A Chinese electronics manufacturer admitted that its products inadvertently contributed to last week’s massive cyberattack that knocked popular Web services offline.
On Friday, a number of major sites—Twitter, Etsy, GitHub, SoundCloud, Spotify, Shopify—experienced outages as the result of a DDoS attack on DNS provider Dyn. One big part of the problem: the Mirai botnet, which scours the Web for poorly protected IoT-connected devices and enlists them to overwhelm a target with online traffic, causing an outage.
“We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack,” Dyn said in a statement.
In this case, a Mirai-based botnet latched onto hacked DVRs and IT cameras made by Hangzhou Xiongmai Technology, which used weak factory-default usernames and passwords to safeguard its products.
“Mirai is a huge disaster for the Internet of Things,” the Chinese firm told Computerworld. “[We] have to admit that our products also suffered from hackers’ break-in and illegal use.”
Xiongmai patched its flaws in September 2015, the company told Computerworld. Its devices now ask customers to change the default password upon first use, but products running older versions of the firmware remain vulnerable. As a result, they should update and change the default username and password. Folks can also disconnect the gadget from the Internet altogether.
Xiongmai Technology did not immediately respond to a request for comment.
Friday’s disruption “globally might be the beginning of a new era of Internet attacks conducted via ‘smart’ things,” Chester Wisniewski, principal research scientist from Sophos, said in a statement. “Clearly they aren’t as smart as we think, if they can be so easily commandeered by random deviants from the Internet to impact major services like Twitter, Reddit, and Spotify.
“There are [tens] of millions more insecure ‘smart’ things that could cause incredible disruptions, if harnessed,” Wisniewski added.
DDoS attacks skyrocketed in 2015, and don’t show any sign of slowing down. Security researcher Brian Krebs last month became the latest high-profile victim when his website suffered “a historically large” raid, which he claimed was revenge for exposing two hackers who provided DDoS services. Now that the source code behind the raid has been released online, Krebs suggested “the Internet will soon be flooded with attacks.”