The internet is facing an unprecedented threat from toasters — and calls are mounting for governments to step in and fix things.
A massive distributed denial of service (DDoS) attack was to blame. A DDoS works by using a swarm of hacked computers (a botnet) to overwhelm a target with malicious traffic; legitimate users can’t access it and the victim is overwhelmed, knocking it offline.
But what was unusual about the recent attack, which targeted internet service provider Dyn, was the botnet. It wasn’t traditional home computers that were hacked, but internet-connected devices — webcams, smart TVs, smart fridges, and so on — and it was made possible by terrible security practices by the manufacturers.
This wasn’t the first such attack, and it won’t be the last. And as a result, there are increasing calls for the government to get involved — either to regulate for stronger security, or even to take the nuclear option, and hack back.
“You will be part of the IoT revolution whether you want it or not.”
Last Thursday, I sat down with Mikko Hypponen, chief research officer for F-Secure, to talk about the state of security in the Internet of Things, or IoT. (Short answer: It’s truly terrible.)
We spoke before the Dyn attack — but after security reporter Brian Krebs had come under an unprecedented IoT-powered DDoS — and what we discussed equally well applies to the more recent attack.
Hypponen’s verdict: Don’t expect consumers or security-lacking manufacturers to change their ways as a result of this.
“People have said this is the wake-up call for IoT security — no it’s not. This is not gonna change anything. Why? Because people don’t care if their television is launching a denial of service attack,” the Finnish exec said.
“They don’t care, even if you tell them: ‘Hey, your TV is shutting down websites on the other side of the planet.’ They say: ‘Yeah ok, cool, I don’t care. I can watch TV, it works.'”
Security simply isn’t something that people look for in a home appliance, meaning there is no economic incentive for product makers to up their game.
“The core of the problem is that when you go and buy an appliance, security isn’t a selling point. You go and buy a toaster or washing machine … clearly price is number one. Number two: colour. Security doesn’t even enter the discussion, which means the vendor making these things will invest the minimum amount of money possible into security,” Hypponen said.
And as costs go down, and the IoT spreads, this problem risks intensifying.
Hypponen said: “We have people [who say] ‘IoT sucks, I’m not gonna buy any IoT devices.’ That’s not going to be possible, that’s not the way it works … you will be part of the IoT revolution whether you want it or not … In five years time, you go and buy a toaster — regardless of the toaster you buy, even if there’s no IoT features, it’s still going to be an IoT toaster. It’s still going to call home to the manufacturer, and the reason this is going to happen is it’s going to be so goddamn cheap to put in one chip and have it call home.”
So does Hypponen think it is time to for government to force vendors to change?
“I’m really divided on what I think about regulation, but if it’s needed somewhere, this might be it … we’re regulating things on appliances anyway. They should not be able to give you an electric shock, they should not catch fire, they should not leak your WiFi password either — I think that would be a good thing.”
The alternative? Hack back.
Not everyone agrees with this. Rob Graham, hacker and security researcher, calls for a more decisive action: A proactive strike from the NSA (National Security Agency) to knock compromised IoT devices offline.
He pointed out that even if some nations did legislate against insecure IoT devices, it would do little to affect those sold in other jurisdictions — which could then be used for attacks.
“Morons think U.S. should pass a software liability law that will somehow affect Chinese devices sold to Ukraine,” he wrote on Twitter.
“All that would do is stop you/your friend getting rich [with] a brilliant IoT Kickstarter idea — won’t stop the [vulnerabilities]. The proper response would be to task the NSA to brick all the freakin’ devices — nothing says software vulnerability like getting bricked. Would my solution solve this problem? Yes. Would yours? No.”
Others, however, concurred with Hypponen’s sentiments.
Joseph Cox, a reporter for Vice’s Motherboard, tweeted: “H**y shit IoT security needs to get regulated.”
“We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure,” said Wall Street Journal tech columnist Christopher Mims.
Meanwhile, SwiftOnSecurity, a popular Taylor Swift-themed cybersecurity Twitter account, called on retail companies to do more to crack down on rogue products and vendors.
“I call on Amazon to refuse to sell devices with proven security problems that are being used to criminally target American infrastructure,” they wrote. “Amazon refuses to sell USB cables that can fry smartphones, there is no reaso they should sell IoT devices used bring down our country.”
And Mikko Hypponen tweeted simply: “IoT is a clear and present danger for the internet.”
The US government isn’t sitting on its hands during all of this. Reuters reports that the Department of Homeland Security is working on a set of “strategic principles” to secure IoT devices. But there’s nothing settled upon. (XiongMai, a Chinese manufacturer whose webcams were exploited in the attack, has also issued a recall.)
Perhaps the most frightening part of the Dyn attack is that it wasn’t particularly sophisticated. It exploited baked-in default passwords on devices, using some open-source software called Mirai that anyone can download for free. So unless governments swiftly implement a strong response — whether regulatory or offensive — then the Dyn attack won’t be last time this happens.
- Top IoT Companies to Watch & Invest In
- Best IoT Conferences & Expos
- IoT Wearable Devices & Technology
- How the IoT Will Affect Security & Privacy
- Ultimate IoT Research Bundle