The Internet of Things is under attack, and it could change our future homes

One of many visions of the smart home of the very near future, from British Gas.

Image: Benjamin Braun via YouTube

Winter is here. The Internet of Things (IoT) winter, that is. 

All those digital routers, DVRs, “smart” kitchen appliances and IP-enabled cameras you assumed were innocuous as they worked away in the background of your life are rising up like zombies at the behest of the Night’s King of Game of Thrones.

And like the fictional, aforementioned zombie army, it seems there’s little we can do to stop the next big distributed denial of service (DDoS) attack, fueled by the malware dubbed Mirai — a word that appropriately means “the future” in Japanese.

But is this latest zombie-flavored hacking attack really “the future” for the Internet of Things?

The first look most of us got at the Mirai malware was back in September, when it was used to attack the site of security expert Brian Krebs. Generating 665 Gigabits of traffic per second, the incident became perhaps the biggest known DDoS attack since one noted by Akamai in June, which generated 363 Gigabits per second.

Following the attack in September, Krebs reported that a person going by the name of Anna-Senpai, which may refer to a Japanese erotic anime series, had released the malicious code into the wild on Oct. 1. 

The Nest smart thermostat, which connects to the internet.

Image: mashable

Adding to the sense of impending doom, the U.S. Department of Homeland Security posted a notice on Oct. 12 warning that users of Sierra Wireless products should reboot and reset the password on their router devices. 

Some predicted the release of the Mirai code would lead to an even bigger DDoS attack, and on Friday, those predictions came true. 

We’ve detailed exactly how it happened and how you can attempt to make sure your internet-connected devices aren’t part of the problem. But that’s just the beginning.

In the past 24 hours, some experts have suggested rebooting and changing the passwords on all your internet-connected devices, but that advice presents two major issues. 

Firstly, most consumers don’t think of passwords beyond their smartphones, tablets, and email and bank accounts. In fact, most are likely unaware their IoT devices even have password options. Secondly, not all IoT devices have consumer-facing interfaces that allow a password change. 

Those factors mean that we’re likely to see more DDoS attacks in the coming weeks and months.

So is this essentially the end of the still emerging IoT market? In a landscape where every IoT access point is a potential vector to bring down web giants, will all those new devices be mothballed in favor of security? 

Hardly. 

The biggest reason? It’s already too late. Just last year, Gartner predicted a massive 30 percent jump in IoT devices, resulting in about 6.4 billion in use worldwide. That figure is expected to hit 20.8 billion in about four years. The metaphorical robot butler has already left the factory, and people really, really like their robot butlers. 

“There are more internet-connected things out there that no one thought of any security for,” John Bambenek, threat systems manager for Fidelis Cybersecurity, told Mashable.

He pointed to the number of devices that come with no apparent login. “You’re trusting these manufacturers to do this right. Like with [internet-connected] baby monitors, it’s not like I can open up the monitor and keyboard and patch it,” he explained.

Sometimes driven by design simplicity and other times by thoughtlessness, many IoT devices on the market today forgo technical user control in favor of presenting a slick, easy-to-use product.

The Amazon Echo, one of the most widely used ‘internet of things’ devices in the U.S.

Image: mashable

For example, Bambenek explained, “A treadmill that wants access to the internet so that you can track your workouts on a smartphone app — [the company] pays no attention to security, and leaves things wide open because some developer wants to have an easy backdoor to tweak things. Then, boom, it’s off to the market, and there’s no liability for the [manufacturer].”

But should some of the blame for this malicious leveraging of IoT fall on manufacturers? 

“If you’re shipping enough devices that can be leveraged trivially to knock down Twitter? Yeah, there should be liability!” Bambenek said. “In the physical world, if you made a lawn mower that if you start it, one time out of 10 it leveled a city block, we’d be bankrupting that company. We’d be arresting the executives.”

The hit television show Mr. Robot toyed with the idea of IoT chaos in a recent episode, and it appears that fact is quickly overtaking fiction. 

So with little hope of millions of IoT users suddenly becoming savvy hackers and securing their devices, it seems the only real hope of combating such massive DDoS attacks falls to the IoT industry itself. But, perhaps there’s yet another way. 

Regulation is one possibility, and we need to get started. “They’re going to pump out [insecure] devices until they’re forced to do something different and I don’t see any change until Congress [intervenes],” Bambenek said. “If there isn’t, and we can’t stop these devices from being used in attacks, there’s going to be somebody who writes malware that just bricks all these devices so that they can’t be used at all on the internet.

“In the absence of the rule of law, all you get left is tribal justice.”

“Tribal justice” in a space that IDC estimates will reach $1.7 trillion in value by 2020 doesn’t seem sustainable, so it’s likely that legislative and industry protocols will begin to address security holes that threaten to hobble a burgeoning tech sector. 

However, in the absence of government-mandated rules, does that mean Friday’s DDoS-scuppered lawless internet is the new normal, at least for the time being? 

“In the short term, yes,” said Bambenek. “At least for the next few months until we manage to figure out a way to fix this.” 
