefits of the IoT is that smart devices provide people with increased convenience, it's still an open question as to whether smart devices can be reinforced with sufficient software while still remaining affordable.

In fact, it might be a dilemma. That's because on the one hand, increased, state-of-the-art cybersecurity might make a smart coffeemaker so expensive that many might end up purchasing a traditional coffee machine instead.

On the other, if manufacturers strive to keep their smart appliances affordable by installing them with only basic security software, then they may very well remain vulnerable to hacking.

Still, it's very early days in the life of the internet of things, and it should be said that IoT smart devices made up only a portion of the botnet used in Friday's attack.

So if you own a smart kettle or a smart TV, there's no need to start worrying yet. Just make sure you keep your appliances as up-to-date as possible, and if they have passwords and you can change them, then change them.