We broke the internet!

Not the IOT devices!!

The time map of the internet outage on 10.21.16 Source: Gizmodo

Roughly two weeks back, there was a massive internet outage. To go a little into details, a major part of the USA and a bit of Europe was not able to access a huge chunk of internet because Dyn, the company providing the DNS service was taken down by a massive DDoS attack.

This is the largest attack the world has ever seen. Bruce Schneier warned recently that someone is actively learning how to take down the internet. Source code of ‘Mirai’, the script used to launch the historically large 620 GBPS DDoS attack on krebsonsecurity.com is released online. Why would anyone release such a powerful thing for free? Kerbs says, some one is planning on spreading the DDoS disease and selling the cure.

Our world economy runs on internet, its a critical piece of infrastructure. Hackers carried out an attack of this scale by infecting thousands of insecure IOT devices left open on the internet. Using these compromised devices, they sent millions of requests per second to the servers till they melt. Now you don’t need a large network of computers to launch massive attacks. You can outsource it to these cheap, massive, omnipresent IOT devices.

I had a look at the source of “Mirai”, the script used in launching the attack. One of the interesting things I found is this.

you don’t need to know programming to understand this. do you ?

“Mirai” is basically trying out a combination of few usernames and passwords. Once any of these combinations match, it can login to the device, infect and use that device as part of its “botnet” to launch the attack. It’s that simple. Now the scary part is, these devices are in millions ranging from your security cameras to DVRs. Out of these at least a few thousands will match the defaults.

So, we, the end users of these IOT products are more responsible for the mishap than we think. Our ignorance or laziness to do the basic things like changing the default username and the password is the major advantage for the hackers.

Right now we have only few devices online. We are bringing in more and more daily, ranging from bulbs to refrigerators and cars. We are wearing some and even ready to go a step further and implant a few. A simple google search will reveal so many of these. So, in future there gonna be more rouge devices coming up online without built-in security.

Users have to become vigilant. To start with there are a few things we can do to secure our collective digital lives…

• Educate your self about the devices and their security implications. Its easier said than done. There is no right answer to it. But, we need to take bake steps in getting ourselves equipped with enough knowledge.
• First thing, be it any device, don’t bring it online if it does not needs to be. Just because there is an option don’t hook it to the internet and leave it. However secure the system is, hackers will be able to crack it down. They are a crazy bunch with lot of patience and time on their hand.
• If you have to bring them online, make sure they have the necessary security built into and you have followed all the necessary steps to harden it.
• Put pressure on the government to come up with more stringent security measures for the whole industry.
• Make corporations more responsible for the security aspects of the products they are manufacturing.

Once a wise man said, “With Great power comes great responsibility”. We have to educate ourselves to control these so called powerful smart devices and use them wisely. Let’s take responsibility of our devices and their online presence.