Dyn Attack Carried Out Using Malware Which Turns Home Gadgets Into A Cyberweapon

Everything you need to know, and how to protect your home.

A major cyberattack took place over the weekend, it was targeted at a company called Dyn and while you’ve probably never heard of them until now, the likelihood is that you felt the effects.

The attack knocked out Spotify, Twitter, Amazon and even Netflix for hours with huge outages reported on a global scale.

For many security companies it’s their worst fears realised as it marks the first major instance where hackers have taken control of our smart home gadgets, and used them as a weapon.

PHOTOGraphicss via Getty Images

So what actually happened?

It was something called a Distributed Denial of Service Attack (DDoS), where hackers overload a website’s servers by sending unimaginably large amounts of traffic at it.

A great example is when you buy Glastonbury tickets: Every year the site crashes and ceases to function. It does this because there are more people trying to access it then can be managed.

In a DDoS attack, hackers will drive traffic like a battering ram towards the intended site and in doing so slow it down to the point of being useless.

To do this hackers will normally use either their own computing power or enlist other computers to send traffic by illegally taking them over with viruses.

This wasn’t a normal attack though, the scale of it was enormous.

To do this hackers utilised a powerful new piece of malware called Mirai. Mirai is incredibly dangerous for one simple reason, which is that it takes advantage of the Internet of Things.

There is a rising popularity to own 'Smart Home' gadgets such as this Family Hub fridge from Samsung.
There is a rising popularity to own 'Smart Home' gadgets such as this Family Hub fridge from Samsung.
Bloomberg via Getty Images

So many household items we own now use the internet in some way: smart fridges, security cameras, baby monitors and even your washing machine.

Very few of these devices are really that protected, so what Mirai does is hijack them and start forcing them to send huge volumes of traffic to the target.

Why were so many websites affected?

What happened this weekend was different to normal DDoS attacks. Normally criminals or state-backed hackers will target a single company or organisation.

In this instance, the attackers went after a company called Dyn, a DNS provider which effectively acts as the switchboard for many of the world’s biggest tech companies.

When you type in Twitter.com, Dyn is there making sure you end up going to the right site.

Unfortunately this makes Dyn an incredibly lucrative target, because if you hit the switchboard, then all the sites go down. This is one of the first times that an attack has been carried out in this fashion.

How can you protect yourself?

The truth is you won’t be able to stop hackers from knocking out Twitter or Spotify using DDoS attacks. What you can do though is both slow them down and also protect your home gadgets from being turned into a cybercriminals newest toy.

Here are 7 great tips from Chester Wisniewski at Sophos Security on how to protect your home:

  1. Many smart things support Wi-Fi so that you don’t have to plug them into your smartphone or computer every time you want to use them. If your home Wi-Fi router allows you to create separate guest networks to keep untrusted visitors off your regular network, make a special guest network for your “things” and connect them there.

  2. Many devices, such as video cameras, try to talk to your router to open up inbound holes so they can accept connections from outside. This makes it easier to access them from the internet, but it also exposes your devices to the rest of the world. Turn off Universal Plug and Play (UPnP) on your router, and on your IoT devices if possible, to prevent this exposure. Don’t assume that “no one will notice” when you hook up your device for the first time. There are specialised search engines that go out of their way to locate and index online devices, whether you wanted them to be found or not.

  3. Keep the firmware up to date on all of your IoT devices – patching is just as important as it is on your PC. It can be time consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer’s website twice a year? Treat it like changing your smoke detector batteries: a small price to pay for safety and security.

  4. Choose passwords carefully and write them down if needed. Complexity is important, but so is uniqueness. Many IoT devices have been found to have bugs that let attackers trick them into leaking security information, such as giving away your Wi-Fi password. Remember: one device, one password.

  5. Favor devices that can work without the cloud. IoT “things” that require a cloud service are often less secure, and potentially give way more information, than those you can control entirely from within your home. Read the packaging carefully to determine whether permanent internet access is needed for the device to function. If it’s “all-or-nothing,” then you can’t try out the device on your own network first.

  6. Only network devices as much as you need to. If all you want from your TV is to watch broadcast television, you don’t need to connect it to the network at all. If you only want to control it or stream to it from your home network, it doesn’t need access to or from the outside. Eliminate unnecessary internet connections when possible.

  7. Don’t take your IoT devices to work or connect them to your employer’s network without permission from IT. Insecure devices could be used by attackers as a foothold into the organisation, and used to assist with data stealing and illicit surveillance. You could put your company and your job at risk.

Best Password Managers:

1Password is the 'Swiss army knife' of the group. It'll run on almost anything. It's also one of the easiest to use as well thanks to an ultra-simple interface. Rather than using autofill, 1Password uses extensions in Chrome, Firefox and Safari which gives you quick and easy access to your vault on any of your computers. The iPhone app uses Touch ID. This is a great all-rounder for the single user who just wants a complete solution.Price: $49.99 (Single license)
DashLane is the team player out of the three options here. Offering a similar user interface to 1Password, Dashlane is simple to use and powerful to boot. If you run a small business or even a big business however then this could be the service for you. With variable sharing options you can send passwords to colleagues that also have Dashlane while keeping the password secure even from them. All they have to do is accept, and the app will log them in to the service without them ever having to see the login credentials. It'll work on iOS, Android, Mac and Windows.Price: $39.99 per year.
LastPass may be last on the list but it's definitely not the least. This is the veteran password manager and as such has the most features. It'll run on every platform and through every site, it's also customisable to a professional degree with support for biometrics and almost any other authenticating technology you can think of. It may be a little more complex to use but once it's set up LastPass is arguably the most flexible in terms of creating a service that you want.Price: $12 per year

Before You Go