On Friday, Dyn, a company that routes and manages internet traffic, suffered multiple Distributed Denial of Service (DDoS) attacks throughout the day. Major sites such as Twitter, Netflix, airbnb and the New York Times were unavailable throughout the day due to these attacks. The general counsel for Dyn, Dave Allen, confirmed on Friday that a malware called Mirai executed the attacks via devices on the so-called Internet of Things, turning them into a launch pad for the attacks.
With 500,000 devices already infected around the globe, Mirai allows devices like fridges, home security systems, and cars to be used for large scale DDoS attacks - flooding servers with artificial traffic until they crash. Mirai spreads by scanning for devices with basic or default username and password combinations and then uses brute force to enter the system. With the malicious code of Mirai now available in full online, it is likely hackers will modify it to their needs. And, by commandeering everyday devices, hackers are able to amplify these disruptive attacks and conceal the source behind layers of misdirection, making attribution difficult.
In light of Friday's attacks, The Cipher Brief brings you our past coverage on the vulnerability of the Internet of Things.
Would you purchase a smart refrigerator that knows what you buy and can make suggestions about what to buy next? How about a smart toy that monitors your child for you? A smart car that knows where you drive? Or maybe you would prefer a smart rifle that aims itself? The world is getting smarter, and this vast web of wirelessly connected devices has come to be known as the Internet of Things (IoT).
The IoT is being hailed as the next big thing that will change everything and allow us to customize our lives to a previously unheard of degree. It is expected to more than double in size by 2020, with approximately $6 billion being spent on IoT devices during that time. However, this customization is provided by placing sensors and wireless networking capabilities in otherwise ordinary objects. This means that they are monitoring the world around them and communicating that information to their creators. So far though, it has mostly proved to be a boon to advertisers, who can use the vast volumes of information generated by these devices to better target consumers and influence purchasing decisions.
However, there is a darker side to the IoT – and the problem is growing every day. While IoT devices can communicate wirelessly like a computer, many of them lack the types of security measures that keep computers safe. This essentially means that as IoT devices become more common, people will need to worry about not just their computer getting a virus, but also their blender or their thermostat, or even their doors.
The effects of malware on IoT devices could have a range of different effects, but arguably the most damaging would involve issues of control. Ransomware, for example, has already proven itself to be a growing problem in the cybersecurity industry. This type of malware locks down a system until a ransom is paid, and it has been used to hold files and systems in hospitals hostage on several different occasions. When applied to the IoT, the effects could be even more severe – just think how disruptive it would be if a cybercriminal shut down your car until you paid them several thousands of dollars.
Similarly, there are concerns about cyber criminals seizing control of networked devices. Returning to the car example, two cybersecurity researchers famously hacked a moving Jeep and took control of its functions in 2015. Or, more distressingly, a different set of cybersecurity researchers hacked into the control systems for a networked rifle at about that same time – allowing them to control where it was aiming.
Clearly, these issues are far from inconsequential, but there has been some improvement in this area. Most IoT devices are difficult to patch and have lackluster security, which means that it is hard for companies to fix security problems once they become aware of them. However, new guidelines have emerged from a variety of sources which give guidance on how to build security into IoT devices from the start. While these have the potential to greatly enhance the security of the IoT, there is not currently a procedure for notifying consumers as to whether a given product has been created securely. Brian Witten, Senior Director of Internet of Things (IoT) at Symantec, told The Cipher Brief that “experts are working to set guidelines and fair testing means by which security ratings, rankings, seals or stamps of approval can be earned.” Until such a system is in place though, Witten cautioned that “failure to build against an established set of security guidelines should be a red flag to any customer.”
Aside from the security concerns that have arisen around the IoT, there are also worries that the sensors in IoT devices would allow for significant breaches of consumer privacy. While companies do mine data from IoT devices to learn more about their customers, the primary focus of the concern is on government surveillance. The fear is that the government could compel firms to hand over information about people that was generated by IoT devices, and that this information would be used as part of a mass surveillance effort.
Matthew Olsen, former Director of the National Counterterrorism Center, has said that “the Internet of Things provides new channels for the government to collect information – both from a law enforcement and an intelligence perspective.” IoT devices create a tremendous amount of information, and there is certainly a great deal of potential for mining that data to produce useful insights into the activities of criminals and terrorists.
Yet, this information may not be that useful in the grand scheme of things. Marshall Erwin, a fellow at the Hoover Institution, told The Cipher Brief that “this revolution in technology has not been nearly as consequential to law enforcement. The data in question simply isn’t that valuable outside of the context in which it is collected and used.” Essentially, IoT data is great for advertisers, but the information these devices collect is not usually the type of information that law enforcement and intelligence agencies need to do their jobs. It remains to be seen how the still evolving nature of the IoT will change the dynamic between these two viewpoints.
The tendency towards increased connectivity does not appear to be slowing down, and in aggregate this does not appear to be a bad thing. However, security concerns are a looming problem with the nascent IoT. Many common cybersecurity problems are a direct result of the Internet being designed without security aforethought. Forward-looking policies, practices, and regulations may need to be put in place now to prevent a similar state of affairs from developing in the Internet of Things. Fortunately, the IoT is still a work in progress, and it is not too late to ensure that its myriad security issues are addressed before they become unmanageable.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.
