Last week’s massive distributed denial-of-service (DDoS) attacks, which made popular websites and services inaccessible to users across the East Coast and elsewhere, have since led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.
In fact, the attack against DNS provider Dyn, which happened just six days ago, has already become the most talked about target tied to “service interruption” in all of 2016, according to SurfWatch Labs’ data.
Friday’s DDoS attack against Dyn is concerning for several reasons. First, reports have claimed the attack reached 1.2 terabytes per second. If true, that would make it the largest DDoS attack ever. Second, Dyn confirmed yesterday that the Mirai botnet was a primary source of malicious attack traffic. The source code for that botnet was made public earlier this month, and last week Level 3 Threat Research Labs said that the number of Mirai bots it had observed had more than doubled since the code was released. Finally, some researchers have claimed the attack was carried out by amateur hackers, not sophisticated state-sponsored or financially motivated actors.
That combination suggests that more attacks like the one against Dyn will occur in the future, adding to a trend that SurfWatch Labs has observed throughout the year of increased evaluated intelligence around the service interruption tag.
The Mirai-driven attacks have also made one company the face of the Internet-of-Things problem, unfairly or not: XiongMai Technologies.
XiongMai Technologies is a Chinese electronics company that makes products used in a variety of brands, including DVRs and cameras tied to the recent DDoS attacks. XiongMai said on Monday that it would issue a recall of some of its U.S. products, although it’s unclear how successful that recall will be.
Like Yahoo, Wells Fargo and other companies tied to major cyber incidents this year, XiongMai Technologies and manufacturers of Internet-connected devices have now moved onto the radar of politicians and regulators. On Wednesday, Virginia Sen. Mark Warner sent letters to the Federal Communications Commission, Federal Trade Commission and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center about his “growing concern” over the “unprecedented” volume of DDoS attacks driven by the Mirai botnet exploiting connected devices.
“[O]ver 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software,” Warner wrote. “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”
The letter continued: “DDoS attacks can be powerful tools for censorship, criminal extortion, or nation-state aggression. Tools such as Mirai source code, amplified by an embedded base of insecure devices worldwide, accomplish more than isolated nuisance; these are capabilities – weapons even – that can debilitate entire ranges of economic activity.”
Warner provided a list of questions on how to potentially deal with the issue of insecure Internet-connected devices, including ways to make consumers more aware of the risk, trying to work with ISPs to designate insecure devices and deny them connections to their networks, and establishing and enforcing minimal technical security standards.
“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” Warner said.
Being thrust into the spotlight is an unusual situation for XiongMai, a company whose brand tends to remain behind the curtain of its “white label” products, which are sold and then incorporated into other brands’ offerings. Accurately gauging the potential fallout to companies such as XiongMai is difficult, but it’s safe to say that no company wants to be referenced, even indirectly, as the poster child for “cheap, insecure” devices. However, the recent DDoS attacks powered by the Mirai botnet — against Krebs on Security, OVH and now Dyn — are quickly on their way to becoming the most discussed cybersecurity stories of 2016, and XiongMai and other manufacturers of connected devices are along for that ride.