Granite Geek: The DDOS Attack on Dyn and the Internet of Things

Oct 25, 2016

Last week, the Manchester-based company Dyn was the subject of a DDOS cyberattack that brought down major websites like Twitter and the Boston Globe for several hours. It’s the kind of attack that can essentially hijack devices connected to the internet and turn them all against a specific target.  And it can happen again.

For more on this we turn to David Brooks. He’s a reporter for The Concord Monitor and writer at Granitegeek.org and a regular guest here on All Things Considered. He spoke with NHPR’s Peter Biello.

Give us a brief overview, if you could, of how a DDOS or distributed denial of service attack, happens.

The name actually kind of explains it. It’s a distributed attack, which means it comes from lots and lots of places at once. In the case of the attack that hit Dyn, it was really big. We’re talking about millions, maybe even tens of millions of different sources, different IP addresses.

It’s a denial of service attack, which basically floods you. It’s the equivalent of somebody sending you so much spam in your inbox that you can’t even open it anymore. It denies them the ability to provide services by overwhelming services.

And these tens of millions of computers that overwhelm, they don’t do it knowingly. They have software that enables someone to operate them knowingly. So it could be one person that targets a specific thing.

It could be one person, an organization, multiple organizations, it could be gangs or Russians or a smart, bored teenager [who has been spending] time sticking these packages into the “internet of things” which is where this gets particularly alarming.

Why?

The internet of things are like web cameras or smart thermostats or even some medical devices—actual objects that are connected to the internet that can send information out to the internet and can take information in.

If you get software snuck onto these devices—say, if it’s a thermostat that’s supposed to tell your smartphone what the temperature is at home, but instead you’re telling the thermostat to send a DDOS attack somewhere.

So essentially you’re saying that someone—a bad actor, a hacker—could gain control of something like a dialysis machine and say to someone who is using that machine, “Give me X amount of money in whatever currency, Bitcoin, whatever, or I will turn off your dialysis machine.”

That’s the real scary possibility. Obviously that’s not what happened here. I’m not sure there are dialysis machines are on the internet. I was thinking of insulin pumps or an implanted heart monitor. There’s actually a lawsuit about this, where they’ve been hacked. They send signals back and forth to the doctor so the doctor knows how your heart is doing.

The possibility exists down the road that these bad guys can say—it’s called “ransomware.” That’s  software that can hold you for ransom. There’s ransomware that can lock down your computer.

There’s no reason that there couldn’t be ransomware in the internet of things which says that, if you ever want your networked washing machine to work, give me five Bitcoin, or give me ten Bitcoin or I’ll make your insulin pump kill you. That hasn’t happened that we know of but that’s the sort of alarming possibility that has many people worried.

So is preventing these attacks simply a matter of fixing software, or is there some other kind of societal change that we may need to make to prevent these attacks?

Well you can’t just fix software because there are too many different kinds from too many different companies, some of which have gone out of business. It’s already complicated.

There are standards that can be developed for security systems to be integrated. There are certainly things that can be done to lessen the impact but the problem is already out there and we need to work on it fast, before it gets worst.

Frankly, the severity of the attack on Dyn—Dyn is easily the hottest tech company in New Hampshire and they’re very well-respected and the fact that they were taken down shows just the size of the attack. Nobody was surprised that a DDOS attack on a network provider like Dyn, but the size and the ferocity of this one was a surprise and it just shows how bad the situation already is.

Is this just something we’re going to have to get used to—the possibility that this could happen at any time?

For me, I like to avoid network devices. I’d never get a networked thermostat. The possibility of being able to turn up or down my thermostat on my smartphone is not worth the potential problems that could come with it being on the internet. My assumption is that it’s probably not secure enough. It’s a tradeoff I would never make.

So yeah, we’re going to have to live with it, and talk to our legislators at times and say, “What are you going to do about it?” and be a smart consumer as much as possible.