October 21st, 2016 began as another innocuous day for many, yet ended with one of the largest Distributed Denial of Service (DDoS) attacks ever to be unleashed upon the United States. The route of the attack was unprecedented, however: it came through many of the things we enjoy every day in our modern connected world.
A typical Denial of Service attack, by the most commonly accepted definition, is an attempt to make a machine or network resource unavailable to its intended users, such as by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet. A distributed denial-of-service (DDoS) attack is one where the attack comes from more than one source, often thousands of unique IP addresses. What made this attack unique is the route the attackers used to reach networks.
Many computer and network security experts are specifically concerned with the route and scale of the attack. Although many DoS and DDoS attacks occur every day, the October 21st attack used internet-enabled cameras as the platform for the attack. The vulnerability specifically exploited was manufacturer-set passwords that were never reset by the end user.
Consumers use thousands of devices that are now connected to the Internet, such as cameras, televisions, and the like. Oftentimes, however, manufacturer-set passwords are never changed by the end user, firmware is never updated after the point of purchase and is therefore never patched against newly discovered risks, or firmware is designed without the necessary security mindset and therefore introduces vulnerabilities from the date of manufacture.
Each of these factors has many security experts very concerned. “This is just the beginning … There’s more coming, sadly — perhaps a power plant,” according to Sanjay Sarma, Professor of Mechanical Engineering at MIT, who has done pioneering work on IoT systems. According to Jason Hong, associate professor in the Human Interaction Institute at Carnegie Mellon, “It’s very serious. There are just so many of these devices that are relatively weak and insecure.”
Just how vulnerable is the Internet of Things, or those devices we rely on that are connected to other systems? Consider former Vice President Dick Cheney, whose heart assist device was wireless-enabled: he had this wireless access disabled for fear of malicious hacking and disruption. The U.S. Government acknowledges the threat and has held hearings; however, new devices are still being built, and manufacturers are struggling to guard against this new vulnerability.
Ultimately, the result of this DDoS will be a renewed dialogue between government and private interests to create better tools for passive and active protection against future attacks. Babak Beheshti, Associate Dean and Professor at New York Institute of Technology, summarizes: “If you can find an open port, you can establish communication with any server in a network … but intrusion is much more devastating because you’re inside the network – the damage could be permanent.”
This type of permanent damage is what those involved in network and computer security hope to prevent, especially since this DDoS attack is recognized as only a test fire of malicious programming and vulnerability exploitation, and a much larger, more distributed attack, perhaps on critical infrastructure, is yet to come.