The internet was designed to withstand a nuclear attack. But its creators never imagined that baby monitors, toasters and smart TVs could bring it to its knees. We need to make sure that the devices that make up the internet of things can’t be used in the kind of attack that almost broke the internet late last month.
For reasons that I will explain later, that probably means regulating the devices.
First, though, some internet history. At the height of the Cold War, in the early 1960s, the RAND Corp.’s Paul Baran set out to design a military network that could survive a nuclear attack. He wanted to ensure that endpoints could communicate with one another in the face of catastrophic damage wreaked by nuclear weapons. His idea: build a widely distributed, packet-switching network that could route communications around destroyed hardware.
Others had similar ideas, and a lot of idealism was baked into these early internet proposals. J.C.R. Licklider wrote a series of memos laying out his vision for a world-spanning network, to be called the “Intergalactic Computer Network.” The network, he said, should be “an electronic commons open to all” and “the main and essential medium of informational interaction for governments, institutions, corporations, and individuals.” Based in large part on Licklider’s work, the U.S. Defense Department's Advanced Research Projects Agency (ARPA) funded a packet-switched network that eventually became the internet.
Openness, anonymity and freedom from government regulation were at the core of what was built. But now, with countless IoT devices that can easily be weaponized, we’re starting to suffer from that hands-off attitude. The idealism that built the internet also endangers it and opens it up to crippling attacks.
That was made clear in late October when a massive DDoS attack on DNS provider Dyn brought down wide swaths of the internet and disabled dozens of websites, including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times. Playing a big role in the attack was a botnet composed of IoT devices infected by Mirai malware. An estimated 500,000 IoT devices, such as security cameras and DVRs, are infected with Mirai, and approximately 10% of them were used in the October attack. In all, Dyn says that 100,000 devices were used in the attack.
The Dyn incident is only the latest in a string of IoT cyberattacks. In late September, an IoT botnet composed of 145,607 hacked digital video recorders and IP cameras targeted the French hosting service OVH. Also in September, a Mirai botnet was used to attack the Krebs on Security website.
Source code for Mirai has been published online, along with step-by-step instructions on how to use it. And reports say that IoT botnets are available for rent, making it even easier for someone to launch an attack. Dale Drew, CSO of Level 3 Communications, said that in the Dyn incident, “We believe that there might be one or more additional botnets involved in these attacks. This could mean that they are 'renting' several different botnets.”
IoT devices are particularly vulnerable to infection with malware such as Mirai. Users may not even realize the devices have passwords and so never change the defaults. They may not pay attention to updating the devices with security patches.
Ideally, having seen the potential for catastrophe, the makers of IoT devices would take steps on their own (or better yet, as a group) to boost security. But that isn’t likely to happen. IoT devices are price-sensitive —manufacturers won’t spend money on security if they don’t expect to be able to compete with the companies that ignore it. In addition, makers of consumer devices such as refrigerators and video recorders don’t have enough people with security expertise on staff.
The consequences of this go beyond the internet itself. Sanjay Sarma, a professor of mechanical engineering at MIT and IoT expert, told Computerworld’s Patrick Thibodeau, "This is just the beginning. There's more coming, sadly — perhaps a power plant." Given that medical devices are internet-connected, they can be hacked as well, with catastrophic consequences. Former Vice President Dick Cheney told 60 Minutes that his doctors had the wireless capabilities of his heart implant disabled because they feared it could be used in an attempt to assassinate him.
For all these reasons, the government needs to step in and enact security regulations for IoT devices. Mikko Hypponen, chief research officer for F-Secure, told Business Insider, “We're regulating things on appliances anyway. They should not be able to give you an electric shock, they should not catch fire.” To that list, he adds, “They should not leak your WiFi password either.” Basic regulations could include a requirement that consumers must change the default password in IoT devices before they can be used, for example. Laws can be enacted that levy civil and criminal penalties on companies that build insecure devices. The devices can be required to have a base level of security built in.
Some people argue that U.S. regulation won’t solve the problem because many of the devices are made by foreign manufacturers. But the U.S. is such a massive market that companies will have a big incentive to adhere to its regulations rather than forgo a chance to sell here.
Government regulation of tech should always be a last resort. But when it comes to IoT, we’ve already gone beyond the last resort. It’s time to crack down on IoT devices for a safer internet and a safer society.