Hacked web cameras enabled cyber attackers to take down multiple high-profile websites

Hacked webcams shut down Twitter and Paypal, sparks IOT concerns

Image credit: Wikimedia Commons

A major cyber-attack that used hacked web cameras and shut down high-profile websites including Twitter, Spotify and PayPal on Friday, has stirred the debate about cyber security of the Internet of Things (IOT) and smart home technology.

The 'denial of service' attack, which affected users on the US-east coast and in Europe, primarily targeted the US domain registration service and infrastructure provider Dyn.

Reuters described the attack as “a stunning breach of global internet stability” and said it alarmed cyber security experts, as it represents the first case when simpler connected devices including webcams and digital recorders have been used to perform such a high-profile attack.

Cyber security experts have been complaining for years about vulnerabilities of IOT devices, smart home technology and the lack of manufacturers’ concern, but until Friday, the issue had been outside the mainstream debate.

The Friday attack, which affected Airbnb, the Verge, Reddit and Amazon among others, exploited vulnerabilities in devices made by Chinese firm Hangzhou Xiongmai Technology. The firm issued a recall of products sold in the USA, but said the issue was mostly due to users not changing default passwords.

“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company statement said.

The company said it will start using stronger passwords and urged its customers to immediately update existing passwords.

There is a growing range of so-called smart products including thermostats, baby monitors and even household appliances that can be connected to the internet. However, while most users would run an antivirus on their computers and phones, few would bother to think about the vulnerabilities of their smart gadgets. Manufacturers usually pay little attention to the problem either.

Frequently, hackers can gain access to devices via unprotected home routers. Home routers in general present another major vulnerability, according to Ondrej Filip, CEO of Czech domain administrator NIC.cz, which carried out a large-scale cyber security research project exploring vulnerabilities of home networks.

“If you look at an average router you can buy from a shop, it comes with firmware that is not designed to ever be updated,” explained NIC.cz CEO Ondrej Filip. “But routers are quite easy to hack and there have been a lot of examples in the past of vulnerabilities that have never been fixed.”

Filip said the firm saw examples of massive cyber-attacks carried out via hacked home routers. The routers, hacked by a massive botnet, were working in sync, trying to guess passwords or sending data packets in a denial of service attack.

At the CES Unveiled event in Prague last week, NIC.cz unveiled what they described as the first hack-proof router designed to protect home networks and devices against cyber-threats.

The Friday attack also exposed the vulnerability of relying on too few domain name service (DNS) providers, which manage internet traffic of its users.

“We have advocated for years for redundancy in your infrastructure,” said Kyle York, chief strategy officer for Dyn, the New Hampshire DNS provider that was attacked on Friday. He further added that clients who used multiple servers “saw less of an impact.”

Using multiple DNS providers can, however, make managing traffic more complicated and costly, experts said.

The perpetrators of the Friday attack are yet unknown.

The Friday attack was carried out via hacked web cameras. Cyber security researcher James Lyne told E&T that hacking a web camera is no big deal: 

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles