This is the story of a very simple effect arising from a wickedly complex cause. On Friday, October 21, 2016, many popular websites including Twitter, Paypal, Spotify, Mashable, CNN, the New York Times, the Wall Street Journal, and Yelp went down. This is easy enough to understand—and to many millions of internet users the temporary crashing of such beloved online mainstays was more than a mere annoyance, but something closer to an electronic natural catastrophe.
Except, of course, there was nothing “natural” about this particular catastrophe. It was the result of a concentrated attack by hackers exploiting a particular weakness that had been alarming network security professionals for a long time. To stick with the metaphor of natural disasters, the attack exposed a fault line in our networked world. That fault line may have been manmade in the first place, but it is a part of the digital landscape now and must somehow be addressed.
To summarize the October 21, 2016 hack in a single sentence: an as-yet unidentified group of attackers conducted a sophisticated, highly-distributed Denial of Service attack using tens of millions of IP addresses, many of them hijacked from Internet of Things devices infected by the Mirai botnet. If that sentence made sense to you, then you probably have no further reason to read the rest of this article. If, however, that was an unapproachable word salad of technobabble and gibberish, then allow me to break down what happened piece by piece.
PART 1: THE VICTIM
Every networked computing device that uses the internet to communicate is identified by a numerical label, called an Internet Protocol address or IP address. These are most commonly encountered as 32-bit numbers expressed in four decimal blocks separated by periods, for example 184.108.40.206. Because a given IP address should identify only one unique device in a network, and there are so very many devices connected to the internet, the range of available IP addresses is being depleted. To deal with this, a new version of IP using 128 bits for its addresses was developed. It was, in fact, developed all the way back in 1995, but has yet to be widely deployed.
Regardless of whether an IP address is 32 or 128 bits long, ordinary users of the Internet are not expected to remember the IP addresses of their favorite sites. Instead, the Domain Name System (DNS) maps human-friendly names, the kind found in a Uniform Resource Locator (URL), onto IP addresses. Not only is it substantially easier to remember the name Google.com than the IP address 220.127.116.11, the DNS offers another benefit: a website can use many IP addresses, or change them as needed, without burdening the user with that level of detail. Google, for example, holds a great many IP addresses, not all of which are active at any given point in time. The user merely needs to remember one name and let the DNS do its work in the background to direct the browser to the correct IP address.
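To make the two ideas in Part 1 concrete, here is an added Python example (not from the original article) that checks the width of an address with the standard library's `ipaddress` module and then walks through a toy name lookup. The zone `SAMPLE_ZONE`, the name `example-site.test` and the addresses behind it are constructed placeholders, not any real site's records; the `resolve` function is a simplified stand-in for a real resolver, and its `resolver_reachable` flag is an assumption used to show what a user sees when the name service itself, rather than the website, is unavailable.

```python
import ipaddress

# Constructed sample zone: one human-friendly name maps to several addresses.
# The name and the addresses are placeholders, not any real site's records.
SAMPLE_ZONE = {
    "example-site.test": ["184.108.40.206", "220.127.116.11", "203.0.113.7"],
}


def address_bits(text):
    """Return the width in bits of an IP address: 32 for IPv4, 128 for IPv6."""
    return len(ipaddress.ip_address(text).packed) * 8


def address_space_size(version):
    """Number of distinct addresses the given IP version can express."""
    return 2 ** (32 if version == 4 else 128)


def resolve(name, zone=SAMPLE_ZONE, active=None, resolver_reachable=True):
    """Look up `name` the way a browser would, by asking the name service.

    Returns the list of currently active addresses behind the name, or None
    when the name service itself cannot be reached: the site's own servers
    may be perfectly healthy, but without the lookup the browser has nowhere
    to go. `active` is an optional set of addresses the operator has marked
    as live; when it is omitted every address in the zone is returned.
    """
    if not resolver_reachable:
        return None
    key = name.lower().rstrip(".")          # names are case-insensitive
    candidates = zone.get(key, [])
    if active is None:
        return list(candidates)
    return [addr for addr in candidates if addr in active]


if __name__ == "__main__":
    print("IPv4 width:", address_bits("184.108.40.206"), "bits")
    print("IPv6 width:", address_bits("2001:db8::1"), "bits")
    print("IPv6 space is 2^%d times larger" % (128 - 32))
    print("all addresses:", resolve("Example-Site.test."))
    print("only the active one:", resolve("example-site.test", active={"220.127.116.11"}))
    print("name service down:", resolve("example-site.test", resolver_reachable=False))
```

The last call is the situation Part 1 builds toward: the user types the same name as always, the site's servers are untouched, yet the lookup returns nothing because the service that answers name lookups is the part that has been taken out.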
The target of the October 21, 2016 attack was a New Hampshire-based Internet Domain Name System service provider named Dyn. Dyn’s clients include Twitter, Etsy, Zappos, CNBC, Zillow, Soundcloud… a lot of marquee Internet brands. When a user attempts to access one of these websites, Dyn’s servers are busy in the background of that communication, making sure the traffic is directed to the correct IP address. By directly attacking Dyn, the hackers indirectly interrupted traffic to these other websites.
PART 2: THE VILLAIN
A computer has a finite capacity to service requests for data. A “denial of service” attack (DoS) exploits this fact by flooding a target computer with requests, so that the overwhelmed machine not only cannot respond to all of them, it gives up responding to any of them. The same limitation applies to the attacking computer, too—there are only so many requests a single device is capable of sending. To overwhelm a computer with requests it helps to have a lot of devices chiming in all at once—a Distributed Denial of Service attack (DDoS) coordinates many thousands or more distinct devices to bombard the target.
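The following Python simulation is an added example, not part of the original article, that shows why distribution matters so much for a defender. It models one second at a server that can answer a fixed number of requests and applies a per-address rate limit, a common first line of defense. The capacity of 100 requests, the per-address limit of 20, and every address in it (`198.51.100.1`, the `10.0.x.y` range, `192.0.2.10`) are constructed values chosen for illustration; nothing here touches a network.

```python
from collections import Counter

SERVER_CAPACITY = 100    # requests the target can answer in one second (assumed)
PER_SOURCE_LIMIT = 20    # per-address rate limit a defender might configure (assumed)
LEGIT_IP = "192.0.2.10"  # constructed address of an ordinary user


def serve_second(requests, capacity=SERVER_CAPACITY, per_source_limit=PER_SOURCE_LIMIT):
    """Simulate one second of traffic at a server that can answer `capacity` requests.

    `requests` is a list of source addresses, one entry per request, in arrival
    order. A request from a source that has already exceeded `per_source_limit`
    this second is rejected at the door; everything else is admitted, and the
    server answers the first `capacity` admitted requests and drops the rest.
    """
    seen = Counter()
    admitted = []
    rate_limited = 0
    for src in requests:
        seen[src] += 1
        if seen[src] > per_source_limit:
            rate_limited += 1
        else:
            admitted.append(src)
    served = admitted[:capacity]
    return {
        "served": served,                              # addresses that got an answer
        "rate_limited": rate_limited,                  # rejected by the per-address limit
        "overloaded": len(admitted) - len(served),     # admitted but never answered
    }


def single_source_flood(n):
    """n requests from one constructed address: a plain, non-distributed DoS."""
    return ["198.51.100.1"] * n


def distributed_flood(n_sources, per_source):
    """n_sources constructed addresses, each sending per_source requests. With
    per_source below the limit, no single address looks abusive on its own."""
    return [f"10.0.{i // 256}.{i % 256}" for i in range(n_sources) for _ in range(per_source)]


def legit_requests_served(attack_traffic, legit_count=5):
    """How many of an ordinary user's requests are answered when they arrive
    in the same second, behind the attack traffic."""
    result = serve_second(attack_traffic + [LEGIT_IP] * legit_count)
    return result["served"].count(LEGIT_IP)


if __name__ == "__main__":
    single = serve_second(single_source_flood(1000))
    print("single source: served", len(single["served"]), "rate-limited", single["rate_limited"],
          "overloaded", single["overloaded"])
    print("user requests answered behind it:", legit_requests_served(single_source_flood(1000)))

    spread = serve_second(distributed_flood(500, 10))
    print("distributed: served", len(spread["served"]), "rate-limited", spread["rate_limited"],
          "overloaded", spread["overloaded"])
    print("user requests answered behind it:", legit_requests_served(distributed_flood(500, 10)))
```

Against a single source the per-address limit does its job: 980 of the 1,000 requests are turned away and the ordinary user's five requests are all answered. Against 500 sources sending ten requests each, not one request trips the limit, the server's 100-request budget is spent entirely on attack traffic, and the ordinary user gets nothing. That asymmetry is the whole reason attackers go to the trouble of assembling a botnet.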
One way of getting access to thousands or more distinct devices is to infect them with malware. The malware allows a third party to take control of the device and direct its activities—such as commanding them to effect a DDoS attack. A network of infected devices that can be centrally controlled is called a botnet—a portmanteau word combining “robot” and “network.”
In the case of the October 21, 2016 Dyn attack, the botnet consisted of devices infected with a strain of malware called Mirai (the Japanese word for “future”). There are two aspects of the Mirai botnet of particular interest here. The first is that, like many botnets, it is available for rent. DDoS attacks can be prosecuted as a federal crime under the Computer Fraud and Abuse Act, as well as other statutes. Attackers who direct such operations therefore have a natural incentive to avoid leaving a trail back to themselves. The use of a rented botnet adds one more layer of abstraction and distance to an already byzantine series of steps: 1) prominent web sites were temporarily disabled due to 2) an attack on a DNS system conducted by 3) infected computing devices that were compromised by 4) Mirai malware that had been placed there by a party possibly entirely unrelated to the rest of the chain of events.
The second distinctive aspect of the Mirai botnet, however, was the kind of devices it compromised. Mirai is designed to seek out the Internet of Things.
PART 3: THE MURDER WEAPON
The “Internet of Things” (IoT for those of you playing acronym bingo) is a buzzword for the growing phenomenon of various consumer and commercial devices being networked together. Thanks to increasingly tiny electronics and sensors, it has become possible to make just about any consumer device “smart.” Cars, refrigerators, watches, thermostats, televisions, roadway tollbooths… the analyst firm Gartner has estimated that by 2020 there will be over 26 billion networked things. There are already an estimated 6 or 7 billion networked things, with another 5 million or so coming online every day.
There are many advantages to this brave new world of connectivity—but in all the hype and enthusiasm about the prospects and profits to be found in the IoT, little attention was paid to security. In the summer of 2014, HP published the results of its study of IoT device security, warning that 70% of the most commonly used IoT devices contained vulnerabilities, and that each individual device had on average 25 vulnerabilities! The concerns included a lack of encrypted transmissions, insecure interfaces, and poor safeguards when downloading software. Eighty percent of all the IoT devices tested by HP had poor password security, often with default passwords like “1234” left in place.
A different study found that the majority of IoT devices reused software code—an understandable cost saving for the developer, but it meant that any hacker’s discovery of a vulnerability in one device was tantamount to exposing an exploitable weakness in nearly every device. In July 2016, researchers at Senrio reported they had discovered a security flaw in a webcam manufactured by D-Link—only to then realize that the bug was actually present in 400,000 publicly accessible consumer devices. At the 2015 DefCon 23 hacker conference, Runa Sandvik and Michael Auger demonstrated how to remotely penetrate a Wi-Fi-enabled long-range sniper rifle made by the Austin-based company TrackingPoint. The rifle’s high-tech design supposedly enhances the shooter’s accuracy—but Sandvik and Auger showed how they could compromise the rifle’s software and change the aim, causing it to hit a target 2.5 feet to the left.
Mirai infected tens of millions of devices, for a Distributed Denial of Service attack on a scale never before seen. There are more IoT devices than traditional computers (as of the time the Dyn attack occurred, there were more than three IoT devices for every PC), their security is notoriously lax, and finding a vulnerability on one can open up access to countless more. The Mirai botnet consists substantially of cameras and DVRs running software from a single vendor, China’s Hangzhou XiongMai Technologies. Their software uses default passwords, easily available online—a single vulnerability, extruded like widgets from a factory into tens of thousands of consumer products, which were then zombified and used as cyber weapons.
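The defender-side counterpart to the default-password problem described in the HP findings and in the XiongMai case above is a credential audit of one's own device inventory. The Python below is an added example, not code from the article or from any vendor: `KNOWN_DEFAULTS` is a constructed placeholder for the published default lists the article mentions, `INVENTORY` is a constructed asset export with made-up vendors and models, and `MIN_PASSWORD_LENGTH` is an assumed policy value. It flags each device that still carries a factory default or an otherwise weak credential, and then counts how many units share the same unchanged default, which is the "one vulnerability, multiplied across the product line" effect the paragraph describes. It connects to nothing; it only reads the inventory.

```python
from collections import Counter

# Constructed factory-default credential pairs. Placeholders standing in for
# the published default lists the article refers to, not any vendor's settings.
KNOWN_DEFAULTS = {("admin", "1234"), ("admin", "admin"), ("root", "root")}

# Constructed inventory, as a defender might export it from an asset database.
# In practice the credential fields would be taken from each device's own
# configuration export rather than from a spreadsheet of plaintext passwords.
INVENTORY = [
    {"id": "cam-01", "vendor": "ExampleCam", "model": "C100", "username": "admin", "password": "1234"},
    {"id": "cam-02", "vendor": "ExampleCam", "model": "C100", "username": "admin", "password": "1234"},
    {"id": "cam-03", "vendor": "ExampleCam", "model": "C100", "username": "admin", "password": "1234"},
    {"id": "dvr-01", "vendor": "ExampleDVR", "model": "D8", "username": "root", "password": "root"},
    {"id": "dvr-02", "vendor": "ExampleDVR", "model": "D8", "username": "root", "password": "Xq7!pL2#vN9kRt"},
    {"id": "tstat-1", "vendor": "ExampleHeat", "model": "T1", "username": "owner", "password": "owner"},
]

MIN_PASSWORD_LENGTH = 12  # assumed policy value


def audit_device(device, defaults=KNOWN_DEFAULTS):
    """Return the list of credential findings for one device (empty if clean)."""
    findings = []
    cred = (device["username"], device["password"])
    if cred in defaults:
        findings.append("factory-default-credentials")
    if device["password"] == device["username"]:
        findings.append("password-equals-username")
    if len(device["password"]) < MIN_PASSWORD_LENGTH:
        findings.append("password-too-short")
    return findings


def audit_inventory(inventory=INVENTORY):
    """Map each device id that has at least one finding to its findings."""
    report = {}
    for device in inventory:
        findings = audit_device(device)
        if findings:
            report[device["id"]] = findings
    return report


def shared_default_exposure(inventory=INVENTORY, defaults=KNOWN_DEFAULTS):
    """Count, per (vendor, model, credential pair), how many devices still run
    the same unchanged factory default. One default shipped in many units is a
    single weakness multiplied across the whole fleet."""
    counts = Counter()
    for device in inventory:
        cred = (device["username"], device["password"])
        if cred in defaults:
            counts[(device["vendor"], device["model"], cred)] += 1
    return counts


if __name__ == "__main__":
    for device_id, findings in audit_inventory().items():
        print(device_id, "->", ", ".join(findings))
    for (vendor, model, cred), n in shared_default_exposure().most_common():
        print(f"{n} x {vendor} {model} still on default user {cred[0]!r}")
```

In this constructed inventory the three cameras share one unchanged default, so the fix for all three is a single vendor-wide change, and the one DVR whose password was actually changed produces no finding at all; that is the outcome a fleet owner wants to see after rollout.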
The risks of low security on IoT devices had concerned the information security community for years. The FTC issued “best practices” guidelines in January 2015, and followed that up with official guidelines and workshops to encourage vendors to improve security. The Dyn attack brought a new sense of urgency to these issues, along with more widespread public attention. A congressional inquiry into the attack called upon the FCC to weigh in on whether greater cybersecurity safeguards needed to be mandated by government regulators. Part of the debate includes the Open Internet order adopted in 2015 to ensure net neutrality, and whether that rule limits the ability of network providers to exclude insecure IoT devices.
The issue remains unsettled. No new governmental regulations have been instituted. Billions of insecure devices are in use. The Mirai botnet has been used to attack Dyn, as well as in earlier assaults on security reporter Brian Krebs’s website and a French cloud provider’s services. Arbor Networks reports that at least 500,000 IoT devices are still known to be under the control of Mirai malware. On Halloween Day, 2016, a new malware strain called Linux/IRCTelnet was discovered to be infecting a new army of bots, readying them for the next DDoS attack yet to come.