Earlier this month, a large Domain Name System (DNS) provider called Dyn suffered an enormous distributed denial of service (DDoS) attack which resulted in a lot of high-profile sites being down throughout the US. The case even prompted a federal investigation which is yet to be concluded, but initial reports suggest that the attack was conducted by a botnet. Simply speaking, a botnet is a network of hacked “zombie” devices programmed to do one thing – simultaneously request access to the same site, which leads to a traffic bottleneck and results in the attacked DNS service timing out. The malicious network in question was created by a known piece of malware called “Mirai”, which is programmed to target Internet of Things (IoT) devices like routers, webcams, and connected speakers by logging in with the default passwords assigned by their manufacturers. In other words, one of the largest DDoS attacks in recent years wasn’t conducted through malware-infected personal computers; it was made possible thanks to IoT gadgets.
While one can be quick to blame people who failed to change the default passwords of their new purchases, can an average consumer truly be at fault for a catastrophe of this magnitude? No consumer electronics manufacturer realistically expects its customers to be incredibly tech-savvy in order to use its products, so why should makers of IoT devices be an exception? According to Steve Herrod, managing director at the US venture capital company General Catalyst – they shouldn’t. Herrod argues that the companies making IoT devices with identical hard-coded root passwords should certainly take some heat for the Dyn attack in October, but he also points out a much larger issue – regulation. According to him, hoping that most IoT manufacturers will voluntarily invest more resources in the security of their products and directly cut into their own profit margins isn’t a realistic scenario, which is why legislators must regulate the industry as soon as possible.
While Herrod is far from the first expert in the business to point out this connection, his argument certainly carries extra weight when it’s made less than two weeks after the Dyn attack brought down the likes of Reddit, Twitter, and Spotify for hours. What’s worse, the entire ordeal was caused by a DDoS, hardly the most sophisticated form of hacking there is. In fact, considering the circumstances which led to the event, the Dyn attack was basically the equivalent of someone leaving their Twitter account logged in on a public computer and another person using that account to tweet that it has been hacked. From a pure security standpoint, having a default password is almost as bad as having no password at all, seeing how default passwords are just one Google search away from malicious hackers.
In other words, Herrod asserts that IoT manufacturers are to blame for not keeping up with modern security practices, and legislators should be held accountable for not making them do so. Provided that the latter pick up the pace, the General Catalyst executive proposed some general rules which should be enacted as quickly as possible. For starters, Herrod argues that we should take a page from the hackers’ playbook and turn the fact that a lot of IoT devices share similar software to our own advantage. In other words, he suggests manufacturers should be required to share information about vulnerabilities and fixes among themselves, which would likely speed up the process of developing and distributing security updates for smart devices.
The second proposed change has to do with the default passwords mentioned above – they need to be eliminated for good. For extra security, users should be required to set a secure password of their own the first time they power on their smart speaker, connected lock, intelligent fridge, or whatever else it is that they’ve bought and not bothered securing on their own. Thirdly, manufacturers should be held accountable for notifying their customers of known vulnerabilities which have yet to be fixed and for advising them on how to proceed until all issues have been resolved. It’s important to note that companies should be required to actively push alerts to consumers, and not just post warnings on their websites, which the average user won’t check.
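The first-boot password requirement described above, as an added example that is not part of the article or of any vendor's firmware: the device accepts no login at all until a password has been set, and the setup step refuses anything that matches a factory default, is too short, or is too weak. The factory-default pairs, minimum length and character-class rule are constructed assumptions for illustration.

```python
"""First-boot credential gate for a hypothetical IoT device (added example)."""
import hashlib
import hmac
import os
import re

# Constructed placeholder defaults, NOT real vendor credentials. A shipping
# device would carry the list of every default its firmware ever used.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "factory-default")}
MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 100_000  # assumed work factor


def password_rejected_reason(user, pw):
    """Return None if `pw` is acceptable for `user`, otherwise why it is not."""
    if (user, pw) in FACTORY_DEFAULTS or pw in {p for _, p in FACTORY_DEFAULTS}:
        return "matches a known factory default"
    if len(pw) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if user.lower() in pw.lower():
        return "contains the user name"
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"\W"))
    if classes < 3:
        return "uses fewer than three character classes"
    return None


class Device:
    """Unprovisioned until set_initial_password() succeeds; logins fail before that."""

    def __init__(self):
        self._user = self._salt = self._hash = None

    @property
    def provisioned(self):
        return self._hash is not None

    def set_initial_password(self, user, pw):
        """Called once from the local first-boot setup channel (assumption)."""
        if self.provisioned:
            return False, "already provisioned"
        reason = password_rejected_reason(user, pw)
        if reason:
            return False, reason
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, PBKDF2_ROUNDS)
        self._user = user
        return True, "password set"

    def login(self, user, pw):
        """Network login: refused outright until the owner has set a password."""
        if not self.provisioned or user != self._user:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, self._hash)
```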
Last but not least, Herrod points out that a lot of “modern” IoT devices still don’t feature automatic updates. Sure, that’s only true for low-end hardware, but it still sounds silly that a digital video recorder which is constantly connected to the Internet isn’t using that connection to check for security updates on a regular basis. The average consumer can’t be expected to continuously scan for updates even if they’re aware of potential software vulnerabilities, and manufacturers must be required to offer appropriate support for their products. After all, selling an IoT gadget isn’t identical to selling something like a bag of cement – you’re not retailing a resource or even a tool, you’re selling an entire experience, and that experience should certainly include regular and automatic software updates.
These are all valid suggestions which will hopefully be adopted by legislators sooner rather than later. With the IoT industry growing at a rapid pace, security practices must keep up with it, or attacks such as the one on Dyn will keep happening and will likely become more frequent and more impactful. Can you imagine a future in which your entire house, garage, and personal car are one default password or one old security vulnerability away from becoming part of a malicious botnet programmed to take down parts of the Internet? That certainly doesn’t sound like the technological revolution IoT companies have been promising, and as self-regulation doesn’t seem to be a viable option, legislators must act as quickly as possible.