Dyn, Krebs, and Mirai Botnet – the IoT Pandora’s Box is Open, Now What?

Businesses now risk disruption from attacks by a minion army of “smart” IoT devices through DDoS attacks like those experienced by Dyn last Friday, and Brian Krebs in late September. The Mirai IoT botnet made these attacks possible and, because its source code was recently released into the wild, it will likely be used against other companies.

In the Dyn attack, an estimated 50,000 IoT devices directed junk Internet traffic through tens of millions of IP addresses and focused it on the servers of Dyn, overwhelming them and knocking them offline for much of the day. This DDoS attack on Dyn came in 3 attack waves and disrupted the business of the companies that relied on it for their DNS services, such as Twitter, Amazon, Netflix, Reddit, and Spotify. One can only guess at the amount of money lost because of this attack, but it is certainly a lot.

The minion army of easily controllable IoT devices is what made this DDoS attack so easy. Those used in the Dyn attack were primarily DVRs and webcams, cheaply made, with factory default usernames and passwords baked into the firmware that could not be changed. To make these IoT devices “smart,” they are connected to the Internet, which means they can receive and send data. The Mirai botnet was able to scan the Internet in search of these devices and, because they still had their factory default usernames and passwords, take control of them and use them for its malicious purposes.
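The paragraph above describes the mechanism from the attacker's side: devices exposed to the Internet, still using vendor default logins, found by mass scanning. From the defender's side, the same mechanism leaves a recognisable trace in the device's own login log: many distinct sources trying the same default usernames, and occasionally succeeding. The following is an added example, not code from the post or from any of the companies or products mentioned; the log format, hostnames, addresses and the list of default usernames are all constructed placeholders, so the regular expression and the username set would need to be adapted to a real device's log format and a real vendor's documented defaults.

```python
"""Flag IoT devices whose management login is being probed with default usernames.

Added example for illustration; the log format and every value below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on a small Telnet daemon's auth log.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z dvr-01 telnetd[412]: login failed for user 'root' from 198.51.100.7
2016-10-21T11:10:02Z dvr-01 telnetd[412]: login failed for user 'admin' from 198.51.100.7
2016-10-21T11:10:05Z dvr-01 telnetd[413]: login failed for user 'root' from 203.0.113.22
2016-10-21T11:10:09Z dvr-01 telnetd[414]: login succeeded for user 'admin' from 203.0.113.9
2016-10-21T11:10:15Z dvr-01 telnetd[415]: login failed for user 'root' from 192.0.2.88
2016-10-21T11:11:40Z cam-07 telnetd[120]: login succeeded for user 'operator' from 192.0.2.5
2016-10-21T11:12:00Z cam-07 telnetd[121]: login failed for user 'root' from 198.51.100.7
"""

# Hypothetical placeholder set; a real deployment would fill this from the
# vendor's documentation for each device model it owns.
DEFAULT_USERNAMES = {"admin", "root", "user"}

# Matches the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, min_sources=3):
    """Return {host: [reason, ...]} for hosts that look like Mirai-style targets.

    A host is flagged when default usernames are tried from at least
    `min_sources` distinct addresses (mass scanning), or when any login with
    a default username succeeds (the credential was never changed).
    """
    per_host = defaultdict(lambda: {"sources": set(), "default_logins": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in DEFAULT_USERNAMES:
            continue  # unparseable line, or a non-default account: not of interest here
        entry = per_host[rec["host"]]
        entry["sources"].add(rec["src"])
        if rec["result"] == "succeeded":
            entry["default_logins"].append((rec["user"], rec["src"]))

    findings = {}
    for host, entry in per_host.items():
        reasons = []
        if len(entry["sources"]) >= min_sources:
            reasons.append(
                f"default usernames tried from {len(entry['sources'])} distinct sources"
            )
        if entry["default_logins"]:
            reasons.append(f"successful default-username login(s): {entry['default_logins']}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

In the constructed sample, `dvr-01` is flagged on both counts (four distinct sources and one successful `admin` login), while `cam-07` is not: its only successful login is for a non-default account, and a single failed `root` attempt is below the threshold. A successful default-username login is the finding that matters most, because it means the device is exactly the kind of unit the post describes, and the only remediation is to change or disable the account or take the device off the Internet.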

The problem now is that there are millions and millions of similar IoT devices out in the digital wild that have been manufactured as cheaply as possible and are now incapable of being secured. The IoT Pandora’s Box has been opened, and if there is one thing we know from experience, it is that once hackers see that a method of attack is successful, many others will try to exploit it.

A year ago we were worried about the privacy implications of people hacking webcams; now, we have to be concerned about webcams attacking us. Who should be responsible for cleaning up the mess created by having all of these potentially harmful IoT devices out in the digital wild? Worse, since they are oftentimes manufactured by Chinese companies, as those used in the Dyn attack were, how do you hold the manufacturers responsible? How do you get control over this problem going forward?

These are questions that do not yet have answers. But, as we all know, oftentimes figuring out what the issue is can be much of the battle.

What do you think? Leave a comment and let me know.

Here is an excellent explanation of the Dyn attack by ISACA’s Sr. Cyber/Information Security Manager, T. Frank Downs, with whom I had the pleasure of visiting last week in Las Vegas:


Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
