It will be hard — if not impossible — to stop hackers from weaponizing the “Internet of Things” anytime soon. That’s what some experts are warning in the wake of a massive cyberattack Oct. 21 that used compromised Internet-connected devices like security cameras to disrupt many popular websites.
“These attacks are not going away,” said Ben Herzberg, security group research manager with cybersecurity company Imperva.
The big problem is that too many of those connected products come with lax security features that make them juicy targets for hackers, according to Herzberg. For instance, cheap Internet of Things devices are often secured with default passwords and may lack support for security updates. And the rapid expansion of the Internet of Things market means even more vulnerable devices are likely to be in use soon: By 2020, there will be over 20 billion Internet of Things devices online, according to one estimate from analysis firm Gartner.
The type of attack that caused the Internet meltdown can be carried out from anywhere, but there’s no regulation that can force device-makers around the world to make their products harder to hack, according Herzberg. “It would be great if we could say, ‘If you want to produce a device connected to the Internet you must go through basic security checks,’ but we don’t have that right now,” he said.
Those factors helped set the stage for the Friday attack, which left major services like Twitter and PayPal inaccessible for many users around the world. The hackers used malware dubbed Mirai to control the devices that carried out the digital assault, according to Dyn and researchers at cybersecurity company Flashpoint.
The malware scans the web looking for connected devices protected by weak or default passwords, Flashpoint said. Then it forces newly compromised devices to search for other vulnerable products, creating a network that hackers use to attack, according to the firm.
Mirai is thriving by finding connected products with weak security controls, experts say. The malware goes after a lot of outdated technology that is still connected to the Internet, explained Flashpoint research developer Zach Wikholm. “Some of them were made between 2004 and 2008,” he said.
Newer products can also be vulnerable, especially those made by low-end manufacturers in China, Herzberg said. Those manufacturers often focus more on making their devices as cheap as possible than on making them secure, he said. Many of those devices come with default passwords that typical users can’t change. And even if the password can be changed, the device probably won’t be able to receive updates to patch newly discovered security flaws, Herzberg said.
These issues have helped the malware spread across the globe. Herzerg and other Imperva researchers who investigated earlier this month discovered Mirai-infected devices in 164 countries. That geographic range is another reason it will be hard to prevent similar attacks: The attack ignores borders, and vulnerable devices from anywhere could come online, adding to its strength.
In the United States the Federal Trade Commission may be able to get device-makers to step up their security game. Maneesha Mithal, an associate director with the agency’s Bureau of Consumer Protection, said Internet of Things security is a “huge priority” for the agency. “This is an area where we see companies are not investing as much time and effort as they should be in security,” she said.
The agency released a report last year highlighting security issues in the Internet of Things market, along with guidance for device-makers. It’s also taken enforcement actions: one in 2013 against the sellers of poorly secured Internet-connected home security cameras and another this year, when it went after ASUS for alleged security weaknesses in popular home routers. More Internet of Things investigations are in process, according to Mithal.
But there are limits to the FTC’s authority. While the agency can influence the market through enforcement actions, it can’t set hard and fast security standards, according to former FTC Consumer Protection Bureau director David Vladeck.
Of course, the agency also doesn’t have jurisdiction everywhere. Mithal acknowledged that “it would be hard” to go after a foreign device-maker selling products overseas even if the device was being used to wage attacks like the one on Friday. However, she said, the FTC may be able to collaborate with authorities in other countries “to go after companies that are worldwide bad actors.”
The FTC’s enforcement actions can also change how a company does business around the world, not just in the United States, according to Wikholm, who said the ASUS case is one example. “[ASUS] didn’t just change one product in response,” he said. “They changed their entire line.”
Wikholm and Herzberg both said that improving the security of connected products will require buy-in from consumers and device-makers — and that will take time. “We have to come to an agreement not just in the U.S., but on the global scale,” Wikholm said. Perhaps, he suggested, that could be done through an international industry group.
But until things change, hackers will still be able to hijack consumers’ devices for their own purposes.