What you need to know
Last week's crippling cyberattacks in the U.S. are a harbinger of the digital future and the ever more visible vulnerabilities of a networked world.
Last Friday, large parts of the internet in the United States were shut down by a series of attacks on a single company. The attackers deployed an old tool — distributed denial of service (DDoS) attacks — in a new and unprecedented fashion. The results were worrisome, not only because of the impact, but because they are a harbinger of the digital future and the ever more visible vulnerabilities of a networked world.
A DDoS attack is an assault on a web server in which the website is overwhelmed by the sheer quantity of data directed at it. In this case, the target was a company called Dyn, a small (500 employee) New Hampshire-based domain name service provider that is used by many of the largest internet companies. Dyn’s computers translate the URL that a user types into a web browser into a numerical IP address. Flooded by data at a rate of 1.2 terabits per second, the computers could not sort genuine requests from junk and all services were shut down.
The scale of the attack was facilitated by the use of thousands of devices that are connected to the internet but are not computers — household appliances such as refrigerators, thermostats, and even baby cameras, or closed circuit TV cameras — which are often referred to as the internet of things (IoT). These devices were hijacked by a readily available piece of malware called Mirai, which the hackers used to magnify the number of digital messages sent to the Dyn computers. It is estimated that as many as 550,000 devices around the world have been infected with Mirai, and last week’s attack used just 10 percent of them. When these devices are linked together and controlled by malware they are called a “botnet.”
It’s not clear why Dyn was the target of the assault. Speculation ranges from the mundane — retaliation for a report that Dyn published on just such attacks — to the more chilling argument of internet security specialist Bruce Schneider that “someone is learning to take down the internet.” He worries that this DDoS, like recent others, is preparation for a larger-scale assault on the digital society. “Someone is extensively testing the core defensive capabilities of the companies that provide critical internet services,” he explained last month. Other possibilities include a warning from Russia following U.S. charges that Russian hackers were interfering in American elections and that a U.S. counteroffensive could follow.
A collective called New World Hackers said on Twitter that it was responsible for the attack, claiming that it was only to “test power.” The group has taken credit for similar attacks against two large news sites in the U.S. and Britain, as well as cyberattacks against the Islamic State radicals. One member of the group said that last Friday’s assault was intended to highlight security vulnerabilities in the internet of things and to prompt manufacturers and users to tighten their security.
Digital evangelists have long promised that an interconnected world would be safer, more efficient and more attractive. Smart houses would use energy as required; smart refrigerators would automatically order food when they detected shortages among their contents; smart cars would drive themselves; individuals would have visibility of and knowledge about all the goings on in their proximity (or even when they are far away).
Yet every link in this virtual network is also a potential entrance point for bad actors. Every node is a gateway and rarely are these access points well guarded. Individuals are increasingly sensitive to the need for security in their software, as testified to by the growing length and complexity of passwords. But that same sensitivity is not evident when it comes to “dumb” pieces of hardware that rarely provide a consumer interface other than plug and play.
These devices, such as printers, routers, toasters, digital video recorders and cameras, are sold with preset passwords, poorly protected default internet connections and little continuing security service. Moreover, it is typically hard for an ordinary user to know how to beef up security by his or herself. Often, easy remote access is considered a feature, not a bug, since it allows the manufacturer to fix a product without having to send a repair person. That hackers can just as easily take control of these devices is only now becoming a concern.
It is estimated that at least 5 billion devices are linked to the internet of things and that number is growing by 5.5 million devices daily. The total should reach 20 billion devices by 2020. A consortium of U.S. companies is developing the Open Trust Protocol to provide security to protect connected devices and the European Union is drafting standards for security for the internet of things, but its chief ambition now seems to be the adoption of a sticker that alerts consumers to a device’s security level, just as similar stickers provide information about its energy use. Far more is needed, and fast.
The News Lens has been authorized to republish this editorial. The original can be found here.
Editor: Edward White