In the wake of the massive DDoS attack on Domain Name System (DNS) provider Dyn, network administrators are grappling with how to better secure their networks against vulnerable IoT devices.
This past Friday, a DDoS attack was carried out targeting a critical point of failure for the Internet. DNS is the system that translates human-readable domain names into the numerical IP addresses that direct the flow of traffic to specific servers. It’s basically the Internet’s switchboard operator.
If something goes wrong at the DNS, browsers and other web-enabled systems will have a difficult time locating the server that hosts the information they need. Because so many websites rely on Dyn to direct this information, a disruption on its servers disrupts many websites at the same time.
This enabled attackers, who in this case appear to be the group “New World Hackers,” to essentially shut down dozens of the Internet’s most popular websites at one time. These sites include Amazon, Twitter, Reddit, Netflix, and more.
IoT: a tool of destruction?
What makes this attack especially troubling are the devices that were used to carry it out. All evidence points to Internet of Things devices as the tool of mayhem.
These devices exist in millions of homes around the United States and countless others worldwide. They include smart appliances like refrigerators, laundry machines, dishwashers, toasters, and more. Home security systems and automated thermostats are also prime targets for malicious parties that want to add them to their growing botnets.
Distributed denial of service (DDoS) attacks involve a bunch of compromised systems that have been hijacked and added to a virtual swarm of zombie machines called a botnet. It can be impossible to tell whether or not your devices have been compromised as they work exactly as they normally would.
In the case of Friday’s attack, hackers used a piece of malware called Mirai. This software scans the Internet for IoT devices that have only basic security and are usually left on their default administrative usernames and passwords. This enables the software to gain access to the device, upload its malicious code, and essentially hijack it.
The IoT is expanding rapidly. It’s becoming a common part of commercial networks and is used in industrial applications. Smart televisions, which are in many homes, are actively communicating with the Internet and other devices on home networks around the world. The government uses smart city applications such as traffic sensors and wireless cameras to help municipalities run smoothly.
Solving the problem with IoT
This creates a whole new set of problems that security experts have been actively tackling for years. How do you secure something that is built to be simple to use? Simplicity and security are not great bedfellows. Devices will need more aggressive and solid security features on-board.
The Department of Justice warned of an insecure Internet of Things last month. This came just weeks before the Dyn attack that crippled some of the Internet’s most popular websites. A DDoS attack isn’t the same as a hack that infiltrates systems and compromises their data, but it does shed light on a very real security flaw on countless networks worldwide.
Many IoT devices are capable of being compromised with malware. This puts a compromised system on the same network with home personal computers, corporate servers, and even sensitive government data. Does this mean that your smart toothbrush is going to participate in the next big government email hack? No, but it does mean that maybe one shouldn’t be connected to a government network.
Users are another big obstacle. It’s hard enough to teach the average user to keep their PC’s operating system up-to-date – even when the notification is covering a large portion of their screen. Reminding them to regularly update their toaster is pretty much a lost cause.
So, that leaves us with a temporary and painful solution. Maybe we should think twice before we connect everything and anything to the Internet?
Reining in the connected consumer madness
Don’t get me wrong. There are a lot of great IoT devices out there. I love self-driving cars and I couldn’t imagine life without my smart television.
The problem is that right now we’re in IoT overload. There are companies out there right now doing everything they can to make every object you interact with a part of the Internet.
Is there really any reason your toilet paper dispenser needs to be connected to the Internet? You can see, very clearly, that the roll is empty. You’re probably sitting there staring at it with the same panicked expression I do before checking the holder to make sure there is another roll at the ready.
Does your piggy bank really need to have a corresponding app that tells you how much is inside? There are plenty of non-Internet connected coin banks that will keep a tally of what’s inside for you without having to interface with your phone or the Internet.
Don’t get me started on smart water bottles. Have we become so distracted as a people that we can’t even remember to drink? How could we have survived for hundreds of thousands of years without technology that tells us that it’s time to take a sip?
We’re living in this world right now. A world where any and every company that produces a product is asking itself how it could integrate it into the Internet of Things.
In the words of Ian Malcolm, Jeff Goldblum’s character in Jurassic Park: “Your scientists were so preoccupied with whether or not they could that they didn’t stop to think if they should.”
The wave of the future?
The Internet of Things is the wave of the future. It’s a world of autonomous cars and intelligent sidewalks. It’s a grand scheme of a reality where our needs are met before we know we need them, and everyone has access to information whenever they need it.
During our journey to this future, it’s important that we balance the growth of this technology with its security. After all, if 30 million homes in the United States are going to be filled with smart devices in the next year, security shouldn’t be an afterthought.