Insecure IoT Devices Were Hacked in Major Internet Outage

| by Sergio De Simone Follow 17 Followers on Oct 22, 2016. Estimated reading time: 1 minute |

Repeated DDoS attacks on Dyn, a company providing core services for Twitter, Reddit, PayPal, and other sites, caused major Internet outage between approximately 11AM UTC and 6PM UTC on October 21th, 2016. According to security firm Flashpoint, the attacks were built at least partially on the backs of hacked IoT devices.

Security expert Brian Krebs cited Flashpoint’s director of security research, Allison Nixon, as saying that at least part of the attack was launched by a Mirai-based botnet, an hypothesis which is also backed by Dale Drew, chief security officer of Level 3.

Mirai is a malware used to launch a 620 Gbps DDoS attack on Krebs’ website just one month before the attack on Dyn. Mirai tries to infect IoT devices by using brute force to exploit weak passwords and has been open sourced by its creator earlier this month. Analysis of Mirai source code has revealed that its bot part is written in C, while the command & control part is written in Go. Additionally, the password dictionary it uses for each targeted manufacturer, as well as a list of ignored IP ranges are all known. Interestingly, once Mirai hijack a device, it tries to eradicate any other malware that may be running, in an attempt to maximize the attack potential of the device and to defend itself from other malware that might be trying to do the same.

According to Nixon, at least one botnet used for the attack on Dyn was mainly made of compromised DVRs and digital camera by XiongMai Technologies, a Chinese OEM. It is still not clear whether other botnets took part to the attack.

One of the issues with Mirai is that users are usually not aware of SSH and telnet services running on their IoT devices. Additionally, remarks Will Dormann, senior vulnerability analyst at the CERT Coordination Center, often vendors do not make it easy for users to change those passwords. This means, as Krebs stressed, that until there is a global effort to recall all of the insecure devices, there will be millions of them that can be easily abused in attacks of the same kind.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Tools to scan and detect compromised devices. by Richard Clayton

Does anyone know if there is a toolset to scan the network for compromised devices? Myself and others are afraid that we might be contributing to these attacks.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

1 Discuss

Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you