WHAT HAPPENED last Friday on the Internet might be remembered as the Day of the Zombie Baby Monitors. Tens of millions of electronic devices that are online, such as baby monitors, security webcams and digital video recorders, all of them infected with malware, were given a mysterious order to attack, and they obeyed, sending out mindless waves of traffic. The target was Dyn, a New Hampshire company that provides domain name services, allowing people to reach the correct website. This is a sort of telephone book of the Internet, but on Friday morning at about 7, the telephone book on the East Coast was paralyzed by junk traffic. Popular websites such as Twitter, Spotify, PayPal and many others suffered outages. Another wave came at noon.
The attack appears to be an unprecedented exploitation of the “Internet of Things,” a term that includes more and more devices that offer user convenience — control your home thermostat from your smartphone — but also are vulnerable to mischief. In general, the benign household devices connected to the Internet are not very sophisticated. Many have factory-wired default passwords that are easy to defeat. This makes them attractive to hackers, who can implant a tiny bot that will awaken them on command.
Cybersecurity specialist Brian Krebs reports that the attack used malware known as Mirai, which scans the Internet for devices that have the 60 or so default usernames and passwords. It then infects them, and when ordered, they hurl torrents of junk traffic at a designated target. When executed by tens of millions of the tiny bots, the result is a crushing blow, known as a distributed denial-of-service attack. In the case of Friday’s onslaught, the senders were mostly digital video recorders and webcams with internal components made by a Chinese company. According to Mr. Krebs, last month the hacker responsible for creating the Mirai malware released the source code for it, “effectively letting anyone build their own attack army using Mirai.”
The shadowy hand behind Friday’s attack was not immediately evident. It may be distinct from the infiltration and theft of emails from the Democratic National Committee and Hillary Clinton’s presidential campaign that the U.S. intelligence community has attributed to Russia. But such hacking episodes serve as a reminder that the United States is under siege in the digital world and must respond forcefully, either with aboveground tools, such as economic sanctions, protests and legal prosecution, or, where appropriate, with offensive cyberweapons. Sure, it will be hard to identify the perpetrators and important to calibrate the response, but given how destructive the onslaughts are becoming, it would be a mistake to do nothing. Next time, the zombie may be more than a baby monitor.