A big cyberattack on Friday impacted Internet service on the East Coast of the United States and kept several high-profile websites offline. Cyber security attacks later in the day were more global in nature. But Oct. 21, 2016, will also be remembered as the day our physical security industry’s legacy of apathy toward cybersecurity came back to haunt us.
Denial of service attack
The cyberattack last week was carried out by a botnet, a network of bots, which are software applications (in this case, computer viruses) that communicate with each other and run tasks automatically over the Internet. Bots can infiltrate unprotected computers and then use the computing power of their “hosts” to carry out various kinds of cyber-attacks on other Internet targets. In the case of Friday’s attacks, a hidden army of bots worked together to bombard various websites with so many bogus requests that the sites became overwhelmed by the volume of traffic and could not respond to legitimate requests. It’s called a distributed denial of service (DDoS) attack.
Because of Friday’s attack, prominent websites such as Twitter, Spotify, and Reddit were inaccessible during periods of time throughout the day.
The problem for our marketplace – and the reason Friday’s attacks will forever highlight our historic apathy toward cybersecurity – is that many of the attacking bots in the scenario above were hosted by IP-enabled cameras and digital video recorders (DVRs). In other words, the bots used the computing power of our industry’s products to launch Friday’s headline-grabbing cyberattack.
Bots can infiltrate a computer or other device without any overt signs of trouble. A DVR, for example, can continue to operate as expected. The owner or operators of the equipment might not even know they have been infected. Because the equipment is still operating, no alarms are raised. The impact is only felt when those hidden bots are called to action (through their connecting network) to launch a cyberattack.
To be fair, cameras and DVRs were not the only devices hosting bots that were involved in Friday’s attack. Home networking gear, routers, phones and other connected (and hackable) devices were also involved. (Cybersecurity is an important consideration in the Internet of Things.)
Mirai Malware Program
Every device hosting a bot in Friday’s attack was infiltrated by a malware program called Mirai. Reportedly only 10 percent of existing Mirai-compromised hosts were involved in Friday’s event. It’s scary to consider how much damage can be done by a mere fraction of the bots out there waiting for their orders to attack. Increasingly, botnets are commodity resources that can be “rented out” by cyber criminals as tools for nefarious purposes.
How did the Mirai bots infiltrate their hosts? One factor was known default or weak credentials. In other words, host devices used their default login information and passwords. Failing to change the login and password when installing an IP camera or DVR was not uncommon in the days before physical security professionals began to wake up to the possible threats of cybersecurity. (It probably still happens today!)
We in the physical security market have only been talking about cybersecurity for a year or two, and equipment before that time was often installed without even a cursory consideration of cybersecurity.
Another aspect is that the virus infiltrated through telnet connections. Among today’s best practices is to turn telnet access “off.” But years of less-than-optimal installations are still out in the world, still subject to botnet infiltration, still part of the problem that was so dramatically demonstrated last week.
Ignorance towards cybersecurity
And how much effort are we making today to diagnose any possible malware infestation of existing cameras and DVRs in the field? The tendency is to ignore the possibility of malware as long as the equipment keeps chugging along. How much is our continuing complacency a factor in last week’s attack? Or next week’s? Or an even larger and more devastating attack in the future?
So far, much of the discussion of the impact of cybersecurity on our market has been theoretical. (Although there have been other actual events to consider.) Friday’s cyberattack will no doubt raise the urgency of these concerns, and (hopefully) accelerate our pace of addressing the issues. They demand our attention.