In the rush to connect ever more devices to the worldwide web, security seems to have been forgotten along the way. Laurence Marchini explains why this may be a problem.
Make no mistake: the Internet of Things is big… mind-bogglingly big. There have been a number of predictions, and most seem to agree that the IoT will comprise more than 50 billion devices by 2020, and there is nothing to say that number will not continue to rise.
Now, here’s the worrying part. This growth in the numbers of connected devices clearly implies that “things” ever further down the digital food chain will become connected. And many of these things – be they domestic refrigerators, electric kettles, pop-up toasters or even curling tongs – will not be connected with any regard to security. (After all, who cares if their toaster is hacked? What’s the worst thing that could happen?)
Well, the worst thing that could happen has nothing to do with burnt toast. It is not so much the toaster that is under threat, it is more to do with anything that is connected to the toaster. And bearing in mind we are talking the Internet of Things, the toaster is potentially connected anywhere and everywhere.
Two potential “doomsday scenarios” come to mind.
Take the case of the US manufacturer that was in the process of building a manufacturing plant in China, and thought it would be a good idea to set up webcams so that everyone back home could follow the progress of the project.
According to an executive from the company concerned when interviewed for the 2016 Deloitte report on cyber risk in advanced manufacturing: “They put the live feed on the Internet, but did not realise this rendered it/us as a target. It was hacked. It was brutal.”
While this case illustrates the potential for a connected device to provide a conduit into a company’s systems, it would all have been avoidable if suitable security had been in place to detect and stop the intrusion.
But what if the “dumb” thing could be taken over and used for a different purpose?
Think back to the evening of 9th August 2016 when the Australian Bureau of Statistics’ website was very publicly brought to its knees just when the majority of the country’s population was attempting to complete the national census of population and housing. The cause of the crash was claimed to be a DDoS attack – distributed denial of service – in which the ABS website was bombarded with small amounts of data from a huge number of sources.
Traditionally, these sources have been personal computers infected with malware that enables them to be remotely controlled by the perpetrator of the DDoS attack. With tens of thousands of infected computers (known as a botnet) participating in any given attack (without their owners’ knowledge), the resulting data stream of the attack can reach into the hundreds of gigabits per second – enough to bring down even the most robustly protected sites.
Cue the Internet of Things. And while the things are dumb, they can still be used to wage the war. Worse, because they are so dumb they have little or no security.
The key culprits identified to date are surveillance cameras, baby monitors and digital video recorders, many of which come with security based on default usernames and passwords that is all too simple to exploit. And this weak security has already been exploited by a piece of malware named Mirai, which is reckoned by now to have infected more than half a million such devices.
As the Mirai botnet of IoT devices grows, so the severity of DDoS attacks should grow. However, it does appear that this particular malware is becoming a victim of its own success. The source code for Mirai is freely available on the Internet, and now hackers are competing to recruit devices to their botnets.
But what is the motivation? Why do DDoS attacks happen?
These botnets of infected devices are quite literally “guns for hire”, and can be recruited to take down a competitor’s online presence for a surprisingly small amount of money.
Many attacks, particularly those with a high profile, are carried out simply to show that it can be done. Some are more commercially motivated, either to take out the competition or literally for ransom. Others have been known to be even more nefarious, with the attack serving as a smokescreen to cover other directly targeted hacking activities.
Fortunately, the lessons appear to have been learnt to some extent, and each of the wireless technologies competing for the attention of IoT device developers comes with at least a rudimentary level of inbuilt security.
However, just as the need for data protection in the world of desktop computing gave rise to a whole industry of digital security, which shows no sign of diminishing in size or importance, it is most likely that securing the Internet of Things will prove to be another never-ending task.