Internet of Things security under scrutiny after home devices were turned into hackers for Friday's massive web attack
October is National Cybersecurity Awareness Month and, even though it may have been coincidental, hackers demonstrated why this is an important month when they executed an attack on October 21.
A DDoS attack on Friday underscores the importance of IoT security.
To wit: On Friday, cloud-based Internet performance management company Dyn said it came under attack by a large Distributed Denial of Service, or DDoS, attack against its managed DNS infrastructure in the US-East region.
Translation: Consumers saw outages on websites like Twitter, and a slew of others, reportedly including Spotify, Amazon, Reddit, Yelp, Netflix and The New York Times.
According to Forbes, White House Press Secretary Josh Earnest said the Department of Homeland Security is monitoring the attacks – and Politico reported the FBI is also involved as hacktivist groups Anonymous and New World Friday claim credit.
What happened exactly?
As Momentum CTO Jason Snyder explained it, the incident was a botnet attack that uses software that lies dormant until activated to turn individual devices into slaves of a master controller.
It’s the same basic idea as the attack in the first season of Mr. Robot. But, Snyder noted, what’s interesting here is that the attack involved a network of hardware devices like thermostats and printers that then make as many requests as they can to a specific address. This, in layman’s terms, is a DDoS attack.
“It’s like if the country of China came knocking on your front door, eventually the door breaks,” Snyder said. “That’s what’s happening. There are so many requests at same time, it fails.”
What does this mean?
And despite some reports that say this could be the beginning of a bleak future for us all, Snyder said his take is the attack is no a reason to panic just yet as there are plenty of protocols in place.
“After awhile, you can figure out where it’s coming from and it’s easy to shut down,” Snyder said “In the world of massive multiple player games, [there are guys] called griefers – they give people a hard time and make life miserable. This is kind of like trolling IoT devices.”
Or, to put it another way, Snyder said, “We have kids and when kids get sick, we say they’re upgrading their software. So I think next time, the software [in IoT devices] will get upgraded.”
What’s more, Snyder said, “We have so many other things to be concerned with than a botnet [shutting] down Twitter and Paypal for 15 minutes...these are not the launch codes. It is not a big deal.”
At the same time, like a homeowner having an open house in a neighborhood that has just been toilet papered, Snyder conceded this was an unfortunate incident for some parties and there was certainly some damage to, say, those who rely on Paypal to make a living.
Further, this type of attack could very well escalate from simple trolling to actual physical harm if it impacted critical infrastructure like dams, hospitals or air traffic control, Snyder said.
“You can get really dark with this really quickly,” Snyder added.
But he points to security profiles on IoT devices, which range from what he called soft to hard. Most IoT devices have soft security profiles now, but Snyder suspects we’ll see investment in hardening these security profiles in IoT devices moving forward.
“You have to take into consideration with open platforms and networks, the technology has surpassed legislation and morality,” Snyder said. “We’re in this weird space – it’s amazing and magical, but also [dangerous].”
In other words, the best response is to be cognizant of what devices you are putting in your home because connecting a device to a network changes its meaning. And consumers need to spend more time thinking about what can go wrong, Snyder said.
“You have to accept responsibility for the things you are connecting to a network. You don’t just drop your kid off at Chuck E. Cheese’s and drive away – you have a certain responsibility when you bring these things into your life and home.”
Drew Ianni, chairman of the IOT Influencers Summit, agreed the attack reinforces the need for the industry to focus on ensuring the tens of billions of connected devices are as secure as possible.
“There have been a myriad of hacks on emerging connected devices in recent months that specifically affected the individual device [such as cars, etc.], but today's attack also shows that IoT devices can be corrupted and leveraged by hackers to infect a related host device or system,” Ianni said. “It's the mother of all Trojan Horses and today, the hackers have truly upped the ante. The industry needs to respond swiftly and forcefully.”