IOT's Dirty Little Secret Is That Nobody Thinks About Security

The cyberattack that brought down Twitter, Reddit, Netflix, Amazon, Spotify, and scores of other popular websites a week ago will be the first of many, warn cybersecurity experts, because there’s no incentive for the electronics companies to make more secure devices.

“We’re seeing the emergence of an existential threat to the internet as we know it,” says Chris Finan, an expert who spent years in government cybersecurity, and who is now CEO and co-founder of Manifold Technology — a cybersecurity startup in California.

The company that manages those popular sites’ domains is Dyn. Dyn fell victim to a Distributed Denial of Service (DDoS) attack, which enlists internet-connected devices, from laptops to nanny cams, to send innumerable requests at the target’s servers, and thereby knock them offline.

“It’s like too many people talking at a cocktail party,” cybersecurity expert and Efflux Systems CEO and co-founder Mike McNerney tells Inverse. Due to the cacophony, no one voice can be heard. Until recently, these attacks were mere nuisances: It was relatively difficult to access large numbers of vulnerable devices, then enlist them in an organized attack. But these days, with the Internet of Things, more and more devices — “smart appliances” like refrigerators and coffee makers included — communicate with the internet.

Your nanny cam is the ideal DDoS recruit because it’s insecure and connected to the internet. For the consumer, these devices are wonderfully convenient. To cybersecurity experts, they’re a nightmare. Plus, “the tools of the trade are becoming cheaper, more readily available,” McNerney says. The particular malware used in the Dyn hack, nicknamed Mirai, is, as of early October, open-source: Any hacker can access it, then put it to work.

“We’ve only seen the tip of the iceberg, in terms of the capability,” Finan says. The botnet used in the Dyn hack, he says, “took advantage of a miniscule subset of devices, but it demonstrated, in my view, what’s possible. A more sophisticated group, or somebody simply building on Mirai, to make it broader in terms of the devices — that’s going to be really dangerous.”

Whodunit

There’s no clear culprit for the Dyn cyberattack, though security firm Flashpoint on Wednesday suggested it was merely the work of virtual pranksters. McNerney concurs with most analysts that a lone wolf is unlikely; while it’s only getting easier to perpetrate botnet attacks, it still requires resources and sophistication. Flashpoint argued that it was probably just trolls, and not a politically motivated group or nation-state. If so, we should not exactly be relieved: Soon enough, a politically motivated group or nation-state will employ these tactics, and will do so with greater efficacy.

“For this one in particular, who did it is less material than the capability itself, in terms of manifesting a risk,” Finan says. He mentions Ramzi Yousef, who carried out the 1993 World Trade Center bombing. “That demonstrated an intent, in that case — not necessarily the capability, but certainly the desire to bring down that sort of symbolic landmark,” he says. The new, easy-to-target symbolic landmarks are virtual. “I think Mirai is emblematic of, in my view, what we will see now evolve. And this IoT-based cannon for DDoS, to me, is just incredibly dangerous.”

The motive is also hard to pinpoint, though some experts suggest that the hack could be a trial run for election interference. McNerney is less worried about a cyberattack interfering with the election than he is about faith in the system. “A lot of these systems are not internet-connected, and you have to attack every county and every state. It would be an undertaking; I don’t even know if it’s actually possible,” he says. But rumors are already abound that Russia is fixing to interfere, and Donald Trump’s fear-mongering continues to test the public’s trust in the electoral system. Such propaganda, in conjunction with another big cyberattack — real or imagined — could be disastrous.

“You could see a situation where someone launches anything, and then, whether they did or not, Guccifer, or whatever, comes online and says, ‘I messed with the results in Ohio,’” McNerney says. “And people just believe it, and it causes a problem.”

The Future of the Internet (of Things)

IoT device owners probably do not wish to facilitate these attacks, but McNerney says, right now, they don’t have much of a choice. With laptops and computers — the old DDoS abettors — it’s relatively easy to rebuff hackers. The owner just needs to keep his or her software up to date, and run firewalls or antivirus programs. “Unfortunately, when it comes to your internet-connected devices,” McNerney says, “There’s not much for you out there. There’s no vendor, that I’m aware of, that sells patches for baby monitors. And the actual device manufacturers, themselves, typically have not put much effort into securing them either.”

The problem, in McNerney’s eyes, is twofold: First, IoT-makers aren’t willing to devote resources and time to secure their products if it means they’ll fall behind their competitors. Second, consumers aren’t willing to pay extra to ensure that their devices won’t be part of a coordinated cyber attack. Secure IoT devices will be slower to market and more expensive, which is a tried-and-true recipe for financial disaster. “There’s an incentive for a lot of these companies to overlook security, and maybe try to deal with it after the fact,” he says. And consumers don’t really seem to care. “Even though it’s a good idea, even though people really do need to secure their stuff — how much are you willing to pay to secure your baby monitor? Right now, people are willing to pay zero.”

Neither the consumers nor the manufacturers seem aware of how bad the situation has become. Two years ago, a Russian website started broadcasting streams from hundreds of thousands of unsecured baby monitors and security cameras. “There’s not really anything anyone can do about it because the device manufacturers don’t really take this seriously, and there’s no McAfee, there’s no Palo Alto Networks, there’s no FireEye for these internet-connected devices,” McNerney says.

There’s little incentive for electronics manufacturers to make more secure devices; cybersecurity companies, likewise, appear unmotivated. The money comes from businesses, not individuals. “Outside of Symantec and McAfee, maybe Kaspersky, every single one of them — and there are thousands of them — is focused on the enterprise. Businesses, banks, tech companies, healthcare companies, are spending money to secure their networks,” McNerney explains. Ordinary people are not so willing.

Is It Time for Government Regulation?

McNerney and Finan both believe — true to their backgrounds in government — that the real solution may have to come from the top, or from some collaborative public-private endeavor. “The one thing I know for sure is, there’s no way that you can scale up current mitigation approaches,” Finan cautions. “It becomes cost-prohibitive for any service provider. I don’t care how big you are. Even AT&T, even Verisign — they can’t absorb a scaled-up IoT cannon.” As it stands, the incentives do not exist. One solution could be to artificially create them. Another solution, which Finan is pioneering with Manifold Technology, is to leverage blockchain technology to decentralize cybersecurity and foster cooperation between now-vulnerable internet service providers.

Meanwhile, the IoT attacks will continue to intensify, and the exploits will continue to surface. The cybersecurity industry may need to take a cue from its enemies, and open-source its efforts. Finan is optimistic that the companies that maintain the internet will realize that it’s in their best interest to unite. The future of the internet, and the Internet of Things, depends largely upon one question, in Finan’s mind:

“Do the business leaders, do the strategic leaders, really appreciate the risk?”