Security expert Brian Krebs says the Internet of Things is to blame.
For hours yesterday, a slew of major websites — including Reddit, Twitter and Amazon, not to mention multiple Vox Media sites — were inaccessible to much of the United States and parts of Europe.
You may have already heard that this was the result of a massive “denial of service” attack, a well-established practice where attackers flood a target with so much fake traffic that real people can’t get in. But what’s unusual here is that Friday’s attackers were not focused on those specific sites, but rather on Dyn, an organization that helps other companies reroute their web traffic.
And adding to the weirdness: Your home security camera might have been partially responsible.
Security expert Brian Krebs has an excellent detailed breakdown of the outage on his website, but here’s the short version: That fake traffic has to come from somewhere.
According to several security firms, the attackers were using a type of malware that enlists insecure Internet of Things devices — reportedly, cameras and DVRs with components from the Chinese firm XiongMai — to do their bidding. Those devices, Krebs writes, could be turned into a zombie army even if their users had supposedly set a custom password to protect them:
That’s because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called “Telnet” and “SSH.”
Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).
Krebs concludes that these insecure devices won’t be fixed unless a global recall to prevent them from connecting to the Internet. And this warning comes as the cost of stuffing web connectivity into all sorts of devices is getting cheaper by the day.
In other words, unless XiongMai (and anyone else whose components may be at fault here) steps up, this could very well happen again.