It’s pretty obvious when a major internet service provider is under some kind of attack: The service gets bad and slow, error messages pop up all over, and everyone basically knows something is not right. But it’s a lot harder to tell is some other web-connected device you use is acting strange because it’s old, or is broken… or remotely attacking the internet on the other side of the globe.
Security researchers have found in the past that there are millions of compromised devices connected to the internet; it seems like every month, we hear a few more stories about some device or other that’s hacked or breached or susceptible to having its data stolen.
But then there’s the flip side: When the problem isn’t so much the data that can be taken off your device, but rather the ways in which that device can be used as, well, part of a weapon. One individual internet-connected device isn’t much a of a threat, but put thousands or millions of them together into one big botnet, and you can knock many of the largest, most popular services in the country offline for a day or two, as happened late last year when a large botnet was used to attack hosting provider Dyn.
A Chinese webcam maker recalled its vulnerable products in the wake of the Dyn attack, but those cameras are far from the only vulnerable products on the market — and botnets manage to infect more unwitting devices every day.
The real kicker, as the Wall Street Journal reports today, is that for most users, your stuff could be out there waging war on the web and you’d never even know it.
Take, for example, a security camera at a laundromat in Colorado. As the WSJ explains, it was part of the Mirai botnet, a particularly widespread one.
The camera’s owner only knew that it was being a bit persnickety. “Her remote-viewing app kept disconnecting,” the WSJ explains; “she was able to reconnect it by restarting the digital video recorder.”
She’d go and power cycle the device — unplug it, then plug it in again — and then move on with her day, as so many millions of us do whenever anything electronic is out of sorts.
And while you might not expect the owner of the laundromat to be a tech expert, the security folks who installed the system for her weren’t aware of it, either. The company owner who put it in place told the WSJ that he only learned of the vulnerability after being contacted by a reporter.
What’s to blame? Human memory and systems design both play a role. “One of the hardest parts of this business is that everyone loses their passwords,” the installer told the WSJ. When that happens, support has to reset to the default in order to let the owner get back in.
But of course, a weak default password is basically useless. Researchers have found that most home “smart” devices can be remotely accessed in a few minutes at most, by someone actually looking to get in.
For random new devices getting plugged into the internet? Nine seconds, one analyst told the WSJ. That’s all it can take for a poorly-secured device to get swept up and have part of its processing power hijacked.
As the connected devices get both more prevalent and more important, the consequences of hijacking them can become ever more severe. The WSJ points to a vulnerability that hit a bunch of heating systems in Finland last fall, making buildings basically restart themselves and taking temperature control offline. In November in Florida, losing the heat for a few hours might not be a big deal; in November in Finland, it’s a much bigger problem.
For now, it seems the digital arms race is tilted towards the hijackers and not the defenders. Network security is a constant trade-off between machine needs and human needs, which are often at odds with one another — and with trying to patch, catch, mend, and keep up with every new vulnerability and vector of attack, which is hard to do.
In the meantime, if you’ve got any great ideas, hey — the FTC is looking for ideas on how to make the internet of things more secure, and there’s a $25,000 prize on the line if you pull it off.
What’s Attacking the Web? A Security Camera in a Colorado Laundromat [The Wall Street Journal]