The Impending Crisis of the Internet of Things By Rick Paulas
Huge security flaws are being ignored by manufacturers—and are not easy to fix
Picture our beloved Internet
as a massive luxury cruise ship navigating the world’s icy waters. Stationed on
the bottom deck is a bonafide navigational expert making sure everything is OK.
This person has all the gadgets: radar, sonar, charts, compasses, ring dials,
chronometers. He can chart a path through the thickest of fogs, no sweat at
all. One night, after
examining the path, the navigator sees a field of icebergs straight ahead.
These are the huge security flaws in smart televisions, cameras, dishwashers,
cars, and everything else that makes up the expanding roster of devices known
as the Internet of Things.
“We have to change
course,” the experts says.
“OK, OK,” everyone
says. “We will.”
But no one does. And
the ship continues moving in the same direction. After days and weeks of
warnings, the ship finally hits the first, small iceberg. Saucers go flying and
surf-and-turf dinner carts roll off the deck and into the sea. This was the
DDoS attack back in October that took down huge chunks of the Internet for a day.
“What do we do now?”
everyone asks the expert. “How do we fix this?”
The expert looks
around. The ship is surrounded by miles and miles of icebergs, their sharp
points
poking out of the surface as far as the eye can see. “When you look at the
Internet as a whole, it was never constructed to be secure,” says James Scott,
a senior fellow at the Institute for Critical Infrastructure Technology. “But
now you have insecure devices being networked to an insecure Internet.” In
fact, despite the massive effects that the October effect had, the tactics used
to make it possible were elementary. “It was not sophisticated,” Scott says.
“All [the hacker] did was focus on very pronounced vulnerable devices, and used
them to drive traffic wherever they wanted.”
Rather than the attack
being successful due to the hacker’s technical proficiency, it was really only
successful because of the number of IoT devices currently out in the world. According to
Gartner, there are more than 6.4 billion IoT devices in use — a number
expected to rise to 50 billion by 2020. That’s an estimated 4,000 new devices
installed every day, roughly 186 of which are vulnerable to malware used in the
October attack. It’s not surprising, then, that DDoS attacks rose 71 percent
between Q3 of 2015 and Q3 of 2016. Something that makes the
IoT problem different from other security problems is that there’s really no
sound way to add security to the devices already out there.
“If you look at your
PCs or other devices, they have the ability to install software after the fact
by the consumer,” says Alan Grau, president of Icon Labs, a provider of IoT
security. “With the IoT, that’s generally not the case.”
There are few updates
or patches that provide stronger security measures. If there’s an option to
change the device’s password, then, yes, the consumer can (and very
much should) do so. But many devices don’t even have that option, or, if
they do, it’s too complex for the average consumer. “Part of the problem
is the cost of the security flaw is not born by the person building the
product,” Grau says. If a botnet infects a bunch of smart TVs that are
then used in a DDoS attack to knock banking institutions offline for a day,
that hurts their businesses, but it doesn’t really hurt those “real-life”
producers constructing the products. “That’s why regulations are required to
create an incentive.”
Meaning, it’s on
legislatures to come up with stricter laws that keep these devices off the
market until they have stronger security. But, if you haven’t noticed,
legislatures have had their hands full with, well, a whole lot... read more: