The IoT and the day the Internet almost died
Just over a week ago, the Internet almost died.
On Thursday, October 20, much of the US and parts of Western Europe experienced a massive outage. Some of the most popular and widely used websites in the world fell silent. Poor Donald Trump couldn’t tweet for a few hours.
And it was all down to cheap webcams and DVD players … maybe even one of your own.
To understand how this happened, you need to understand how Internet of Things (IoT) devices work.
If you are reading this, you have an internet connection. To make that connection, your computer or smartphone must have three things:
- A piece of hardware designed to connect to the Internet via cable or wirelessly.
- Software to run that hardware, containing your unique Internet “IP” address.
- A way to differentiate between authorized and unauthorized connections.
The last requirement is generally met with a username and password to connect to your Internet service provider. But it is also possible for other devices to remotely connect to your computer over the Internet – “incoming connections”. Some are good (e.g. incoming Skype calls) and some are bad (hackers). Having passwords for IoT devices accomplishes the same thing, but only if they are strong passwords.
The tech industry has worked hard to develop common techniques to identify and stop unwanted incoming connections to computers. Operating systems are constantly updated to deal with the latest threats. Specialized companies do nothing more than monitor viruses, bots, malware, and other dangers and design software to combat them. Guys like me write about how you can maintain good digital hygiene. This is why we have far fewer virus outbreaks than we used to.
When it comes to Internet connections, IoT hardware has pretty much the same setup. But there are three big differences.
One is that the username and password settings can be difficult to change; they may even have been configured by the manufacturer, as appears to have been the case with the devices that contributed to the recent Internet outage.
Another is that IoT devices are always on and rarely monitored. Unlike a computer, they could get infected and you would never know it.
Above all, there is no collective effort to monitor and prevent hacking of IoT devices. Nobody sends general security updates, like an antivirus service from McAfee or Norton. They can’t, since IoT devices are all different. There is no common language or protocol that can address threats to all IoT devices at once.
Instead, it is up to the manufacturer of each IoT device to protect the device and update its “firmware” when threats are known.
We tried that approach with computers … and it didn’t work.
How this led to last week’s outage
In the recent outage, IoT hardware made by a Chinese manufacturer, including cheap, packaged home security webcams advertised at Home Depot, was hacked by someone using software called Mirai. It searches the Internet for IoT devices that use default passwords or simple passwords, infects them, and then assembles them into a “botnet,” a collection of devices that can be made to fulfill the hacker’s wishes.
In this case, they instructed the IoT devices to send “tens of millions” of connection requests to the servers of a US company that provides crucial Internet routing information. Overwhelmed, the company’s servers crashed … and with them, the web pages of sites like Twitter, Facebook, The New York Times and others.
This was possible because the software running the Chinese IoT hardware used a single hardwired username and password for all of the devices, which the user could not change. Once the hackers got the username and password, it was easy to program the devices to do what they did.
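As an added illustration (not part of the original article), the Python below shows how a defender could spot the kind of default-password sweep described above in a device login log, and which devices still accept such a login. The log format, the addresses and the short list of weak username/password pairs are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed short list of factory-style logins; extend it from your own devices' manuals.
WEAK_PAIRS = {("admin", "admin"), ("root", "root"), ("root", "12345"), ("user", "user")}

# Assumed log format: timestamp, source, target device, login tried, result.
LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)")

# Constructed sample lines (documentation and private address ranges), not real data.
SAMPLE_LOG = """\
2016-10-20T11:10:01Z src=203.0.113.7 dst=192.168.1.20 user=root pass=root result=fail
2016-10-20T11:10:02Z src=203.0.113.7 dst=192.168.1.20 user=admin pass=admin result=fail
2016-10-20T11:10:04Z src=203.0.113.7 dst=192.168.1.21 user=root pass=12345 result=ok
2016-10-20T11:12:30Z src=198.51.100.9 dst=192.168.1.20 user=admin pass=admin result=fail
2016-10-20T11:40:00Z src=198.51.100.9 dst=192.168.1.20 user=root pass=root result=fail
2016-10-20T12:05:00Z src=192.168.1.5 dst=192.168.1.22 user=owner pass=Xk3!vq9Lm result=ok
"""

def parse(log):
    # Yield (time, source, device, (user, password), success) for each valid line.
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], (m["user"], m["pw"]), m["res"] == "ok"

def find_sweeps(log, min_pairs=3, window=timedelta(seconds=60)):
    """Return (sources sweeping weak pairs, devices that accepted one)."""
    attempts, exposed, sweepers = defaultdict(list), set(), set()
    for ts, src, dst, pair, ok in parse(log):
        if pair in WEAK_PAIRS:
            attempts[src].append((ts, pair))
            if ok:
                exposed.add(dst)  # device still accepts a factory-style login
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_pairs:
                sweepers.add(src)
                break
    return sorted(sweepers), sorted(exposed)

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

Any device in the second list is one whose password should be changed at once, or which should be taken off the network if the password cannot be changed.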
Roland Dobbins, principal engineer at Internet security company Arbor Networks, blames this on the failure of manufacturers to work together to develop a common security approach to IoT. Instead, each company pursues its own designs and ignores the painful experience of the PC industry in this regard.
“I’m not worried about the future; I’m worried about the past,” he said recently. “If I could wave a magic wand, I would make it so there are no insecure embedded devices. We still have a big problem; we still have tens of millions of these devices.”
Don’t disconnect from the IoT
Does this mean that positive predictions about the IoT are misplaced?
First, companies like Samsung, which plans to connect all of its products to the Internet soon, now have an incentive to develop ways to combat this. Otherwise, we will not buy their products.
Second, consumers are not going to tolerate a situation like the old Betamax war over VCRs: competing approaches to a common need. The IoT is a platform, like the Internet itself, and everyone must be on it. Manufacturers will sit down and come up with common protocols to secure IoT devices, even if they go kicking and screaming the whole way.
Third, the same market forces that produced Norton, McAfee, Kaspersky Lab, and all the other security companies in the computing space are going to produce solutions for IoT. And there will be money to invest in them, as well as the IoT itself.
In the meantime, this is my advice. Get IoT devices … but only the best. Avoid cheap, mass-produced brand names. Ask vendors about security protocols and if you can easily set your own username and password. If not, stay away. They will get the picture soon.
After all, that’s the way “market forces” are supposed to work.