Your toaster can be hacked. Your refrigerator can be hacked. Your thermostat can be hacked. And when hacked, your everyday devices can be harnessed to launch a cyber attack. On October 21, across the US and Europe for several hours, that is precisely what happened. Websites that are integral to people’s everyday lives, like Twitter, Spotify, Netflix, and Reddit, refused to load. Experts are saying that this was the largest attack of its kind thus far.
These internet disruptions, which primarily affected the northeast United States, are believed to have been caused by a Distributed Denial of Service (DDoS) attack. DDoS attacks exploit the way websites are accessed. When a URL is typed into a browser, the browser doesn’t immediately connect to that website. Rather, there’s an intermediate step that must occur first, in which the URL must be matched with the IP address. Dyn, a major Domain Name System (DNS) provider, is one of the companies that facilitates this step. Its clients are some of the most highly frequented websites in the world. On the day of the most recent disruptions, Dyn received so many requests to convert URLs into IP addresses that the server became overwhelmed and could no longer process requests.
This influx of requests didn’t happen because the number of people trying to check Twitter suddenly spiked—it happened because the people behind this attack hacked devices all over the world in order to bombard Dyn with artificial requests. In general, DDoS attackers hack computers to form an electronic army that invades servers. These armies are referred to as botnets. But this attack was of particular significance because it was accomplished through the use of a Mirai botnet, meaning that instead of computers, the attackers targeted everyday devices like internet-connected toasters, refrigerators, and thermostats.
This was possible because the objects in our world are increasingly linking to the Internet, creating what is known as the “internet of things” (IoT). The IoT includes DVRs, routers, baby monitors, toasters, refrigerators, and thermostats. Unlike computers, IoT devices do not hold personal or sensitive information. Because of this, companies have less incentive to invest in the security of such devices and consequently they are left extremely vulnerable to hackers. On the day of the attacks, IoT devices were hacked and manipulated to overload Dyn. It’s as if 5,000 people are yelling at you, giving you directions for how to drive into Boston. Only a handful of these driving directions are correct. But you’re not going to be able to follow the accurate ones, because you can’t hear them over the screeching of all the faulty directions. You’ll never get into Boston. The website will never load.
It’s not the first time an attack like this has taken place. The hacktivist group “Anonymous” has been launching DDoS attacks with political motivations for years. In January 2011, “Anonymous” responded to the Arab Spring and the ensuing protests in Egypt by knocking multiple Egyptian official government websites offline. In June of 2016, they targeted and took down the Internet Archive, a site that is allegedly utilized by ISIS, for several hours. While “Anonymous” may be at the forefront of this kind of hacking, they have not claimed responsibility for the recent October attacks. In general, “Anonymous” launches attacks with the intention of preserving the freedom of speech and resisting the influence of the government. This attack doesn’t seem to be along the lines of these motives and the party responsible remains unknown.
As of now, it’s impossible to determine the motivation behind this attack. A penetration tester at the security firm Redscan, Robert Page, commented on the anonymity in an interview with the Guardian. “It’s interesting that nobody has yet claimed credit for the attack,” he said. “The relative ease at which DDoS attacks are to execute, however, suggests that the perpetrators are most likely teenagers looking to cause mischief rather than malicious state-sponsored attackers.”
Fahad Dogar, an Assistant Professor in the Computer Science department at Tufts, said the attack could be economically motivated, though it’s also possible that a random hacker simply wanted to prove a point.
“The motivation could really vary, from economic motivations. If a website is down, it’s losing reputation, it’s losing revenue, it’s losing users. There are non-economic considerations, too. Many hackers are just trying to prove a point, to test out their skills. In some cases, there are hackers who will do an attack to bring something to the attention of everyone. All of these possibilities exist.”
A study conducted in 2012 by the Ponemon Institute, which researches security and data protection, reported that it costs a company $22,000 for every minute they are down during a DDoS attack.
However, the threat is not merely economic. While not having access to Spotify for an afternoon may not seem like a big deal, these internet disruptions have much larger implications. Dogar sees these disruptions as indicative of future threats. “There could be much more critical things, like the electricity grid. If an attack like this brings that down, it could actually impact people’s lives,” he said. “Or, for example, increasingly we are hearing about critical services like 911 potentially moving to the cloud or to the Internet. Let’s imagine someone is trying to reach 911, but 911 isn’t available because something like this has happened. The Internet and the Cloud is becoming an integral part of everyone, so I think common users need to be aware of this.”
This concern grows increasingly valid as more and more of the world moves to the Cloud. Gartner Inc., an information technology research firm, projects that in the next five years over $1 trillion in IT spending will be influenced by the cloud. Following this trend, the US Department of Homeland Security has made huge shifts towards moving their operations to the cloud, as they strive to be a model of IT excellence.
Ming Chow, Senior Lecturer in the Computer Science department at Tufts, explained that the blame for these attacks should not be isolated to one single group.
“Everyone is at fault. Certainly the vendor. And now the devices are being recalled. Users for not changing default passwords. Developers and educators for not putting enough emphasis on cyber security. Users for taking technology for granted. Businesses for churning out products naively. Government for having no idea how to respond. It’s a collective problem.”
Panasonic, Samsung, and Xerox are believed to have manufactured some of the devices that were manipulated to launch the attack. These companies, along with lesser-known ones, had loose security standards. Additionally, legislatures have yet to implement policies that create a safe IoT world. And consumers are uneducated and unaware of the dangers of a router that has weak security.
Dogar sees the need for a pivotal shift in the security of IoT devices. “We need to fundamentally rethink our security model. We can’t trust every device to be secure, because these devices are coming from so many different sources, from so many different manufacturers that you can’t really trust all of them. And from a non-technical perspective, it’s important to realize that whatever solution we come up with, we need to align the economic incentives with it. It’s usability, it’s economics, it’s policy. All these things have to be in place for the situation to be working.”
Dogar emphasized the significance of an attack of this scale. “Certainly it’s a big alarm for everyone. It could be much worse than this.” Chow also sees the implications as critical. “Imagine if a service, a web service like Facebook or a power plant, goes down—you have no access or no power. How would you feel?”