In late October 2016, a massive botnet made up of smart home devices attacked and knocked out some of the most popular websites worldwide. Are we now at the mercy of fridges, thermostats and your dad's VCR?
A Comment by Felix Hüsken on the World of Botnets
Cyber Attacks 101
The attack (full list of affected websites here) followed a very common scheme. It works like this: when you open this page on your computer or phone, your browser sends a request to the Polis server asking for the latest version of this article. The server can handle only a certain number of such requests at the same time. If it receives far more than that, it can no longer answer them all, and genuine visitors get no reply: to them, the site is down. That is called a denial-of-service attack; when the flood of requests comes from many machines at once, it is a distributed denial-of-service (DDoS) attack. The server reacts much like a professor in a lecture theatre who is asked 300 different questions about an upcoming exam by 300 students at the same time. In the October attack the requests were aimed not at the websites themselves but at Dyn, a provider of the domain name system (DNS) that turns names like twitter.com into addresses. With Dyn unable to answer, browsers could no longer find Twitter, Spotify, Netflix and the others, even though those sites were running normally.
“Fridges, thermostats and your dad’s VCR” – yeah, right…
It is not just phones and laptops that can contact a server via a network. Any computer can reach any other connected computer around the world as long as it has a connection to the internet. And any smart home device can contact a server as well, otherwise you would not be able to control it via an app on your phone. A single computer can, of course, rarely send enough traffic on its own to overwhelm another. For a DDoS to work the attacker must therefore control many devices (the 'distributed' in DDoS) that all request information from the same server at the same time.
How were they able to control enough devices?
Controlling a device means getting past its security measures, which at the very least means knowing a working username and password. Most security breaches are caused by careless producers and users. In this case, a large share of the devices used in the attack were internet-connected cameras and digital video recorders built on boards and firmware from the Chinese electronics manufacturer Xiongmai. They all shipped with the same factory-set username and password. That in itself is not unusual. The problem was that the password was hard-coded in the firmware, meaning a user could not change it: the devices kept accepting the factory login on their telnet service even after the owner had set a new password in the web interface. Not that many users would have changed it anyway, even if prompted. The attackers did not rely on Xiongmai alone; their program tried a short list of a few dozen factory defaults from various manufacturers, and the Xiongmai logins were simply among the most productive. Anyone who has never changed the administrator password on their home router is exposed in much the same way.
The Mirai network
Once the passwords were known, a fairly simple program did the rest: it scanned the internet for devices that accepted telnet connections, tried the list of default usernames and passwords, and on success loaded a small piece of malware onto the device that then took its instructions from a command server run by the attackers. Each infected device also started scanning for further devices with the same default logins. Over time the network, now called Mirai after the malware, grew to hundreds of thousands of infected devices. It was also estimated that a new device with the same default login is infected within five minutes (!) of first connecting to the internet.
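What the scanning described above looks like from the defender's side, as an added example (not code from the original post): a device or honeypot that logs every telnet login attempt sees one source walk through a list of factory defaults within a few seconds, which is exactly the behaviour a human mistyping a password never produces. The script below parses such a log, flags sources that try several distinct default pairs in a short window, and exposes the same check a device owner can run against their own login. The log format, the telnetd process name and the IP addresses are constructed for the example; the credential list is a subset of the roughly 60 pairs carried by the leaked Mirai source (root/xc3511 and root/vizxv are the Xiongmai ones).

```python
"""Spot Mirai-style default-credential probing in telnet login logs.

Added example, not the original post's code. The log format below is
constructed (a hypothetical telnetd that logs every login attempt);
adapt parse_line() to whatever your honeypot or device actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the factory-default username/password pairs tried by the leaked
# Mirai source. root/xc3511 and root/vizxv are the pairs associated with
# Xiongmai-based DVR and camera boards; the rest belong to other vendors.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
}

# Constructed log line format: ISO timestamp, source ip:port, credentials, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login attempt from "
    r"(?P<ip>[\d.]+):\d+ user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>OK|FAIL)$"
)

# Constructed sample: one scanner (203.0.113.7) walking the default list and
# getting in on the fourth try, one legitimate user (198.51.100.20) who
# mistypes once, and one unrelated line the parser must skip.
SAMPLE_LOG = """\
2016-10-21T11:02:13Z telnetd[412]: login attempt from 203.0.113.7:51234 user=root pass=xc3511 result=FAIL
2016-10-21T11:02:14Z telnetd[412]: login attempt from 203.0.113.7:51235 user=root pass=vizxv result=FAIL
2016-10-21T11:02:14Z telnetd[412]: login attempt from 203.0.113.7:51236 user=admin pass=admin result=FAIL
2016-10-21T11:02:15Z telnetd[412]: login attempt from 203.0.113.7:51237 user=root pass=888888 result=OK
2016-10-21T11:05:40Z telnetd[412]: login attempt from 198.51.100.20:40111 user=root pass=Tr0ub4dor&3 result=FAIL
2016-10-21T11:05:52Z telnetd[412]: login attempt from 198.51.100.20:40112 user=root pass=Tr0ub4dor&3x result=OK
2016-10-21T11:06:01Z telnetd[412]: connection from 198.51.100.20 closed
"""


def is_default_credential(user, password):
    """True if a Mirai-style scanner would get in with this pair."""
    return (user, password) in MIRAI_DEFAULTS


def parse_line(line):
    """Return a dict for a login-attempt line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_scanners(lines, window=timedelta(seconds=60), min_pairs=3):
    """Sources that tried at least min_pairs distinct default pairs within window.

    A human produces one or two attempts with the same username; a bot walks
    its whole list in seconds, so the count of distinct default pairs per
    source in a short window is the signal, not failed logins as such.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:          # skip lines that are not login attempts
            attempts[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding time window per source
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            in_window = {(r["user"], r["pw"]) for r in recs[start:end + 1]
                         if is_default_credential(r["user"], r["pw"])}
            if len(in_window) >= min_pairs:
                flagged[ip] = {
                    "default_pairs": len({(r["user"], r["pw"]) for r in recs
                                          if is_default_credential(r["user"], r["pw"])}),
                    "logins": sum(1 for r in recs if r["res"] == "OK"),
                    "first_seen": recs[0]["ts"].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['default_pairs']} default pairs tried, "
              f"{info['logins']} successful login(s), first seen {info['first_seen']}")
```

Run on the sample, only 203.0.113.7 is flagged, with four default pairs tried and one successful login; the legitimate user is never counted because nothing they typed is on the list. The same `is_default_credential` check is the cheapest pre-deployment test a device owner or integrator can run: if the login you are about to expose returns True, the paragraph above tells you how long the device will last on the open internet, and the only fix is a per-device password that the firmware actually honours (or no telnet at all).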
Why policymakers ignore the problem
To put it in a nutshell: it's complicated. First, the current crop of top politicians still feel they are treading uncharted territory on the internet ("Neuland", Angela Merkel's famous description of the internet during the NSA/Prism scandal, in German). Understanding botnets requires far more than a basic grasp of how information systems are built, how the internet works beyond your browser, and how devices are produced. The national cybersecurity strategy is a start.
Second, securing consumer devices requires American brands to work with Israeli researchers and Asian manufacturers. In short: some sort of international agreement would have to be worked out. However, a lot of attacks are state-sponsored. The Stuxnet worm used against Iranian uranium centrifuges was allegedly developed by the US and Israel, and the attack on the US Office of Personnel Management allegedly perpetrated by China. National security interests, short-sighted as they may be, then trump cybersecurity for all. So next time you cannot access your favourite website, the gently humming machine in your kitchen might be the reason.
With this explanatory series, the Polis180 programme on Digitalisation & Data Security aims at building a basic understanding of technology, policy and the interface of both. All four programme areas will provide content in the fields of digital foreign policy, cyber attacks, internet governance and digital economy.
The Polis Blog serves as a platform at the disposal of Polis180’s members. Published comments express solely the authors’ opinions and shall not be confounded with the opinions of the editors or of Polis180. Image: http://bit.ly/2gtUZhd.