Huge security flaws are being ignored by manufacturers—and are not easy to fix.
By Rick Paulas
Picture our beloved Internet as a massive luxury cruise ship navigating the world’s icy waters. Stationed on the bottom deck is a bonafide navigational expert making sure everything is OK. This person has all the gadgets: radar, sonar, charts, compasses, ring dials, chronometers. He can chart a path through the thickest of fogs, no sweat at all.
One night, after examining the path, the navigator sees a field of icebergs straight ahead. These are the huge security flaws in smart televisions, cameras, dishwashers, cars, and everything else that makes up the expanding roster of devices known as the Internet of Things.
“We have to change course,” the experts says.
“OK, OK,” everyone says. “We will.”
But no one does. And the ship continues moving in the same direction. After days and weeks of warnings, the ship finally hits the first, small iceberg. Saucers go flying and surf-and-turf dinner carts roll off the deck and into the sea. This was the DDoS attack back in October that took down huge chunks of the Internet for a day.
“What do we do now?” everyone asks the expert. “How do we fix this?”
The expert looks around. The ship is surrounded by miles and miles of icebergs, their sharp points poking out of the surface as far as the eye can see.
“When you look at the Internet as a whole, it was never constructed to be secure,” says James Scott, a senior fellow at the Institute for Critical Infrastructure Technology. “But now you have insecure devices being networked to an insecure Internet.” In fact, despite the massive effects that the October effect had, the tactics used to make it possible were elementary. “It was not sophisticated,” Scott says. “All [the hacker] did was focus on very pronounced vulnerable devices, and used them to drive traffic wherever they wanted.”
Rather than the attack being successful due to the hacker’s technical proficiency, it was really only successful because of the number of IoT devices currently out in the world. According to Gartner, there are more than 6.4 billion IoT devices in use — a number expected to rise to 50 billion by 2020. That’s an estimated 4,000 new devices installed every day, roughly 186 of which are vulnerable to malware used in the October attack. It’s not surprising, then, that DDoS attacks rose 71 percent between Q3 of 2015 and Q3 of 2016.
Something that makes the IoT problem different from other security problems is that there’s really no sound way to add security to the devices already out there.
“If you look at your PCs or other devices, they have the ability to install software after the fact by the consumer,” says Alan Grau, president of Icon Labs, a provider of IoT security. “With the IoT, that’s generally not the case.”
There are few updates or patches that provide stronger security measures. If there’s an option to change the device’s password, then, yes, the consumer can (and very much should) do so. But many devices don’t even have that option, or, if they do, it’s too complex for the average consumer.
“Part of the problem is the cost of the security flaw is not born by the person building the product,” Grau says. If a botnet infects a bunch of smart TVs that are then used in a DDoS attack to knock banking institutions offline for a day, that hurts their businesses, but it doesn’t really hurt those “real-life” producers constructing the products. “That’s why regulations are required to create an incentive.”
Meaning, it’s on legislatures to come up with stricter laws that keep these devices off the market until they have stronger security. But, if you haven’t noticed, legislatures have had their hands full with, well, a whole lot.
“The conversation hasn’t even gotten to the hill because [the Mirai attack] happened during the elections,” Scott says. “The hill is slow to evolve because they think additional standards will somehow snuff out the entrepreneurial marketability. But security-by-design as an enforceable standard is no different from car manufacturers having to include brakes on their vehicles.”
The manufacturers won’t do anything until their hand is forced. And the consumers can only do so much. We’re all left floating in the iceberg field, waiting for the big one to crack the hull.
When I ask Grau to predict the future of these attacks, he mentions the possibility of hackers using ransomware to infect a bunch of devices and then telling the manufacturers to pay up or face the consequences. (Something like this was attempted back in November with the cyber hijacking of San Francisco’s light-rail MUNI system.)
“I think we need to see a huge disaster for people on the hill to start enforcing standards,” Scott says. Say, if a botnet were to take down an electrical grid in the dead of winter. Or shut down the power to a hospital. Or exploit features in smart cars while they’re in motion, causing accidents on the road. Unfortunately, it seems like a big disaster like this isn’t just inevitable, but necessary before regulatory measures are introduced.