“National Treasure,” or a Worldwide Problem of Epic Proportions?
Another wild week on the Internet has led a lot of people to wonder whether the remote security cameras on their homes, or their refrigerators, or both, have teamed up with other household appliances to wage war over the Internet through high-powered Distributed Denial of Service (or “DDoS”) attacks against high-value targets, like the website of the most famous cybersecurity blogger today, Brian Krebs. Could this be true? Can your refrigerator be hacked and thereafter weaponized?
Well, not really. But, sort of. As one recent article noted: “Brian Krebs did a simple thing. He reported on the take-down of a distributed denial of service (DDoS) for hire group, vDOS, and the arrest of two of its Israeli teenage operators. The ensuing cyber temper tantrum, which was forensically linked to one of the teenagers, resulted in the largest DDoS attack on record and affected hundreds of businesses and thousands of users.” The IoT has been charged (rightly so) with a lot of things. Game-changer? Yes. Revolutionary? Yes. A Driver of Efficiency and Customer Experience? Of course. Co-conspirator? Well, that is a new one. Pan stage left to an FBI “America’s Most Wanted” Poster—at No. 3 is—your toaster.
So here is the problem. According to multiple press reports, two individuals, likely harnessing the power of hundreds of thousands of hacked IoT devices, took down Brian’s website, which was very well protected and sophisticated. The attack was recorded at 620 gigabytes per second, which was approximately twice the size of the then-largest DDoS attack. Then, days later, French web host OVH reported a DDoS attack of more than double the size of the Krebs attack.
In the necessary (and by the way, very successful) drive to better connect customers over the Internet with their appliances, their sellers, and their manufacturers, some manufacturers forgot one little point. Without sufficient precautions to harden their connections, some of these IoT devices have been found to be as porous to cyberattacks as a near-sighted hockey player. One article states the problem better than I ever could:
“But by way of illustration for this point, compare a smart phone to an internet-enabled refrigerator. The smart phone can potentially do far more harm (it handles confidential data, banking credentials, passwords, it has a camera/microphone that could be abused, and it provides an ideal staging post to hack other devices, with a full operating system and both Wi-Fi and cellular internet access). However, by its nature, the smart phone is known from the outset to be potentially vulnerable, and not just by the manufacturer but the third party app providers and the users all appreciate that security is paramount. Therefore security measures are built-in and crucially, enabled and operated. Updates to protect against new vulnerabilities are applied automatically, and security beyond passcode protection is augmented with data encryption and cryptographically-signed software. By contrast, the fridge just gets unboxed and powered up. It most likely uses universal plug and play connectivity to make it easy to network and because there was little or no consideration to the need for security during its design, it is highly prone to compromise. But what harm can a fridge do? A Stuxnet takeover isn’t going to do the same amount of damage—maybe the milk will go off if the fridge thermostat is overridden?”
The cybersecurity of the Internet of Things is a complicated subject. The above DDoS attacks are really just the visible part of the iceberg that is floating to our shores. And truly it is an iceberg, because unlike many other types of cyberattacks, an attack on an IoT device (this time maybe it’s in a building, a manufacturing facility, or on the shop floor) could conceivably cause the loss of life or limb. Similarly, catastrophic consequences could result if such an IoT or connected device were located in an airplane, automobile, or weapons system that got hacked and thereafter directed towards the civilian population. Taken to the logical extreme, rather than 150,000 devices, one could conceive of a DDoS launched by millions of devices arranged in a lethal botnet that strikes “the right place at the wrong time,” causing catastrophe and chaos. Can a DDoS attack of epic proportions take down the Internet?
Let’s leave that question alone for the moment.
Fortunately, some very smart people in government, like my friend Ronald Ross from the National Institute of Standards and Technology (“NIST”), have prescribed new ideas and concepts for manufacturers of IoT devices that advise and caution them to think about cybersecurity first, and to build their devices so they are “secure by design.” Though the NIST guidelines are only guidelines today (and not law), it is hoped that they will change the way manufacturers think about and design IoT devices. Similarly, there are new initiatives within the Defense Department that require weapons and weapons systems to be cyber-hardened and secure by design. But what about the millions of devices already out there that are connected to the Internet? That truly is the problem, and the dilemma. With stronger malware detection capabilities, and strong cyber “assessment protocols,” many existing IoT-related problems can be discovered before they do any harm. For those businesses that rely on internet-connected devices to run their buildings and manufacturing plants, and that have not assessed their IoT devices, there are many cybersecurity consultants waiting to help. The cybersecurity of the IoT, however many billions of dollars in wealth and efficiencies of scale it has created, is a problem that we need to reckon with today. It cannot wait till something else bad happens.