Smart Homes, Dumb Security

By on Dec 1, 2016 in Technology

On October 21, 2016, many of the world’s most popular websites were incapacitated by a series of distributed denial of service (DDoS) attacks. Users trying to blast off a tweet or listen to their favorite track on Spotify suddenly found themselves stranded on 404-error pages or stalled by perpetual “loading” messages on their browser. The culprit? Massive denial of service attacks overwhelming servers and cutting off access.

While DDoS attacks are actually quite commonplace (though not always as widespread), this time the method was a little different. Rather than travel along traditional online pathways, the attackers commandeered all manner of unsecured Wi-Fi-enabled devices to turn the internet of things into a battering ram. By exploiting the security vulnerabilities of connected gadgets, from fridges to DVRs, the latest attack highlighted the smart home’s Achilles heel.

Major DNS host Dyn told CNBC in October the attack was “well planned and executed, coming from tens of millions of IP addresses at the same time.”

Taking Down Twitter

Why are DDoS attacks so effective? It starts with how Domain Name Services (DNS) work. The DNS operates in many ways like a traffic controller at a busy intersection. When users click a link to a webpage, the DNS directs that user to Twitter. During a DDoS attack, the webpage itself is left unscathed, but all the roads leading to it are jammed with service requests in something akin to rush hour traffic. In effect, users are left stranded on the service highway, their destination in sight but with no means to get there.

As security expert Bruce Schneier explained in a recent blog post, “Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet.”

“These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down.”

Assessing the Damage

The October 21 attack incapacitated DNS providers across the US and Europe. Almost no type of website was spared, from consumer products to real estate listings to news sites. Pinterest, Zillow, Kayak, the New York Times…all found themselves cut off from users as the DDoS ambush spread across the western hemisphere. The entire event lasted for hours, and while the damage hasn’t been fully assessed, the greatest fear is what this level of infiltration means for the future of the internet.

This is because the October attack significantly differed from previous incursions by groups like hacker collective Anonymous. In the past, perhaps one individual website was incapacitated for a short amount of time, like CNN. In this case, the DDoS attack was massive, taking out “a major piece of the internet backbone for the entire morning – not once, but twice.”

“This event was not your conventional DDoS attack,” writes Gizmodo’s William Turton. “Instead, it seems to be the first large-scale attack using IoT devices.”

“Because of the estimated billions of available unsecured IoT devices,” he continues, “these attacks could allow for an unprecedented amount of DDoS power—enough power to take down major pieces of internet infrastructure protected by some of the best DDoS mitigation in the business. That’s exactly what we saw on [October 21].”

A New Era of Threats

Assessing the aftermath of the October attack, Gizmodo writer Turton warns of a bleak future full of political conspiracies and foreign hackers waging online war against their adversaries.

“Details of how the attack happened remain vague,” writes Turton, “but one thing seems certain. Our internet is frightfully fragile in the face of increasingly sophisticated hacks.”

“This could be the beginning of a very bleak future,” he concludes. “If hackers are able to take down the internet at will, what happens next?”

Unfortunately, it’s the smart devices intended to make our lives easier that may pose the biggest threat. A new report by Akamai, a leading content delivery network (CDN) services provider, places the blame squarely on the shoulders of the Internet of Things. While the Akamai report acknowledges that DDoS attacks decreased by 8% in 2016, the number of mega attacks – attacks that consume over 100 Gbps of bandwidth – increased by 58%, and it’s smart devices that are enabling hackers to harness this bandwidth.

Smart Things Security

To keep a home network clean and secure, Gizmodo’s Alex Cranz recommends following standard security protocol: change your password and turn on your router’s firewall. Unfortunately, that’s pretty much the entire scope of what consumers can do to mitigate attacks. Cranz points out that manufacturers bear most of the burden of securing their devices and software. Until added levels of security are programmed into smart home appliances, says Blank, “you can expect to see more outages.”

“These devices have all become increasingly popular over the last five years,” writes Cranz, “but the security they employ is too sparse.”

“That leaves them a ripe target for hackers, who can infect them easily and deploy them en masse for gigantic attacks.”

Cosmoso.net, on the other hand, isn’t quite so pessimistic. Pointing out that the October attack focused on one DNS service provider (Dyn), Cosmoso puts the emphasis on centralization rather than integration.

“Today, we saw a great example of the perils of monopolizing the net. A DDoS attack (distributed denial of service) that targeted one of the biggest DNS providers in the country ended up downing the websites of Twitter, Netflix, Amazon, Shopify, Spotify and thousands of other smaller businesses for a good 6 – 7 hours. That sounds scary, for sure. However, the fact that all the services affected were using the same DNS service, Dyn, means that internet businesses shouldn’t all be using the same services to run their websites.”

“Last I checked, the internet is so vast, with literally millions of new websites popping up every day, that it’s not even close to accurate to say that anyone can ‘take down the internet.’ If someone wanted to do that, they’d have to do something a lot bigger than a simple DDoS attack at a DNS provider.”
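
The point about many sites depending on one DNS provider can be checked for any set of domains by grouping each zone’s authoritative nameservers by operator. The following is an added example, not code from the article or from any of the sources it quotes; the zone and nameserver names are constructed under the reserved .example TLD, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: zone -> authoritative nameserver hostnames (NS records).
# All names are made up under the reserved .example TLD.
SAMPLE_NS = {
    "shop.example": ["ns1.dns-a.example.", "ns2.dns-a.example.", "ns3.dns-a.example."],
    "news.example": ["ns1.dns-a.example.", "NS7.dns-b.example."],
    "music.example": ["ns1.dns-a.example.", "ns4.dns-a.example."],
    "blog.example": ["ns1.dns-c.example.", "ns2.dns-c.example."],
}

def provider_of(ns_host):
    """Approximate the operator of a nameserver by its last two DNS labels.

    Assumption: good enough for the sample data; a real audit should use the
    Public Suffix List so names like ns1.host.co.uk are grouped correctly.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def audit(ns_map):
    """Return {zone: sorted list of distinct providers serving it}."""
    return {zone: sorted({provider_of(h) for h in hosts})
            for zone, hosts in ns_map.items()}

def blast_radius(ns_map):
    """Return {provider: zones whose nameservers all sit with that provider}."""
    impact = defaultdict(list)
    for zone, providers in audit(ns_map).items():
        if len(providers) == 1:          # every NS record points at one operator
            impact[providers[0]].append(zone)
    return {p: sorted(z) for p, z in impact.items()}

if __name__ == "__main__":
    for zone, providers in audit(SAMPLE_NS).items():
        status = "SINGLE PROVIDER" if len(providers) == 1 else "diversified"
        print(f"{zone:15} {status:16} {', '.join(providers)}")
    for provider, zones in blast_radius(SAMPLE_NS).items():
        print(f"outage at {provider} alone affects: {', '.join(zones)}")
```

Having several nameserver hostnames is not the same as having several providers: in the sample, shop.example lists three nameservers but all of them belong to one operator.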