Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Insecure IoT Devices Were Hacked in Major Internet Outage

Insecure IoT Devices Were Hacked in Major Internet Outage

Lire ce contenu en français

Repeated DDoS attacks on Dyn, a company providing core services for Twitter, Reddit, PayPal, and other sites, caused major Internet outage between approximately 11AM UTC and 6PM UTC on October 21th, 2016. According to security firm Flashpoint, the attacks were built at least partially on the backs of hacked IoT devices.

Security expert Brian Krebs cited Flashpoint’s director of security research, Allison Nixon, as saying that at least part of the attack was launched by a Mirai-based botnet, an hypothesis which is also backed by Dale Drew, chief security officer of Level 3.

Mirai is a malware used to launch a 620 Gbps DDoS attack on Krebs’ website just one month before the attack on Dyn. Mirai tries to infect IoT devices by using brute force to exploit weak passwords and has been open sourced by its creator earlier this month. Analysis of Mirai source code has revealed that its bot part is written in C, while the command & control part is written in Go. Additionally, the password dictionary it uses for each targeted manufacturer, as well as a list of ignored IP ranges are all known. Interestingly, once Mirai hijack a device, it tries to eradicate any other malware that may be running, in an attempt to maximize the attack potential of the device and to defend itself from other malware that might be trying to do the same.

According to Nixon, at least one botnet used for the attack on Dyn was mainly made of compromised DVRs and digital camera by XiongMai Technologies, a Chinese OEM. It is still not clear whether other botnets took part to the attack.

One of the issues with Mirai is that users are usually not aware of SSH and telnet services running on their IoT devices. Additionally, remarks Will Dormann, senior vulnerability analyst at the CERT Coordination Center, often vendors do not make it easy for users to change those passwords. This means, as Krebs stressed, that until there is a global effort to recall all of the insecure devices, there will be millions of them that can be easily abused in attacks of the same kind.

Rate this Article