The United States is defenseless against another massive cyberattack like Friday’s internet interruption, experts warn.
The same superweapon that crippled much of the internet last week could be used to prevent Americans from filing their taxes online or signing up for Obamacare. It could be used to stop major news networks and websites from reporting the nation’s election in two weeks.
That’s because too many computerized devices have little to no security built into them.
“Security was never an integral part of the internet. It wasn’t a consideration,” Director of National Security James R. Clapper told the Council on Foreign Relations on Tuesday. “We’re kind of paying the price for that now.”
Faced with such grim scenarios, U.S. Senator Mark Warner asked the Federal Communications Commission on Tuesday about establishing “minimum technical security standards.”
He also asked if the major internet service providers — like AT&T, Comcast and Time Warner Cable — could legally start blocking devices deemed “insecure.”
The U.S. government still doesn’t know who carried out the cyberattack. But it does know how this new weapon — named Mirai — carried it out.
It was a Distributed Denial of Service (DDoS) carried out by more than 493,000 internet-connected devices, mostly commercial surveillance systems. This arsenal is the equivalent of half a million tiny guns. When all are pointed in the same direction, they become a megacannon. Whatever it shoots, it overwhelms. It can knock a website offline, or stop communications at a hospital or a government agency.
“We’re clearly facing a new class of weapon that we can’t defend against,” said Adrian Sanabria, a cybersecurity analyst with 451 Research. “Death Star class.”
This was possible because so many internet-connected devices have default passwords that have been exposed or are easily guessed.
For years, security experts have warned that we’re connecting too many devices to the internet — cameras, light bulbs, baby monitors — without properly securing these minicomputers.
Joshua Corman, a cybersecurity expert at the Atlantic Council think tank, said Friday’s attack is a result of our “security debt.” And it’s time to pay.
“In our race to adopt technology, we seldom… do the cost-benefit analysis… on security,” Corman said.
The devices being leveraged by this superweapon include cameras and digital recording systems made by Dahua Technology, HiSilicon, Samsung, Toshiba and others, according to cybersecurity journalist Brian Krebs.
That’s why cybersecurity expert Robert Graham said: “This is largely just a surveillance camera issue. Surveillance cameras often have dedicated internet links without firewalls.”
Making matters worse, the hacker behind this superweapon has released its source code — offering the world a blueprint so that anyone can create their own version of Mirai.
The cyberweapon’s computer code is mostly in English, and its designer has a sense of humor. (The troubleshooting feature is dubbed, “DEBUG MODE YO”). But it also communicates in Russian.
“It’s not the best code I’ve ever seen, but it’s pretty good,” said Bill Sempf, an application security architect in Ohio. “This could take North Korea or Turkey offline.”
There’s little the world can do to prevent this from happening again in the next few weeks or months.
Governments don’t own the internet. And there’s intense pressure from tech companies and many users to prevent states from ever asserting control on it.
Device makers can’t simply take all their infected machines offline. They all need to issue recalls, which hasn’t happened yet.
Consumers with infected machines should simply throw them out, according to cybersecurity expert Dan Guido. But that’s unlikely.
“Unfortunately we want features, and then we just expect security to be magically built-in,” said Per Thorsheim, a security adviser in Norway.