Dyn DDoS Attack: what happened and what we can do to stop future attacks

The IoT Consortium takes IoT security and privacy threats extremely seriously. The Mirai botnet DDoS attack against the Dyn managed DNS service on Friday, October 21st, 2016 made many of the most popular US web sites unreachable for hours: the sites themselves were not attacked, but their domain names could no longer be resolved, causing service disruptions on an unprecedented scale. The simplicity and accessibility of this attack also exposed, in a very public manner, the extreme vulnerability of the current consumer IoT ecosystem and the urgency of identifying and rapidly deploying robust protective measures across the entire industry.

To that end, the IoT Consortium has formed a Privacy & Security Committee composed of leading consumer IoT manufacturers to promote and coordinate industry-wide collaboration on this critical issue. Its long-term goal is to build and maintain consumers' trust in the connected devices that are increasingly becoming part of our everyday lives, and to foster the development of a healthy consumer IoT ecosystem that can safely add value to the global Internet economy.

Its source code having been published openly just weeks before the attack, the Mirai botnet continuously scans the Internet for consumer IoT devices such as web-connected cameras, thermostats, smart TVs and digital video recorders that expose a Telnet login. Leveraging the fact that many consumers neglect to change the factory default username and password in their rush to set up these devices, it tries a short dictionary of common default username/password pairs (with passwords such as "admin", "123" and "password") to log into these relatively unprotected devices; it does not exploit a software bug, only unchanged credentials. In a very short time Mirai was able to recruit hundreds of thousands of connected devices and direct them to flood specific targets with traffic, effectively forcing them offline.

Currently the quickest fix is for consumers to reboot their devices and immediately change the default username and password. Mirai does not persist on disk, so a reboot removes it, but a rebooted device that still answers to its factory login is typically rescanned and reinfected within minutes, which is why the password change must follow immediately and why the device's login service should not be reachable from the Internet at all where that can be avoided. However, it is unreasonable to expect that most consumers will do this on their own, and the IoT Consortium recommends that manufacturers commit to pushing firmware updates to all their devices that require changing the default username and password, both as part of the initial setup process and as part of the software update. That change only helps if every remote login service on the device actually honours the new credential, so manufacturers should verify that no Telnet or other management service still accepts a fixed factory login. Consumers should also be strongly advised not to reuse critically important passwords, such as those of their email or bank accounts and home WiFi routers.
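The two sides of the problem described above, the default-credential scanning in the paragraph on how Mirai operates and the forced credential change this paragraph asks manufacturers to ship, as an added example written for this page rather than code from the IoT Consortium or from Mirai itself. The default-credential list is constructed for illustration (it is not the real Mirai dictionary), the log lines are constructed honeypot-style records in a made-up format (a production telnetd would not log the password tried; a honeypot sensor does), and the IP addresses are documentation ranges. The first part is the kind of check a setup flow can apply to reject a factory login; the second is detection logic that flags a source trying many distinct default pairs within a short window, the signature of a Mirai-style scan, and reports whether any attempt succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed, illustrative list of factory default username/password pairs.
# It is NOT the real Mirai dictionary, only the kind of pairs such a list holds.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "123"),
    ("admin", "123456"), ("root", "root"), ("root", "admin"),
    ("root", "password"), ("root", "12345"), ("user", "user"),
    ("support", "support"),
}


def is_default_credential(username, password):
    """Firmware-side check: is this pair on the factory default list?"""
    return (username, password) in DEFAULT_CREDENTIALS


def validate_new_password(username, password, min_length=10):
    """Return the reasons a proposed credential must be rejected at first-boot
    setup (or after a forced-change firmware update); empty list means accept."""
    problems = []
    if is_default_credential(username, password):
        problems.append("username/password pair is a known factory default")
    if len(password) < min_length:
        problems.append("password shorter than %d characters" % min_length)
    if password.lower() == username.lower():
        problems.append("password equals username")
    return problems


# Made-up honeypot log format (assumption for this example):
#   <ISO8601 UTC> telnetd[pid]: login <failed|ok> user=U pass=P from=IP
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S*) from=(?P<src>[\d.]+)$"
)


def parse_auth_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"),
            "pw": m.group("pw"), "src": m.group("src")}


def detect_default_credential_scans(lines, min_attempts=4, window_seconds=60):
    """Flag each source that tries at least `min_attempts` DISTINCT default pairs
    within any `window_seconds` window. Non-default attempts (a real user typing a
    wrong password) are ignored, so a single repeated pair is not a scan."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev and (ev["user"], ev["pw"]) in DEFAULT_CREDENTIALS:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            pairs_in_window = {(e["user"], e["pw"]) for e in events[start:end + 1]}
            if len(pairs_in_window) >= min_attempts:
                flagged[src] = {
                    "distinct_defaults": len({(e["user"], e["pw"]) for e in events}),
                    "succeeded": any(e["result"] == "ok" for e in events),
                }
                break
    return flagged


# Constructed sample log: one fast scanner (203.0.113.7) that eventually logs in
# with a default pair, a legitimate user with a typo, a source repeating one
# pair, a slow scanner spaced beyond the window, and a malformed line.
SAMPLE_LOG = """\
2016-10-21T11:12:01Z telnetd[412]: login failed user=root pass=root from=203.0.113.7
2016-10-21T11:12:03Z telnetd[412]: login failed user=admin pass=admin from=203.0.113.7
2016-10-21T11:12:05Z telnetd[412]: login failed user=admin pass=password from=203.0.113.7
2016-10-21T11:12:08Z telnetd[412]: login failed user=admin pass=123456 from=203.0.113.7
2016-10-21T11:12:10Z telnetd[412]: login ok user=root pass=admin from=203.0.113.7
2016-10-21T11:13:40Z telnetd[413]: login failed user=alice pass=letmein2016 from=192.0.2.5
2016-10-21T11:13:52Z telnetd[413]: login ok user=alice pass=Tr0ub4dor&3x from=192.0.2.5
2016-10-21T11:14:00Z telnetd[414]: login failed user=admin pass=admin from=198.51.100.9
2016-10-21T11:14:30Z telnetd[414]: login failed user=admin pass=admin from=198.51.100.9
2016-10-21T11:14:59Z telnetd[414]: login failed user=admin pass=admin from=198.51.100.9
2016-10-21T11:20:00Z telnetd[415]: login failed user=admin pass=admin from=198.51.100.20
2016-10-21T11:22:00Z telnetd[415]: login failed user=root pass=root from=198.51.100.20
2016-10-21T11:24:00Z telnetd[415]: login failed user=admin pass=password from=198.51.100.20
2016-10-21T11:26:00Z telnetd[415]: login failed user=root pass=admin from=198.51.100.20
this line is not a login record
"""


if __name__ == "__main__":
    print(validate_new_password("admin", "admin"))
    for src, info in detect_default_credential_scans(SAMPLE_LOG.splitlines()).items():
        print("%s tried %d distinct default pairs, logged in: %s"
              % (src, info["distinct_defaults"], info["succeeded"]))
```

Only the fast scanner is reported: the slow one spreads its four pairs over six minutes and never has four distinct pairs inside a sixty-second window, which is the usual trade-off of a windowed detector; lowering the threshold or lengthening the window catches slower scans at the cost of more noise from legitimate mistakes. The "succeeded" flag is the line a responder cares about most, since a successful default login on a real device means it has probably already been recruited.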

The IoT Consortium welcomes and encourages all IoT device manufacturers to join and participate in this community effort, and to help make the IoT a more secure and trusted place for consumers. For more information, please contact Greg Kahn at greg@iofthings.org or our privacy and security subcommittee co-leaders JP Abello (jeanpierre.abello@nielsen.com) and Jim Hunter (jim.hunter@greenwavereality.com).