Posted on December 28, 2016 8:53 am

Why it was so easy to hack the cameras that took down the web

If you were anywhere near the internet in the U.S. on Friday (Nov 2016), you probably noticed a bunch of your favorite websites were down for much of the day. Now experts are saying it’s all because thousands of devices – like DVRs and web-connected cameras – were hacked.

Once the hackers had control over these devices, they manipulated them into sending an overwhelming number of requests to a company that serves up the websites for Netflix, Google, Spotify and Twitter. When the traffic became too much to handle, the sites crashed. It was an old-school attack – often called a distributed denial of service attack, or DDoS – powered by the new web of devices called the internet of things or IoT.

Security experts have been warning for a few years that internet-connected devices are susceptible to hacking. They just didn’t know exactly what hackers might do once they broke into your connected television, refrigerator or thermometer, for example. (Other than some disturbing hacks on baby monitors, that is.)

Now we have our answer, and it’s worse than what the experts imagined. Focusing on security cameras and DVRs that record footage in businesses outside of the U.S., hackers created an army of devices to take down large chunks of the internet.

It’s not all the device manufacturers’ fault. Websites and services will have to adapt and do more to prevent attacks like these from being so effective if we want to keep the internet up and running.
Here’s a primer on why the devices are so easy to hack, and how hackers turned them into a zombie army that attacked the internet.

How internet-connected devices are easily taken over

DVRs and security camera are connected to the internet. That’s on purpose, of course. This feature lets users access them remotely, along with anyone else they need to let in. It’s what lets users check in on security cameras when no one’s at home or at a business, and what lets manufacturers update device software without making a house call.

But this feature is also kind of a bug. Devices in the so-called internet of things are stupid-easy to connect to remotely by just about anyone, not just those with whom you want to share access.

If something is connected to the internet, it has an IP address. If something has an IP address, it can be found on search engines like Google and Shodan, a searchable registry of IP addresses with information about the connected device. Hackers can find hundreds or thousands of hackable DVRs and cameras just by entering some search terms. Then, they try to break in…

How hackers can break into your devices

Internet-connected devices often come with default passwords. Think you’re the only one whose username and password are “admin” and “admin”? Many, if not most, device makers don’t require you to set a unique username and password, so many people end up sticking with the defaults.
Hackers can find a list of vulnerable DVRs on search engines and try out that default password. If you never changed it, they’re in.

But even if you do change those defaults, hackers have other options. Advanced methods utilizing services called SSH and telnet let hackers force their way into your device, since changing the password on your device’s web app does not necessarily change the password coded into the device.
So while the camera was storing security video to prevent crime, hackers were quietly brute-forcing their way into the DVR and adding it to their army of attack soldiers.

So how did a camera take down Twitter?

To take over the cameras, hackers inserted Mirai, malicious software that lets bad guys use at least 100,000 devices as soldiers in its zombie army. That’s according to Flashpoint, a cybersecurity company that has been tracking the proliferation of Mirai across the internet of things since it was first used in a massive attack in September.

The technical name for this zombie army is a botnet, and hackers have been making them out of computers for a very long time.

Now that hackers can make botnets out of the internet of things, they have a more powerful tool to carry out attacks like the one that happened Friday. They used the botnet to send tons and tons of junk requests to Dyn, a company that manages web traffic for all the websites that were affected. Dyn couldn’t sort out the good requests from the bad, and as a result internet users in many parts of the US were cut off from a number of websites.

Now you know how an army of DVRs and cameras kept you off Reddit for most of Friday. We still don’t know who the hackers are and what they’ll do next. It also remains to be seen how websites will change their habits to prevent outages like the ones we saw Friday.

As for the manufacturers of internet-connected devices, there has been an interesting development. On Monday, connected-camera manufacturer Xiongmai said it will issue a recall of its devices caught up in the botnet army that attacked Dyn on Friday, according to Reuters.

If more companies follow suit, it might give manufacturers more reason to lock down cybersecurity on their devices before putting them up for sale.