The biggest story in New Hampshire in the past week, from a certain point of view, was the DDOS attack on Dyn, the domain name service provider that has become such a presence in Manchester’s Millyard. I wrote about it in my column and discussed it on NHPR this week. The column is below, because I don’t want you to miss me reminiscing about being a Monty Python wannabe, but first, a couple of updates:
- Dyn has confirmed that the Mirai botnet was used in the attack.
- A reader pointed out that just because there were tens of millions on files sent to Dyn, that doesn’t mean tens of millions of devices were infected. Many sent multiple files.
- As of this writing, there is still considerable debate over who triggered the attack. Possibilities range from Russia preparing for cyberwar (as in this Slate piece) to a script kiddie (as in this Techcrunch piece).
- For what it’s worth, even federal lawmakers are taking notice.
- Could white-hat hackers stop botnets?
And here’s my column from Oct. 25, lightly edited:
Back in college, my friends and I were besmitten by the Monty Python comedy show on TV, as were half of the undergraduates in America, and we tried to emulate it with skits on the college radio station.
Performances by our group have been lost to time, fortunately, but I do recall one song titled “The Night the Appliances Came Alive.” In it, we warbled about an apocalyptic uprising by household gadgets, with lines like “the toaster chased me down the hall” and the Shakespeare-worthy couplet “the night the appliances came alive / I’m surprised that anyone survived.”
The song was feeble as humor, but it has proved impressive as fortune-telling, because it describes what happened in New Hampshire last Friday: Toasters chased the state’s hottest tech company down the hall, and I’m surprised the internet survived.
Sean Smith of Dartmouth gives me no points for prescience, however, because for years he and many others in the computer field have been warning us to prepare for something like last week’s attack on Dyn of Manchester. The attack, which shut down access to websites like Twitter and the Boston Globe for hours at a time, was a product of flaws in the Internet of Things, which is starting to look more like The Walking Dead.
“We’ve been waiting for it to happen,” said Smith, who is director of Dartmouth’s Institute for Security, Technology, and Society and teaches classes about computer security. “We, as computer scientists, the computer industry and community, have been rushing headlong into putting what are basically small computers connected to the network into all sort sorts of things – cars, Barbie dolls, thermostats, web cameras . . . without making them secure.”
That insecurity allowed somebody to use a fairly straightforward program called Mirai to install malicious software on tens of millions of devices like cameras, printers and routers (maybe even some toasters), creating a vast network of “software robots” known as a botnet. On Friday and Saturday, the botnet was told by unknown perpetrators to flood Dyn with gazillions of bits of internet data called packets, and the deluge repeatedly overwhelmed the company.
Dyn provides domain name services, sometimes called the address book of the internet, to a lot of huge customers. When it was overwhelmed by the distributed denial of services, or DDOS, our computers couldn’t use Dyn’s address book to find those websites anymore. They were effectively knocked off the internet until Dyn could work around the problem.
It’s not clear why Dyn was targeted or by whom, but there’s no reason to think that it couldn’t happen again. That’s bad, but Smith says it can get worse.
“All these devices that are compromised and can be used for traditional DDOS attack on web servers are intimately connected with physical reality, so they can be used not just to attack computer things, but also to attack physical things,” he said. “If they were used to, let’s say, shut down all the heating in large apartment buildings in the Northeast come this winter – well, that would be interesting.”
When a security expert says something is interesting, be very worried.
Worst-case scenarios involve network-connected medical devices that send updates over the internet and can be tweaked online, such as heart monitors (one of which is the subject of a lawsuit over this matter) and implanted pumps. It’s not inconceivable that patients could get an email saying “pay me 10 bitcoin or I’ll tell your insulin pump to kill you.”
It’s easy to imagine other nasty scenarios, too.
Perhaps Eversource could get a text message saying “pay us 10,000 bitcoin or we’ll packet-flood all your substations and leave New Hampshire in the dark.” Perhaps all Teslas will suddenly lose their brakes as part of a Russian cybersquad’s scheme to profit by short-selling the company’s stock. Or perhaps your networked washing machine will go berserk after a neighboring teen gets mad that you cut him off in traffic, because packages like Mirai don’t require a whole lot of hacking skills to be used.
Smith has a book coming out in a month or so discussing this problem, which he titled The Internet of Risky Things.
“A friend of mine joked somebody should write Unsafe at Any Speed for the (Internet of Things),” Smith said, referring to Ralph Nader’s famous book about automotive safety. “I realized that’s sort of what I had done.”
The book isn’t shy about the scope of the problem, to the point that the publishers, O’Reilly Media, were worried it was “too dark.” But Smith also makes a host of suggestions to tackle the problem, including standards and regulations, although none will be easy, cheap or quick because so many internet-connected devices already exist in the world.
Still, says Smith, we need to start. “It won’t be fixable if we don’t try to fix it – if we don’t try, we definitely will have that dark future.”
If you want to see the glass as being half full, perhaps events like the packet-flooding attack on Dyn will even hasten a solution by opening our eyes to the extent of the issue.
If nothing else, I promise it won’t make me try to imitate Monty Python again. Although, come to think of it, you could give “The Lumberjack Song” a botnet twist: “I’m the internet but not okay / My things are all / full of Mirai.”
Hmmm; needs work.