On the global battlefield of cyberwarfare, there’s a vast army of faceless foot soldiers — and they’ve just been revealed as double agents.
The distributed denial of service (DDoS) attack that brought the Internet to its knees one day last month used everyday household appliances like cameras, universal remotes, DVRs and even washing machines. That’s likely to become increasingly commonplace in a technology-dependent world, experts say.
The stakes are mounting as “smart home” devices — connected by increasingly ubiquitous Internet of Things technology and designed to help consumers run their homes with ease — now come with a distinct risk. They are being transformed into drones for security breaches.
Such devices now number more than 6 billion, according to a recent analysis from Machina Research.
“Security has not been a prime focus on many devices and organizations that put these out helter-skelter. … In many cases they’re not adjusting to security concerns,” Leonard Kleinrock, a UCLA professor of computer science, told CNBC in a recent interview. “So it’s not a surprise this [cyber attack] happened and it hasn’t been taken seriously. There’s no oversight in general.”
Connected devices are reaching a saturation point: A 2015 Gartner study estimated that consumers around the world are adding a staggering 5.5 million IoT devices on a daily basis. According to Kleinrock, that’s a major concern in the context of seemingly relentless cyberwarfare. A big problem is that most consumers use default passwords on these appliances that can easily be hacked.
“The obvious answer is to change the password [but] I think it’s unreasonable by and large to expect users to change passwords on cameras, toasters and scales,” said William Webb, a fellow at the Institute of Electrical and Electronics Engineers and CEO of Weightless SIG, a nonprofit standards body that looks at issues surrounding IoT connectivity.
There’s a bigger question of how to execute compliance, he told CNBC in a recent interview. “There are things you could do but how do you get that to happen? If this is a mobile phone, this is not so difficult … but these are devices manufactured by 10-20 manufacturers,” he said.
“Getting them all to play ball is really difficult, and there isn’t a framework to make them do it.”
Because of their limited computing capacity, “most of the IoT devices were not designed with serious protection capability, and so are susceptible to attack,” said Kleinrock, who was influential in the development of Arpanet — the forerunner to the modern-day internet.
“These devices were designed to minimize the processing load and memory usage. They usually don’t have the additional processing power needed to carry out the extra load for security protection,” he said.
“The net result is that if we are serious about protection, we may need to wait until a new generation of these devices … replaces the existing generation. The rub is that many of them are designed to remain installed for a decade or more,” Kleinrock said. “At the same time, we need to address this growing threat now that it has been exposed.”
The disruptive ability of hackers is also amplifying concerns about artificial intelligence, a booming technology market in itself that is increasingly intertwined with IoT. The massive trove of data these devices produce is a potential gold mine for tech manufacturers and malicious actors alike.
“One problem with DDoS attacks is you may not even notice it’s happening,” said Webb. “If it doesn’t appear to be a problem, … you won’t take steps to prevent it. It is a difficult issue.”
It’s also a concern taking on more urgency as “AI assistants” like Google Home and Amazon Echo capture the public’s imagination. Explosive smart home device growth is on track to more than quadruple by 2025, Machina’s research found. Separately, IDC estimated that worldwide IoT spending will hit $1.7 trillion by 2020.
Jeremy Warren, chief technology officer at smart home provider Vivint, told CNBC that technologists are at work “using AI methods to make [smart home] defenses smarter,” as security breaches serve as a rude awakening for manufacturers and consumers to improve security.
That includes “looking for normal and abnormal patterns, and taking corrective action” in the event of polymorphic computer virus attacks like the Mirai bug that shut down parts of the Internet last month. In theory, AI can identify, remove or quarantine a threat that makes a machine operate outside its normal scope, he said.
However, “the malware itself has the ability to mask itself and have variable signatures,” Warren added, calling it an “arms race” between device makers and hackers.
“Unfortunately you’re seeing more of that on the bad guy side itself, using AI techniques and machine learning to make malware easier to use. AI and ML tools are becoming part of a weapons set on both sides,” he said. It’s a task complicated by what Warren called “brain-dead vulnerabilities” in which devices operate on factory settings without the consumer creating a unique password.
Kleinrock, however, insisted that the onus is on manufacturers to require consumers to be more conscious about “security hygiene.”
Most device owners “are unaware and don’t really care,” he said. “‘How bad can it be?’ they’ll argue. ‘So what if some simple device fails to operate properly.’”
Therein lies the risk, the scientist said, invoking the economic theory known as the “tragedy of the commons,” in which one member in a shared resource system acts independently but risks the common good.
“If everybody doesn’t cooperate, then everybody is vulnerable,” Kleinrock said.