Hackers are exploiting serious vulnerabilities in the security of the billions of connected devices collectively known as the Internet of Things, and building zombie armies capable of knocking any target offline, threatening free speech and the internet economy.
Over the past week Brian Krebs, an independent journalist who investigates the shady world of cybercrime and the dark net, has seen his website hit with one of the largest attacks in the history of the internet, carried out by a botnet of compromised CCTV cameras — which some experts see as a harbinger of things to come.
"I don't know what it will take to wake the larger internet community out of its slumber to address this growing threat to free speech and e-commerce," Krebs says. "My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections."
Krebs is in some ways a victim of his own success. The former Washington Post journalist has become the scourge of some of the most powerful cybercriminals in the world through his investigative reporting on his Krebs on Security blog.
These people don't take things lying down. Krebs has in the past been the victim of swatting (sending emergency services to someone's home by falsely claiming a serious incident is happening there) and once had heroin sent to his home. This week he was hit with a distributed denial of service (DDoS) attack that knocked his blog offline for days and led the company protecting his website to pull its service, because continuing to do so was going to cost it millions.
Krebs' site is no stranger to DDoS attacks, but this one was different from anything he'd seen before. It's a warning sign not just for investigative reporters but for the entire online world.
DDoS attacks work by flooding the server hosting the target website with so much traffic that it becomes inaccessible to anyone else. Attacks of under 10 gigabits per second (Gbps) can easily knock smaller websites with no protection offline. The attack that hit Krebs' site last week was 620 Gbps.
An attack of this size isn't unprecedented, but it is among the biggest on record, and such large ones typically bear the fingerprints of a nation state. Not this one.
Normally with DDoS attacks, the devices used to flood a site with traffic are PCs that have been compromised with malware to become part of a so-called botnet, an army of zombie computers that can be controlled remotely to do a hacker's bidding.
But in this case, the botnet was made up of web-connected devices collectively known as the Internet of Things, such as CCTV cameras, which can be looped into a botnet attack.
Everything from industrial control systems and factory robots to the smart TVs, fridges, ovens and thermostats in our homes will be online and therefore open to attack. Though connected cameras might not have the same processing power as desktop PCs, for the purposes of a botnet army, they make the perfect zombie soldier.
"Many of these cameras run a full operating system and have a relatively robust connection to the internet," Matthew Prince, CEO of Cloudflare, a company that protects websites from DDoS attacks, told VICE News. "As a result, if they are poorly secured, they can become a very effective source of DDoS traffic for an attacker."
Security is a huge problem with these devices. The majority are shipped with default usernames and passwords set at the factory but never changed before the cameras get connected to the internet, leaving them wide open to attack. This lack of security puts the cost of creating an IoT botnet army at "virtually nothing," according to Krebs. "These are compromised resources, so it costs the attacker whatever their time is worth. That's about it," Krebs told VICE News.
On the flip side, blocking such attacks is prohibitively expensive. Akamai, the company that's been protecting Krebs' website pro bono for the last four years, says it would have cost millions of dollars to continue to rebuff last week's attack and so it pulled the plug on Krebs. But he's not bitter about it: "I do not fault Akamai for its decision," Krebs said on his blog. "Once it became evident that the assault was beginning to cause problems for the company's paying customers, they explained that the choice to let my site go was a business decision, pure and simple."
Google's Project Shield, a free DDoS protection service from the search giant's Jigsaw division, has stepped up to provide protection and help get Krebs' blog back online. The attacks are still coming, Krebs said this week, but for now his website remains up, and Project Shield is monitoring its traffic to identify the compromised machines and inform their owners.
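The monitoring described above, in which a protection service sifts the traffic hitting a site to identify the compromised machines, can be sketched in a few dozen lines. The following is an added example and is not code from Project Shield, Akamai or Cloudflare: it counts requests per source address inside a sliding time window, flags the sources whose peak rate no human visitor could produce, reports what share of the traffic they account for, and groups the flagged addresses by network prefix so their owners can be notified. The log lines, addresses, one-second window and five-request threshold are all constructed for illustration.

```python
"""Flood-source triage over a constructed web-server access log.

Added example, not code from Project Shield, Akamai or Cloudflare: count
requests per source address inside a sliding time window, flag sources
whose peak rate no human visitor could produce, and group the flagged
addresses by network prefix so their owners can be notified. The log
lines, addresses, window and threshold are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log, one request per line: "<ISO timestamp> <source IP> <bytes>".
# Two sources burst several requests within a fraction of a second; the rest
# behave like ordinary visitors.
SAMPLE_LOG = """\
2016-09-20T12:00:00.000 198.51.100.7 1400
2016-09-20T12:00:00.050 198.51.100.7 1400
2016-09-20T12:00:00.100 198.51.100.7 1400
2016-09-20T12:00:00.150 198.51.100.7 1400
2016-09-20T12:00:00.200 198.51.100.7 1400
2016-09-20T12:00:00.250 198.51.100.7 1400
2016-09-20T12:00:00.300 203.0.113.42 1400
2016-09-20T12:00:00.350 203.0.113.42 1400
2016-09-20T12:00:00.400 203.0.113.42 1400
2016-09-20T12:00:00.450 203.0.113.42 1400
2016-09-20T12:00:00.500 203.0.113.42 1400
2016-09-20T12:00:01.000 192.0.2.15 8200
2016-09-20T12:00:04.000 192.0.2.15 2100
2016-09-20T12:00:09.000 192.0.2.88 5600
2016-09-20T12:00:20.000 198.51.100.7 1400
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, bytes) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, size = line.split()
        records.append((datetime.fromisoformat(stamp), ip, int(size)))
    return records


def peak_window_count(timestamps, window):
    """Largest number of requests from one source inside any span of `window`."""
    ts = sorted(timestamps)
    best = 0
    left = 0
    for right, t in enumerate(ts):
        # Advance the left edge until the span [ts[left], t] fits in the window.
        while t - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flood_sources(records, window_seconds=1.0, threshold=5):
    """Return {source_ip: peak_count} for every source whose peak request
    count inside one window reaches `threshold`."""
    by_source = defaultdict(list)
    for stamp, ip, _size in records:
        by_source[ip].append(stamp)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in by_source.items():
        peak = peak_window_count(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def flood_share(records, flagged):
    """Fraction of all logged bytes that came from the flagged sources."""
    total = sum(size for _stamp, _ip, size in records)
    bad = sum(size for _stamp, ip, size in records if ip in flagged)
    return bad / total if total else 0.0


def group_by_prefix(ips, prefixlen=24):
    """Group addresses by /prefixlen network, the unit a defender would use
    when notifying the owners of the offending address space."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return {net: sorted(addrs) for net, addrs in groups.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    flagged = find_flood_sources(records)
    print("flagged sources:", flagged)
    print(f"share of bytes from flagged sources: {flood_share(records, flagged):.1%}")
    for net, addrs in group_by_prefix(flagged).items():
        print(f"notify owner of {net}: {', '.join(addrs)}")
```

On a real flood of the size that hit Krebs' site the per-request log would never be the place to look, since the traffic is absorbed upstream in network flow records rather than at the web server; the logic is the same, though, with flow records in place of log lines and bits per second in place of request counts. The threshold is deliberately crude: a source that bursts a handful of requests in a second is suspicious in this constructed log, but a production system would tune it per site and would also correlate sources across many victims, which is exactly what let Cloudflare recognise the same camera botnet hitting several customers.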
But Krebs isn't the only target of this botnet: Prince confirmed that a botnet made up almost entirely of CCTV cameras had been attacking some Cloudflare customers in recent weeks.
While the huge attack on Krebs' website drew a lot of media attention, the threat from DDoS attacks is nothing new.
These days, if you want to knock someone offline, there are dozens if not hundreds of groups around the globe offering access to their botnets for as little as $5, which means anyone who wants to knock an enemy offline can do so relatively easily. That covers everything from knocking a competitor's site offline during its busiest hours, to preventing access to vital information, to even, as with Krebs, suppressing free speech.
But the fallout from a DDoS attack can hurt everyone, not just the intended target.
"The use of DDoS attacks against ordinary internet users, journalists, and others in the public sphere is of significant concern," Roland Dobbins, principal engineer at Arbor Networks, told VICE News.
Krebs says the "writing has been on the wall for years" about the threat posed by these types of attacks, and yet nothing significant has been done to address it.
In December 2014 the hacker group known as Lizard Squad knocked the Xbox Live network offline on Christmas Day. While the news made a lot of headlines at the time, the fact that the attack was achieved using a botnet made up of compromised home networking routers did not. It should have raised alarms about such attacks. "We've had plenty of warning," Krebs said.
Indeed, the threat posed by unsecured IoT devices was presented in a National Science Foundation paper in February 2014: "An environment needs to be developed for distributing security patches that scales to a world where almost everything is connected to the Internet and many 'things' are largely unattended."
While there are some initiatives underway to build collaborative systems for general use, big companies like Microsoft, Apple and Google are all doing their own thing, which makes standardization difficult.
"I don't think [hardware manufacturers] are beholden to anyone," Krebs said. "They don't see it as their job [to worry about security]; they see it as their job to make their products as easy to consume as possible."
As we move toward a world where everything from cars to offices to toothbrushes is online, this week's attack is worrying the experts.
"What I suspect we are going to see is the malware used to build this will have derivatives that will [allow] you to build other botnets," Andy Ellis, chief security officer at Akamai, told VICE News. "Probably in the next year to 18 months, we will see multiple competitive large-scale botnets that include Internet of Things and embedded devices as their core components."