A little over a week ago, the Internet almost died.
Starting on Thursday, October 20, much of the U.S. and parts of Western Europe experienced a massive outage. Some of the most popular and heavily used websites in the world went silent. Poor Donald Trump couldn’t tweet for a few hours.
And it was all because of cheap webcams and DVD players … perhaps even one of yours.
To understand how this happened, you need to understand how Internet of Things (IoT) devices work.
If you’re reading this, you have an Internet connection. To make that connection, your computer or smartphone needs to have three things:
- A piece of hardware designed to connect to the Internet through a cable or wirelessly
- Software to run that hardware, which contains its unique Internet “IP” address
- A way to tell the difference between authorized and unauthorized connections
The last requirement is typically met by a username and password to connect to your Internet service provider. But it’s also possible for other devices to connect remotely to your computer across the Internet — “incoming connections.” Some of those are good (e.g., incoming Skype calls), and some are bad (hackers). Having passwords for IoT devices achieves the same thing — but only if they’re strong passwords.
The tech industry has worked hard to develop common techniques to identify and stop unwanted incoming connections to computers. Operating systems are constantly updated to deal with the latest threat. Specialized companies do nothing but watch for viruses, bots, malware and other dangers and design software to fight them. Guys like me write about how you can maintain good digital hygiene. That’s why we have far fewer virus outbreaks than we used to.
When it comes to Internet connections, IoT hardware has pretty much the same setup. But there are three big differences.
One is that the username and password setup may be hard to alter — it may even be hardwired by the manufacturer, as seems to have been the case with the devices that contributed to the recent Internet outage.
Another is that IoT devices are always on and rarely monitored. Unlike a computer, they could be infected and you’d never know.
Above all, there is no collective effort to monitor and prevent hacking of IoT devices. Nobody is sending out general security updates, like a McAfee or Norton antivirus service. They can’t, since IoT devices are all different. There’s no common language or protocol that could address threats to all IoT devices at once.
Instead, it’s up to the manufacturer of each IoT device to secure the device and to update its “firmware” when threats become known.
We tried that approach with computers … and it didn’t work.
How This Led to Last Week’s Outage
In the recent outage, IoT hardware made by a Chinese manufacturer — including those cheap bundled home-security webcams you see advertised at Home Depot — was hacked by someone using software called Mirai. It searches the Internet looking for IoT gadgets that use default passwords or simple passwords, infects them and then assembles them into a “botnet”— a collection of devices that can be made to do the hacker’s wishes.
In this case, they instructed IoT devices to send “tens of millions” of connection requests to the servers of a U.S. company that provides crucial Internet routing information. Overwhelmed, the company’s servers crashed … and with it, the Web pages of sites like Twitter, Facebook, The New York Times and others.
This was possible because the software running the Chinese IoT hardware used a single hardwired username and password for all of them — which couldn’t be changed by the user. Once the hackers got the username and password, it was easy to program them to do what they did.
Roland Dobbins, principal engineer of Internet security company Arbor Networks, blames this on the failure of manufacturers to work together to develop a common security approach to IoT. Instead, each company pursues its own designs and ignores the PC industry’s painful experience in this respect.
“I’m not concerned about the future; I’m concerned about the past,” he said recently. “If I could wave a magic wand, I would make it so there are no unsecured embedded devices out there. We still have a huge problem; we still have tens of millions of these devices out there.”
Don’t Disconnect From the IoT
Does this mean that Paul Mampilly’s positive predictions about the IoT are misplaced?
Not at all.
First, companies like Samsung, which plans to make all its products Internet-connected soon, now have an incentive to develop ways to fight this. Otherwise we won’t buy their products.
Second, consumers aren’t going to stand for a situation like the old Betamax versus VCR wars — competing approaches to a common need. The IoT is a platform, like the Internet itself, and everyone needs to be on the same one. Manufacturers will sit down and come up with common protocols to secure IoT devices, even if they’re kicking and screaming all the way.
Third, the same market forces that produced Norton, McAfee, Kaspersky Lab and all the other security companies in the computer space are going to produce solutions for the IoT. And there will be money to be made investing in those as well as the IoT itself.
In the meantime, here’s my advice. Buy IoT devices … but only the top of the line. Avoid cheap mass-produced off-brands. Ask salespeople about security protocols and whether you can set your own username and password easily. If not, walk away. They’ll get the picture soon enough.
After all, that’s the way “market forces” are supposed to work.
Editor, The Bauman Letter