The Internet of Things (You can’t trust)


Make that can’t and shouldn’t. Turns out those “things”—products that can network and communicate with each other through the internet, are amoral.  Big surprise, right?  “Things” lack a moral code, and can be bent to the side of evil rather readily. Ten days ago a distributed denial of service (DDOS) attack took down a major part of the internet for most of the Eastern seaboard. We soon learned we were being victimized by an army of infected “things” that had been commandeered and sent off to attack a critical link in the internet infrastructure, a company named Dyn. Dyn’s ability to handle internet traffic was halted by an avalanche of requests generated by an estimated 100,000 internet devices…things. Sites that were affected included such notables as PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, and Spotify.

Writing in PC Magazine, software analyst Max Eddy takes to task the appalling failure of the manufacturers of products that comprise the Internet of Things to embrace security. ”Instead of controlling access to the device, and employing best practices learned from connecting billions of computers and phones over the course of decades, manufacturers rushed cheap products to market. Ones that were designed, in some cases, to never be serviced, upgraded, or patched. And even if problems could be addressed, it is, arguably, not reasonable to expect individuals to treat labor-saving devices the same way they do computers. The vast majority of consumers assume, and rightly so, that if a device does not have a screen or some kind of input method, it is not intended to be serviced by them.

What’s the dimension of the problem? Gartner estimates that 6.4 billion connected things are being used worldwide in 2016, and forecasts that number to reach 20.8 billion by 2020. That sort of growth means millions of new “things” would get connected to the internet every day, and there are estimates from others that suggest the IOT could have 40-50 billion devices by 2020. That’s a lot of connectivity, and a heckuva pool from which to draft an army.

To the uninitiated, the internet of things seems somewhat esoteric. We may not fully appreciate precisely how we fit into the IOT. Well, one of the big thing/culprits in the DDOS attack on Dyn was cctv cameras, the kind of cameras widely used in surveillance systems. But forget about coordinated traffic lights or sensors in critical infrastructure, think smart watches, fitness trackers, garage door openers, wireless routers, tablets, cell phones, lighting systems, smart refrigerators and even next-gen toasters. The list is ever expanding, and they all add convenience at the expense of security.

Check this catch from Cory Doctorow. “The Atlantic’s Andrew McGill set up a virtual server on Amazon’s cloud that presented to the internet as a crappy, insecure Internet of Things toaster; 41 minutes later, a hacked IoT device connected to it and tried to hack it. Within a day, the “toaster” had been hacked more than 300 times.”

If we don’t get this problem under control, we may all be toast.

By Tom Davis, SDI Cyber Risk Practice

November 1, 2016