The Dyn Attack Shines A Light On The Overlooked Element Of Internet Security: Smart Devices

Hack Attack: Change Factory Passwords

On October 21, 2016, a massive hacking attack caused a number of popular sites like Twitter, Reddit, Netflix and Spotify to become inaccessible for large portions of the day. The distributed denial-of-service (DDoS) attack was directed at Dyn DNS Company, a major Domain Name System (DNS) hosting service responsible for routing traffic to these and millions of other sites. The attack itself was crude. It simply consisted of bombarding Dyn with junk traffic, overloading the company’s capacity to process its normal traffic.

What was impressive about it was the scale. The perpetrators and the exact number of devices involved are unknown, but based on the scope of the traffic, it is quite likely that tens of millions of devices were involved.

The bulk of these devices are thought to be smart devices rather than compromised computers: home appliances and gadgets like refrigerators, cameras, televisions, routers, DVRs, and even toasters. While these devices have very limited computing capability, an attacker can still instruct them to drive traffic to a site, and when millions of them are making requests to the same site, it makes for a very potent threat to internet security.

Why are smart devices so commonly used in these attacks? Because, by and large, they are poorly secured and much easier for attackers to take over than a computer that has even rudimentary security measures in place. In today’s post we’ll go over some of the most common security issues with these devices.

Default Passwords
To be blunt, many manufacturers of smart devices are simply not taking security seriously yet, especially at the lower end of the market. You can find numerous examples of these devices that ship with a standard default password that cannot be changed. When this is the case, anyone who can get a copy of the instruction or service manual for the device can potentially access it remotely.

Even when it is possible to change the password from the default, many device owners opt not to. Some owners are lulled into a false sense of security by the device manufacturer providing a unique default password with each individual device; however, if these passwords are a short alphanumeric string, it is still relatively easy for any attacker to compromise them with a “brute force” password guessing attack.

Weak Passwords
Other than cameras and a very small handful of other devices, there appears to be little reason to properly secure a smart device. After all, what is an attacker going to do with access to your toaster? With this thinking in place, device owners may opt to choose a very simple and short password that is easy for them to remember. Naturally, this makes it trivial for an attacker to brute-force it or to simply guess it.
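To put numbers on the two password sections above, here is an added example (not part of the original post) that audits a device inventory you own. The default list, the inventory, the 100 guesses-per-second rate and the 60-bit threshold are all constructed assumptions.

```python
import math
import string

# Constructed placeholder defaults, not taken from any real device manual.
FACTORY_DEFAULTS = {"admin", "password", "12345", "default"}
GUESSES_PER_SECOND = 100  # assumed rate of online login guesses
MIN_BITS = 60             # assumed policy threshold for "strong enough"

def charset_size(password):
    """Size of the smallest common alphabet covering every character used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password)) or 1

def search_space_bits(password):
    """Upper bound on guessing work, log2(alphabet ** length).
    Dictionary words fall much faster than this bound suggests."""
    return len(password) * math.log2(charset_size(password))

def days_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case days to try every string of this length and alphabet."""
    return 2 ** search_space_bits(password) / rate / 86400

def audit(password, min_bits=MIN_BITS):
    """Classify a device password as 'factory-default', 'weak' or 'ok'."""
    if password.lower() in FACTORY_DEFAULTS:
        return "factory-default"
    if search_space_bits(password) < min_bits:
        return "weak"
    return "ok"

# Constructed inventory: device name -> password currently set on it.
INVENTORY = {
    "camera": "admin",                          # shipped default, never changed
    "dvr": "K7Q2M9",                            # unique but short per-device default
    "router": "correct-Horse7-battery-staple",  # owner-chosen long passphrase
}

if __name__ == "__main__":
    for device, pw in INVENTORY.items():
        print(f"{device:8} {audit(pw):16} {search_space_bits(pw):6.1f} bits "
              f"{days_to_exhaust(pw):12.3g} days worst case")
```

The six-character unique default comes out at about 31 bits, which even at this slow guess rate is exhausted in under a year, so a per-device default is only as good as its length.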

If a smart device is connected to the internet, it is just as susceptible to malware as a computer is. A “trojan” form of malware called Mirai is thought to have been responsible for the bulk of the Dyn attacks. The creator of Mirai has released the source code to the public, and many ISPs have begun implementing measures to recognize and automatically block devices that are infected with it. That’s just one trojan among many, however, with hackers working feverishly to develop new varieties all the time. Again, device security is not nearly as robust as that of the average computer, making it relatively easy for attackers to infect devices they can reach.

The recent DDoS attacks make clear that smart device security needs to be taken much more seriously by the entire industry. While no one may care much about the possibility of attackers burning their toast or changing their thermostat settings, enough compromised devices together hold the power to deny internet access to everyone.
