
How Hackers Used Smart Household Devices To Launch A Massive Online Attack

By Francis West on 27th October 2016
Filed under: Security

In a worrying change of tactics, hackers have used the ‘Internet of Things’ (IoT) to launch an online distributed denial of service (DDoS) attack on the DNS service ‘Dyn’, with global consequences.

Domestic ‘Smart’ Household Devices Used.

Although DDoS attacks using botnets are certainly not uncommon, the fact that last week’s attack was launched from smart household IoT devices such as CCTV cameras and printers makes it unusual, and a cause for concern.

High Profile Customers of Dyn Among the Millions Affected.

Another reason why this latest DDoS attack received such attention in the media is that some of Dyn’s very large customers, including Twitter, Spotify, and Reddit, were affected or temporarily put out of action. This is because Dyn’s service involves directing users to the internet address where websites are stored, and an attack on Dyn essentially disabled this function.

As well as the high profile names, it is estimated that tens of millions of internet addresses were affected in the attack, which meant that the hackers were able to use household devices to cause a disruptive event on a global scale.

How Could Household Devices Have Been Used?

Security experts have said the common denominator in this case is that the household devices used were likely to have been made in China, where they would have been given usernames and passwords that could be easily guessed but were difficult for the user to change.

This vulnerability meant that malware (possibly ‘Mirai’) was used to scour the web for IoT device targets, and then to mobilise them into a giant ‘botnet’ of devices that were all instructed to send requests to the target Dyn servers. The sheer volume of requests from the devices overwhelmed the servers, thereby causing the disruption to the service.

What Does This Mean For Your Business?

Fears about the IoT being used in this way have been expressed for some time, and it seems that cyber criminals have found a way to harness the power of the IoT for harm on a grand scale before business has been able to harness its potential in a productive way. Many smart IoT devices are used in businesses, and this attack shows that they are another vulnerable area that businesses may need to find an effective way to protect. Changing default passwords can help.

There is also a free online IoT Scanner available (from BullGuard) that can check if your internet-connected devices are accessible to the public on Shodan (a search engine for the Internet of Things) and therefore whether they are vulnerable to hackers.

There is also a free guide (pdf) to the IoT here.