The residents of two apartment buildings in the city of Lappeenranta in Finland found themselves bundling up at home when the heat in the buildings shut down. The reason for the failure wasn't an accident — it was a distributed denial of service (DDoS) attack primarily using internet of things devices that lasted for several days.
It's the latest in a string of attacks that have leveraged the internet of things to overwhelm systems. In this most recent case, the hackers directed traffic to the computer system that controls the heating (including the hot water heaters) for the apartment buildings. The system belongs to a company called Valtia, which provides facility management services.
Once this massive amount of traffic swamped the system, the computer attempted to reboot itself. This caught the computer in a reboot loop, shutting down heat to the buildings and confounding the maintenance staff. Fortunately, network administrators were able to limit internet traffic to the targeted system, and residents got their heat back.
Earlier this year, tech security journalist Brian Krebs found himself in hackers' crosshairs. The web servers hosting his site, KrebsOnSecurity, became inundated with traffic from a collection of internet devices including routers, DVRs and security cameras. Akamai, a company that provides security services to Krebs' site, was able to fend off the attack. But according to Akamai officials, the amount of traffic they saw was nearly twice that of the largest attack they had seen previously.
And in late October, many in the U.S. became frustrated when they found themselves unable to reach services like Twitter, Netflix and others. Again, the reason for the outage was due to hackers commandeering poorly secured internet of things devices. This group of hackers sent traffic to domain name servers (DNS) belonging to a company called Dyn. Those servers act like a phone book to the Internet — they help direct traffic to where it needs to go. With the servers busy dealing with bogus traffic, they couldn't handle legitimate requests.
It's clear that there are some critical security problems with the way we've implemented the internet of things. Too many devices have inadequate security, and some have no security measures in place at all. With more hackers learning how to take advantage of those devices, we'll likely see more attacks like these.
Fortunately for the residents of those apartment buildings in Finland, they aren't in the coldest part of winter yet. In late December, Lappeenranta gets barely more than five hours of sunlight, and the high is around 26 degrees Fahrenheit (about negative 3 degrees Celsius). Previous DDoS attacks mostly caused an inconvenience, but this latest example from Finland could put people's lives in danger.