How Your Internet-Enabled Device Could Be Hijacked to Launch Cyber-Attacks
Lack of security of the devices is a "market failure," expert says.
— -- Your internet-linked baby monitor may be participating in a major cyber-attack, and you don’t even know it.
While experts have been warning for some time that the proliferation of devices that make up the Internet of Things (IoT) -- like web-connected baby monitors, cars, smart speakers, DVRs and even cars -- posed a new threat in cyberspace, a major cyber-attack on Friday has given new impetus to calls to bolster the security of the devices, which are more popular than ever.
For several hours on Friday, a number of marquee internet brands, including Twitter, Reddit and Spotify, were rendered inaccessible by what security professionals believe is a newly emerging kind of cyber-attack that employs an army of infected home devices that can be used by cyber-criminals to launch attacks on the internet.
“Before Friday, there might have been a debate about whether or not IoT security is important,” Neil Daswani, Chief Information Security Officer at LifeLock, told ABC News today at a National Cyber Security Alliance conference that was dedicated to the issue.
“But after Friday, it’s pretty clear -- we need to focus on IoT security now,” Daswani said.
Officials at Dyn, the company that came under attack at least twice on Friday, said that they believe cyber-criminals used malicious software called “Mirai” to attack the company's servers, which were providing a service that helped consumers’ browsers connect to the popular sites.
Mirai, according to security experts, is used by cyber-criminals to infect devices with malicious code in order to build and control “botnets” -- armies of infected devices, which can be instructed by the criminals to launch attacks on targets of their choosing.
Upon instruction, each device -- which to the casual observer may appear to be working normally -- begins sending seemingly innocuous requests to a target.
While each device’s request would otherwise be insignificant, when large botnets -- made up of thousands or even millions of devices -- begin making simultaneous requests, it can overwhelm the target in what is called a Distributed Denial of Service (DDoS) attack.
Nick Weaver, a senior researcher at the International Computer Science Institute at University of California, Berkeley, explained it with a metaphor.
“Suppose you’re a company with a bank of 50 phones, and somebody instructs 10,000 devices to all dial your phone number at the same time," Weaver told ABC News. "It just overwhelms with traffic.”
While DDoS attacks are nothing new, the attacks on Friday mark the first time a headline-grabbing attack was perpetrated using botnets made up of internet-connected “things,” rather than computers.
Attacks like the one on Friday could just be the beginning, experts say.
Growing Threat
A report from market research firm Gartner at the end of 2015 forecast that 6.4 billion “connected things will be in use worldwide in 2016,” which marks a 30 percent jump from 2015. Looking ahead to 2020, the firm estimates there could be as many as 20.8 billion devices hooked up to the internet.
“You’ve got this whole new vector -- whole new way of attacking,” Eric Hodge, director of consulting at IDT911, a cyber-security consulting firm, told ABC News at today's conference. “You can use these devices that are almost completely unsecured ... and turn those into something that can anonymously attack.”
Writing on his website on Oct. 1, respected cyber-security expert Brian Krebs reported that the code for Mirai had be released onto the web by a pseudo-anonymous hacker for anyone to use, “virtually guaranteeing that the Internet will soon be flooded with attacks from any new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
With all of these unsecure devices hitting the market, the ability to launch new, larger attacks is showing up.
While the size of the data stream that was used in the attacks on Friday hasn’t been officially released, Andy Ellis, Chief Security Officer for Akamai Technologies, told ABC News that “we’re in this new era of attacks where the terabit attack shows up.”
He explained that five or 10 years ago, professionals worried about “gigabit attacks.” Today, they worry about attacks that are one thousand times larger.
‘Market Failure’
But despite the threat, security experts seem to be pessimistic about the chances that anything will be fixed in the short term.
“I’m skeptical that [a solution] is going to arise organically,” Ellis said in a phone interview. “When you look at the economics of it, the people who pay the cost to get the IoT into service or into production -- the manufacturer, the purchaser, and their internet service provider -- that’s very different than those that pay the costs of weak security in IoT, which is the targets of these attacks.”
“This is a case of market failure,” said Weaver, the expert at U.C. Berkeley. “The economic incentives in the current market actually favors insecure devices.”
In other words, because those who buy and make the insecure devices (consumers and manufacturers) do not bear the costs of lax security (as the companies on Friday did), there are no direct incentives to bolster security in IoT devices.
“You can think of it kind of like any environmental disaster,” Andrew Lee, CEO of cyber-security firm ESET North America, told ABC News at today's conference. “There’s a lot of other people affected by something that probably should have been secured in the first place. You can have this sort of collateral damage that’s happened.”
In an essay entitled The Democratization of Censorship, about how cyber-attacks could be used to silence speech, Krebs writes that to solve the problem of proliferating unsecure internet devices, "we probably need an industry security association, with published standards that all members adhere to and are audited against periodically."
He pointed to the certification that Underwriters Laboratories (UL) gave electronic devices, and said that "wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval."