Posted by Chase Mulligan.
On October 21, 2016, a coordinated distributed denial-of-service (DDoS) attack was launched against internet systems operated by Domain Name System (DNS) provider Dyn, resulting in massive disruption of internet services across the United States and Europe. Internet services along most of the east coast, west coast, and southern parts of the country were affected. The cyber-attack has been called an “historic attack” (flashcritic.com): the first robot-based digital assault using the Internet of Things, one that linked millions of online devices in a coordinated operation. The tactic takes a novel approach, manipulating electronic devices connected to the Internet of Things to carry out the attack. It capitalizes on the weak security of these devices and raises the question of responsibility and liability.
Anonymous and New World Hackers, using recently released malicious software (malware) called Mirai, created a robot network (botnet) for the attack. The significant aspect of the attack is the use of the Mirai botnet code to take control of devices on what is called the Internet of Things. These are electronic devices that are not directly connected to computers but are connected through the internet, and they include such items as webcams, smart TVs, routers, security cameras, DVRs, and similar devices. By using these electronic devices, the hackers were able to take control of a virtual army of attackers. While attacking from multiple directions at once is considered sophisticated, the actual use of the electronic devices is considered uncomplicated. Many of the compromised electronic devices are used by homes or small businesses and often lack security capabilities or contain elementary security that is easily compromised. The hackers had little difficulty installing the Mirai malware and taking control of the devices when needed for the attack.
Security organizations are taking measures to identify the compromised devices and are developing ways to combat the Mirai command and control system. However, the cost and potential liability for placing unsecured or poorly secured electronic devices on the Internet of Things is a looming question. If a person or a company experiences a significant loss of money, compromise of data, or destruction of assets, who is liable? Surely the hackers, but are the companies that market poorly secured or unsecured smart electronic devices liable as well? Is the person or concern that uses the devices responsible, jointly or wholly? An area of cyber-law is now in the making.
Chase is a finance and marketing major at the Stillman School of Business, Seton Hall University, Class of 2019.