Internet-destroying outages were caused by "amateurish" IoT malware

Some of the internet's most popular, well-defended services -- including Twitter -- were knocked offline yesterday by a massive denial-of-service attack that security experts are blaming on botnets made from thousands of hacked embedded systems in Internet of Things devices like home security cameras and video recorders.

The attack follows a disturbing pattern: in late September, internet security journalist Brian Krebs faced one of the worst denial of service attacks in history, apparently launched in retaliation for his coverage of a couple of petty crooks from Israel who ran a DoS-for-hire service. The attack originated from IoT devices that had been infected by the Mirai botnet, whose sourcecode was dumped shortly thereafter, revealing it to be a "clumsy, amateurish" piece of code that only succeeded because IoT devices have security that's so bad that it can only be called negligent.

Within a week of the Mirai sourcecode dump, rival Mirai-based botnets were racing to take over as much of the IoT's millions of embedded systems as they could find, eventually reaching devices in every country in the world with reliable electricity and internet service.

The Krebs attack hit 620 Gbps, the kind of traffic floods normally associated with state actors. They came days after security expert Bruce Schneier revealed that he'd been confidentially apprised of attacks seemingly designed to calibrate a weapon that could shut down the entire internet, presumed to originate in China.

Level 3 CSO Dale Drew says that the attack only used "about 10 percent" of the half-million Mirai nodes available (a number that continues to grow). These devices are not designed to be easily updated in the field, meaning that even if security in future versions of IoT products is improved, the existing dumpster fire of the installed base of Internet of Shit devices will continue to rage, finding and infecting every last Mirai-vulnerable device and recruiting it into a virtually unkillable source of attacks on critical infrastructure.

The Wikileaks Twitter account sent out a message blaming its supporters for the attack, implying that it was in retaliation for the Ecuadoran embassy's shutdown of Julian Assange's internet link, a measure Wikileaks blames on pressure from the US government after the dump of transcripts of Hillary Clinton's speeches to the finance industry, though Ecuador says it took the measure of its own accord.

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage [Brian Krebs/Krebs on Security]

WikiLeaks Supporters Likely Behind Massive Internet DDoS Attacks, Assange Possibly In Danger [Marco Chiappetta/Hot Hardware]

Blame the Internet of Things for Destroying the Internet Today [Lorenzo Franceschi-Bicchierai/Motherboard]

(Image: Level 3)

Notable Replies

  1. This is why we can't have nice IoTs.

  2. Nearly everything I do relies on the internet in one way or another. Still I hope this dumpster fire burns long and hard. I hope it will help people get a better feel for how important the internet and the surrounding legislation is.

    My only fear is that the coming legislation will be as clumsy, short sighted and useless as the European cookie laws.

    Edit: and with a bit of luck it will even motivate us to start working on some much needed decentralization!

  3. Just a taste of the future, I'm afraid. Just wait until your IoT fridge holds your food hostage unless you fork-over some bitcoin.

  4. That's when my IoT fridge will meet my absolutely-not-IoT sawzall or angle grinder. Brute force works in real life, too.

    Seriously, though: I can barely find any IoT devices that make any degree of sense to me at all. My light bulbs don't need wifi. My tea kettle doesn't need wifi. Are there that many people that believe otherwise?
    Apparently there are, given the (growing) size of that industry.

  5. "Open the refrigerator doors please Hal."

    "I'm afraid I can't do that Dave. You're on a diet. This conversation no longer serves a purpose. Goodbye Dave"


    Edit: autocorrect error from my "smart" device fixed.

Continue the discussion

43 more replies