It’s been over a year since we sounded the alarm on the lack of security on the Internet of Things, and in fact, we first mentioned it when it was back in its extremely nascent stage. While it is arguably still early days, we now have connected toasters, home alarm systems, refrigerators – and heaven forfend we should be out grocery shopping and can’t ping our refrigerator to tell us which staples we need to replenish.
We have a digital native friend who is always trying to get us to download some app or other, every time we see him. We rarely comply – primarily because it seems to be the latest iteration of something we already use, and the differentiators are not great enough to convince us that the app/company are necessarily going to be around in the next few months. He’s a young entrepreneur, who is also big on having connected devices all over the home, to make his life as easy and as remotely controllable as possible.
And therein lies the rub.
There was a major DDOS attack on Friday morning, which took Twitter, Netflix (or slowed it down, anyway), Spotify, Reddit, SoundCloud, Disqus et al offline, courtesy of “Mirai, an easy-to-use program that allows even unskilled hackers to take over online devices and use them to launch DDoS attacks. The software uses malware from phishing emails to first infect a computer or home network, then spreads to everything on it, taking over DVRs, cable set-top boxes, routers and even Internet-connected cameras used by stores and businesses for surveillance,” according to USAToday.
Point of entry: connected devices, aka, the Internet of Things.
The target of the attack was Dyn, whose servers monitor and reroute internet traffic, and host the Domain Name System, according to the New York Times, and “the attack came after years of warnings from security experts that the makers of many internet-enabled devices paid too little attention to security, shipping internet-connected hardware with preset passwords, insecure default connections, and other vulnerabilities,” said Fast Company (After Years Of Warnings, Internet Of Things Devices To Blame For Big Internet Attack Hundreds of thousands of cameras, routers, and DVRs have been hijacked by malware for use in massive denial of service attacks)
“It is just a matter of time until attackers find a way to profit from attacking IoT devices,” a report from security firm Symantec warned last year. “This may lead to connected toasters that mine cryptocurrencies or smart TVs that are held ransom by malware. Unfortunately, the current state of IoT security does not make it difficult for attackers to compromise these devices once they see the benefit of doing so.”
To make matters worse, there are the digital natives, who grew up connected and gave no thought to privacy, much less to security, as they lived out their lives – and continue to live out their lives – online. As with privacy, we wonder if they’re growing up inured to the concept of security, and while our digital native friend is about to launch his latest startup, we know that security was not top of mind with his last one – nor did a security layer in the software exist.
And we very much doubt that he is the exception.
This latest DDOS attack may have been the Largest DDoS attack ever delivered by botnet of hijacked IoT devices, as NetworkWorld reported (and even bigger than the one reported in the article), but we can state almost emphatically that it will not be the last – or necessarily hold that particular distinction for long. “Between 500,000 and 550,000 hacked devices around the world are now part of the Mirai botnet, and about 10% of those were involved in Friday’s attack, said Level 3 Communications Chief Security Officer Dale Drew on the internet backbone provider’s Periscope channel Friday,” Fast Company reported. Then consider self-driving cars, and we already know that those have been successfully hacked.
Worse, as security expert Bruce Schneier reports, Someone Is Learning How to Take Down the Internet.
Requiring users to set their own secure passwords when setting up the devices, and disabling unneeded avenues for remote control would help keep hackers out, according to Level 3’s Mirai report, but most manufacturer’s don’t even build in a secure mode to their devices, which only compounds the problem, and for more on the various flaws and weaknesses, the Fast Company piece is a must-read.
With the Internet of Things, we’re fast approaching an era in which your toaster can literally be the key to your front door – and your entire online identity. Security can no longer be considered a nice to have or an afterthought. It may be true that sometimes a cigar is only a cigar, but it the same can’t necessarily be said about something as simple as a smart toaster. The devices may be getting smarter – but it doesn’t seem like the creators/entrepreneurs have learned a hell of a lot and it seems that every fresh security breach in whichever quarters quickly becomes yesterday’s news.
We don’t know if the outage of some of our most popular sites was payback for Wikileaks founder Julian Assange having been taken offline, as has been suggested, or the first shot across the bough of something much larger to come. In any event, it is a warning of an incredible new vulnerability that is creeping into all aspects of our lives and literally about to hit us where we live. While it may be nice to automatically wake up to a slice or two of lightly browned bread in the morning, not at the expense of almost everything else in our lives potentially becoming toast. Onward and forward.