Last October, a virus crippled dozens of websites, including Twitter, Amazon, Spotify and The New York Times. For more than 11 hours, users could not access these sites because the service was saturated by too many devices trying to connect at the same time. The problem is that these devices were not operated by people; they were objects connected to the Internet (televisions, refrigerators, security cameras) that had been infected and were following the orders of a virus. This was the first massive cyber-attack carried out using the Internet of Things.
Step 1. Detecting vulnerable objects
In an increasingly interconnected world, devices with Internet access are becoming more common and more diverse. In addition to computers and mobile phones, we have televisions, coffee makers, fire alarms and smart watches, among other things, that have access to the Internet and make our lives easier, but also compromise our safety if we do not protect them properly. This technological development has opened new avenues of action for cybercriminals, who take advantage of users' lack of security in order to carry out their attacks.
In the case of this massive cyber-attack, the Internet of Things was the key focal point. Instead of infecting computers through e-mail and downloads of malicious programs, as had traditionally been done, hackers detected and contaminated the devices with the weakest antivirus protection in order to gain control of them.
Step 2. Infecting devices with a dormant virus
In order to carry out an attack of this magnitude (the infection managed to saturate a website like The New York Times, an international reference newspaper undoubtedly prepared to deal with millions of simultaneous visits), cybercriminals had to infect thousands of objects and install a malicious file that remained asleep, waiting for instructions to start working. This task takes work and patience: the viruses were designed in great detail to reach the device and wait undetected until the hackers gave the activation order.
Programmer Rob Graham described on Twitter how he tested and verified the operation of this same virus on one of his security cameras. After he installed the camera and connected it to the Web, cybercriminals took only 98 seconds to access and infect it. The speed with which the malicious file acts is amazing, especially considering that, in this case, Graham had taken the precaution of installing a firewall in the camera.
Step 3. Awakening the viruses
Thirdly, the hackers had to awaken all the installed viruses from their state of dormancy so that, simultaneously, each would order its device to access the same server. In this way they carried out a denial-of-service attack (DDoS), which saturates the servers with useless data and so prevents real users from accessing the pages because of bandwidth overload. In this case, the attacked servers were those of the company Dyn, which is in charge of managing the addresses of the web pages.
The computer scientist who did the test with his camera discovered that the virus scanned the device, collected information about the processor and tried to download and install files that could be executed remotely. Presumably, those were the files that hackers activated to give the order to access web pages. While installing harmful files, the virus was searching for new victims by tracking its environment and trying to connect to other nearby objects with access to the Internet. This “army of bots” grows and multiplies day by day.
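The search for new victims described above is something a home or office network can watch for: an infected object suddenly tries to reach many different addresses in a short time, while a healthy one keeps talking to the same few services. The following Python sketch is an added example, not code from the article or from any product it mentions; the device names, addresses, 60-second window and 15-peer threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed connection records: (seconds, source device, destination).
    Addresses come from private/documentation ranges; no real traffic is shown."""
    records = []
    # A television that talks to the same two services for ten minutes.
    for t in range(0, 600, 30):
        records.append((t, "tv", "198.51.100.10" if t % 60 else "198.51.100.11"))
    # A camera that, from t=100, tries a new neighbouring address every 2 seconds.
    for i in range(40):
        records.append((100 + 2 * i, "camera", f"192.168.1.{i + 20}"))
    return sorted(records)

def flag_scanners(records, window=60, max_peers=15):
    """Return {device: time first flagged} for every device that contacts more
    than max_peers distinct destinations inside any window-second span.
    Records must be ordered by time."""
    recent = defaultdict(deque)                      # device -> (time, dst) in window
    counts = defaultdict(lambda: defaultdict(int))   # device -> dst -> hits in window
    flagged = {}
    for t, src, dst in records:
        q, c = recent[src], counts[src]
        q.append((t, dst))
        c[dst] += 1
        # Drop connections that have aged out of the sliding window.
        while q and q[0][0] <= t - window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > max_peers and src not in flagged:
            flagged[src] = t
    return flagged

if __name__ == "__main__":
    for device, when in flag_scanners(build_sample()).items():
        print(f"{device}: unusual fan-out first seen at t={when}s")
```

A device that contacts many peers slowly stays under the threshold, so the window and peer limit need tuning against what the devices on a given network normally do.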
This was a targeted attack on web pages through relatively harmless objects, but through the Internet of Things, cybercriminals could also knock out the servers of critical infrastructure services like an airport, a nuclear power plant or a hospital. “We need systems that defend, in a coordinated way, all the Internet connections of each person, since any device can become a key element to carry out attacks with consequences that could go further than leaving us without being able to listen to music online for a couple of hours,” explains Hervé Lambert, product manager at Panda Security.
Attacks using the Internet of Things are novel, and experts predict that they will grow exponentially as the number of connected devices increases: in 2016 alone there were more than 6.4 billion objects with access to the Web. In fact, the ESET security forum has already established the hijacking of Internet-connected objects as one of the main cyber-threats of 2017.