On Friday, Oct. 21, a massive attack against Dyn, which handles domain name system resolution for large websites like Twitter, SoundCloud, Spotify, Reddit and others, severely disrupted Internet traffic while the company got a handle on the problem.
According to a company statement from Dyn, “At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses… across multiple attack vectors and Internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.” The outage lasted a few hours.
Many of the devices in question have been traced back to a single company in China, XiongMai, according to Krebsonsecurity.com: “According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT [Internet of Things] devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.”
In other words, China has apparently been selling us cheap, unsecured “Internet of things” components that are installed in other products — devices that communicate with the Internet like closed-circuit TV digital cameras, DVRs, smart kettles and what not — and those devices are now being weaponized, millions at a time, into massive distributed denial of service attacks.
By legend, Lenin supposedly joked we’d sell the communists the rope they’d hang us with. But maybe it wasn’t a joke.
If these devices can be hacked to turn them into weapons, they can also be hacked into and compromised on their core functions. See, “Hackers remotely kill Jeep on the highway — with me in it,” July 21, 2015 Wired.com piece by Brian Greenberg for a taste of the terror that could be unleashed in our new interconnected world. In that example exploits against components in automobiles can be used to compromise a vehicle’s steering, brakes, acceleration and other critical functions that, nowadays, are entirely digital. Can you say recall?
But it’s not just cars. The range of “smart” devices includes infrastructure like train tracks, bridges, medical devices and more. How much of our critical infrastructure was made with cheap, unsecured Chinese crap?
Maybe connecting everything to the Internet is not so smart.
But it gets worse. Last month, Internet security expert Bruce Schneier warned the Internet’s infrastructure itself is being probed for weaknesses: “Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure. The attacks are also configured in such a way as to see what the company’s total defenses are.”
Schneier adds, ominously, that “One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.”
This raises the question: if the Internet is being probed for weaknesses, does that imply a state actor is involved in the probing? What are they preparing for?
Perhaps we should be questioning where these devices are manufactured. What if a state military came to be involved in the manufacture of these devices? Ever since the manufacture of IBM personal computers was taken over by Lenovo, a China-based company, a decade ago, Lenovo has been under suspicion of manufacturing hardware Trojans, installing hard-to-find malicious circuits and the like.
In 2014, new Lenovos were coming pre-installed with sophisticated spyware until it was exposed. Begging the question, what else is on these machines?
These concerns are apparently shared by the Pentagon, which, the Washington Free Beacon’s Bill Gertz reports, is now warning against plugging any Lenovos into secure networks: “The Pentagon’s Joint Staff recently warned against using equipment made by China’s Lenovo computer manufacturer amid concerns about cyber spying against Pentagon networks, according to defense officials. A recent internal report produced by the J-2 intelligence directorate stated that cyber security officials are concerned that Lenovo computers and handheld devices could introduce compromised hardware into the Defense Department supply chain, posing cyber espionage risks, said officials familiar with the report.”
Disturbingly, the report also details evidence that Lenovo computers are already engaged in cyber warfare: “One official said Lenovo equipment in the past was detected ‘beaconing’ — covertly communicating with remote users in the course of cyber intelligence-gathering.”
“There is no way that that company or any Chinese company should be doing business in the United States after all the recent hacking incidents,” the official said.
But the problem could be bigger than simply devices in Defense networks, or even in the U.S. As seen with the Dyn attack, if devices can be remotely commandeered, it may matter less where they happen to be located. More than 137 million Lenovo computers have been sold commercially over the past decade, accounting for about 7 percent of all computers in the world (the total number appears to be about 2 billion at the moment).
If millions of low-grade cameras can be leveraged in an attack, why not tens of millions of the best-selling laptop computers in the world connected to the Internet?
Perhaps this is what happens when a great nation outsources critical production infrastructure overseas. Maybe we should be more discerning about what it is we’re importing.
Whether it is insecure components in our DVRs or one-fifth of the current market for personal computers, the military applications are obvious, besides spying. If a state actor were going to take down the Internet, it might be at the same time, or shortly before, say, an attack in order to create confusion on the ground and to cut off communications. Then when the attack happens, access to information could be limited.
It may seem over the top, but if the Internet’s vital infrastructure is currently being probed for weaknesses, then we have to be prepared for the possibility of an attack, too — and the fact that we may have already paid for and installed some of the components that might facilitate it.
If there is a virtual Trojan horse in our midst, as Paris warned, perhaps it would be best to burn it before it’s too late.