Indeed, the conclusion of analysts is that the attack was most likely carried out not by a hostile nation state or sophisticated cyber criminals looking to extort money from large websites, but by “script kiddies” who used the Mirai malware source code after finding it posted publicly on the website Hackforums.
And this latest attack confirms that a massive compromise of those devices is not just a threat to the individual owners, but to the entire structure of the Internet. While laptops have been used to create botnets for years, IoT devices are much more attractive, since there are so many more of them, and many of them are on all the time.
Reportedly, webcams and DVRs were the main devices used in this attack. But other IoT devices range from toasters to alarm clocks, pressure sensors, valves, thermostats, light bulbs, refrigerators, door and window locks, vehicles, printers and medical devices, on up to the power grid. They’re all called “smart.” But they have not been built smart enough to protect themselves and their owners.
Current estimates are that there are somewhere between 13 billion and 18 billion IoT devices now in use.
Still, while security experts are not surprised, others apparently are. US Sen. Mark Warner (D-Va.), cofounder of the Senate Cybersecurity Caucus, sent a letter last week to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center (NCCIC), expressing alarm at the Dyn attack and calling for everything from government alerts to retailers and consumers about insecure IoT devices (which would include most of them) to keeping insecure devices off the internet by denying them IP addresses.
Warner’s staff said he was unavailable, and declined to comment on why such a letter wasn't sent years ago.
There were also calls from several Silicon Valley-based cybersecurity venture capitalists for IoT devices to use standardized encryption and other security measures.
Bob Ackerman, founder and managing director of the cyber venture capital firm Allegis Capital, acknowledged that exhortations like these are late in coming. But he said some of it is simply due to human nature – until something catastrophic happens, people are in denial.
After an attack like this, “people come to life in feigned indignation,” he said, acknowledging that since the attack was so predictable, “the outrage is misplaced.”
But he said an attack of that scale might have the benefit of finally awakening a push for better IoT security. “One of the fundamental challenges is that they (IoT devices) are designed to be functional, at price points that limit the capability to be updated in the field. And that is a minefield of massive proportions.”