Internet of Things Hack Levels Websites
By hijacking internet-connected DVRs, cameras and other devices, hackers are able to power massive web attacks.
Your webcam could be harnessed to do evil. Hackers have found a way to hijack thousands of internet-connected routers, DVRs, thermostats, cameras and other Internet of Things (IoT) devices, enslaving them in so-called botnets to attack websites. Such an attack is called a Distributed Denial-of-Service attack, or DDoS for short, and it happens when software in the co-opted devices simultaneously floods a web server with requests, overloading it until it shuts down.
Last week, the hosting service OVH experienced the single largest DDoS attack ever recorded. More than 150,000 IoT devices, including cameras and DVRs, powered the incident, according to a report at Security Affairs, forcing one terabyte of information per second -- that's 1,000 gigabytes -- down OVH's throat. Not surprisingly, it choked.
The OVH take-down was the latest in a string of IoT-powered attacks that have security experts deeply concerned. About a month prior, cybercrime investigative reporter Brian Krebs had his website knocked offline by a similar offensive. According to a report over at Forbes, the security company protecting Krebs' site, Prolexic, was forced to disconnect KrebsOnSecurity.com after the event. The site is now back up, having been folded into Google's Project Shield service, which is designed to protect activists and journalists from DDoS attacks.
In a darkly ironic twist, KrebsOnSecurity.com broke the news over the weekend that an anonymous hacker had publicly released the source code for Mirai, a piece of malware that continuously crawls the internet looking for IoT devices that can be pulled into botnets. Krebs wrote:
The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
Another program called Bashlight works similarly to Mirai, gaining access to the device through factory default usernames and passwords. The availability of these pieces of malware could allow relatively unsophisticated hackers to pull off similar DDoS assaults with ease.
In an essay on his site, Krebs points out how a DDoS attack is a nefarious method for stifling freedom of speech. Without Project Shield, Krebs might have had to pay upwards of $250,000 annually to protect his website. "Ask yourself how many independent journalists could possibly afford that kind of protection money?" he writes.
Not many. Likely, not anyone.