Dyn DDoS attack: How hackers may have hijacked your PVR to cripple the internet
The massive cyberattack that resulted in widespread outages for some of the world’s most popular websites Friday was carried out using a network of hacked “Internet of Things” devices, such as webcams and digital recorders.
That’s right, your PVR may have played a part in a massive distributed denial-of-service (DDoS) attack and you would have had no idea.
On Friday, Domain Name Server (DNS) provider Dyn was targeted with a large-scale DDoS attack, knocking its systems offline and causing widespread outages for websites including Twitter, Netflix, Amazon, Spotify and Airbnb. DDoS attacks are often used by hacker groups to bring down websites by flooding the site with requests until its servers crash.
The attack — which is now being investigated by the FBI and the U.S. Department of Homeland Security — was orchestrated by using malware to infect “smart” devices connected to the so-called Internet of Things. Those devices can range from webcams and DVRs to internet-connected kitchen appliances and smart thermostats.
READ MORE: What is The Internet of Things?
Hacker group “New World Hackers” claimed responsibility for the attack on Twitter and claimed that their network of infected devices was used to send 1.2 trillion bits of data every second to Dyn’s servers.
While the hacker group’s claims could not be verified, if true, it would make Friday’s attack one of the biggest on record. According to a report from the cybersecurity firm Verisign, the largest DDoS attack perpetrated during the second quarter of this year peaked at just 256 billion bits per second.
Chinese smart device manufacturer Xiongmai has now issued a recall for some of its products in the U.S. after many of its devices were used in the attack.
According to The Guardian, many of the parts Xiongmai used to build digital surveillance cameras featured little to no security measures, making them easy targets. The company said it would strengthen password functions for its devices and send users a patch for products made before April this year in order to fix some of the security holes.
However, the company said the biggest issue was customers not changing the default passwords for their devices.
How do hackers get into these devices?
Attackers target smart devices by using a piece of computer code that searches for internet-connected devices that use the manufacturer’s default setting.
That means, if you use a web-connected home surveillance camera and you have never changed the password, you may be targeted.
What can you do to protect yourself?
The easiest way to protect your smart devices is to change the admin password associated with the device — and make sure it’s hard to guess (i.e. don’t just change it from “admin” to “password”).
However, some security experts have raised concerns that these devices don’t make it easy for the average consumer to figure out how to change password information.
“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint security expert Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present.”
READ MORE: Connected ‘things’ face hacking on Internet
One thing you can do is change the password on your home router in order to better protect the devices using your home Wi-Fi connection.
“If [the device] connects through your home router, that needs to be properly configured. Changing the default user name and password is a good start,” ESET senior security researcher Stephen Cobb told Global News.
“Using a strong, unique, hard-to-guess password will improve resistance to hacking. But you also need to turn off remote discovery services, something you do with your router’s configuration console.”
You should also make sure your router has the latest firmware update installed — you can check for any updates by going to the manufacturer’s website (Nexus, D-Link, etc) and check for any available downloads.
— With files from The Associated Press
© 2016 Global News, a division of Corus Entertainment Inc.