Oct 25, 2016
The Dyn DDoS Attack: What You Should Know
On Friday October 21st 2016, the Internet was hit with a massive Distributed Denial-of-Service Attack (DDoS for short), which took down some very high-profile websites. You may have heard about it on the news.
You may have also heard that IoT devices were at the heart of this attack. To be clear: Pipers were not involved in this attack.
So, what did happen?
Several IoT devices from a few manufacturers were compromised by very intrusive malware whose job it was to direct massive amounts of traffic to a DNS service called Dyn. You can read about Dyn’s battle with this historic attack here: http://dyn.com/blog/dyn-statement-on-10212016-DDOS-attack/
At this point, it appears that the devices involved in this DDoS attack (mainly DVRs and IP cameras) suffered from a crucial flaw: They shipped with default usernames and passwords which allowed them to be accessed with relative ease. Once the malware gained access to these devices’ firmware, the coordinated attack was initiated.
Think about your Wi-Fi router’s password that allows you to configure it with a web browser: The first time you access it, you use some username/password combination like admin/admin (or similar). Once you log in the first time, you’re usually asked to change it.
In this case, the default passwords weren’t changed, and when setup on their Users’ home networks, these vulnerable devices were able to be accessed by telnet or SSH and their passwords were known to the attacking software.
At no time have Pipers shipped with default usernames and passwords, and we do not allow them to be accessed by telnet or SSH. Piper also does not have a built-in web console (such as those often found on Wi-Fi routers).
We take Piper’s security very seriously, and always have.
We conduct quarterly independent security audits of Piper. Our software (App, Firmware and Cloud) is patched regularly and according to industry best-practices. All Cloud access (be it from Piper or the Mobile Apps) is authenticated and encrypted (including Firmware updates).
When setup properly on your home’s Wi-Fi router, Piper does not accept incoming connections on the local network. Encrypted requests from the Mobile Apps must pass through a Cloud Relay Server, to which Piper itself has made an outbound encrypted connection.
For the best performance from your Piper, we recommend the following tips:
- Always ensure you’re using the latest version of the Piper Mobile App.
- Always make sure your home Wi-Fi router is patched with the latest available version of its firmware.
- Use the latest available Wi-Fi encryption (such as WPA2) to keep others from snooping. Stay away from WEP encryption.
- Do not allow incoming connections to your router via your public IP address.
- Always keep your software at home up to date. A vulnerability on one system can lead to headaches on another, so keeping your devices up to date is essential.
Like the weakest link in any chain, IoT devices are only as good as the software written for them. We take Internet security very seriously and are proud of the work we put into testing and securing Piper.
If you have any questions or concerns, please feel free to contact our Support Team!