Hackers used “smart” home devices connected to the internet as weapons in the cyber-attack against internet performance company Dyn, security experts said.
Security specialists believe the Friday distributed denial-of-service (DDoS) attack, which shut down popular websites such as Twitter, Spotify, Netflix, Reddit and Amazon, was carried out using CCTV video cameras, digital video recorders and other similar devices.
Security firm Flashpoint confirmed the attack used “botnets” of devices infected with a form of malware known as “Mirai”, drawn from the “Internet of Things” made up of various internet-connected home devices, according to the BBC.
“Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate genuine visitors or users,” cybersecurity expert Brian Krebs wrote on his blog.
Allison Nixon, director of research at Flashpoint, told Krebs the majority of the devices involved in the attack on Dyn were digital video recorders and IP cameras made by Chinese company XiongMai Technologies.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said.
Krebs, whose website was targeted by a similar attack in September, said the XiongMai devices are “essentially unfixable” and will remain a danger to others unless they are totally removed from the internet.
“The issue with these particular devices is that a user cannot feasibly change this password,” Zach Wikholm of Flashpoint said. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
Security firm Flashpoint confirmed a form of malware known as Mirai was used to hack products made by Chinese company XiongMai Technologies. The devices feature factory-default usernames and passwords that cannot be changed, making them vulnerable to being hacked and used to hurl junk traffic in order to shut down online services. Any number of home devices could be used in such attacks – so long as they’re connected to the internet.