“Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.” Archimedes died in 212 BC. There’s no way he could have predicted the Internet of Things. But he did.
Three unknown twenty-somethings said give us vulnerable home routers and DVR’s and we’ll take down the internet.
They nearly did with the Mirai botnet, and the trouble is just starting.
In the beginning
Paras Jha, Josiah White, and Dalton Norman (not exactly household names before December 8, 2017) used code to scan the internet looking for poorly protected devices. Things like home routers, internet cameras and DVR’s.
{mosads}And breaking into them was too easy. It was too much trouble to allow customers to change the default usernames and passwords. The manufacturers of the offending devices hardcoded them instead. Too few devices allow consumers to change these settings.
Instead, highly secure and complex usernames and passwords were used. Like “admin”, “Admin”, and “root”. Combine these with “admin”, “123456”, “1234”, and the unheard of “4321”. You can see why taking over a global network of these devices was easy at first.
Imagine buying a car and any key would work. Or going up and down your neighborhood, only to discover your house key worked in 80 percent of all locks.
Now imagine plugging in a device on your home network, only to have it compromised in minutes and used to take down large swaths of the internet. The difference is I can only unlock one car or house at a time versus hundreds of thousands of vulnerable devices.
An attack on October 21, 2016 against Dyn involved over 100,000 malicious devices (endpoints) by an operation called Distributed Denial of Service (DDoS). A DDoS attack is an assault by an army of digital ants (infected devices). By unleashing a massive torrent of malicious traffic, sites are unable to process all the bad requests and fail.
Dyn provided the services that translate the domain name (e.g. morganwright.us) into an Internet Protocol (IP) address needed to connect over the internet (e.g. 77.104.136.91). No one will remember a long string of numbers, which is why we use domain names like TheHill.com.
A list of the domains affected are here. The big names include Amazon, Airbnb, CNN, Comcast, Fox News, Mashable, Netflix, The New York Times, Pinterest, Reddit, Spotify, Starbucks, Twitter, Verizon, The Wall Street Journal, Xbox Live and numerous others.
Analyst firm Gartner predicts that twenty billion IoT devices will be on the internet by the year 2020.
That’s billion with a capital B for Big Trouble.
National security implications
The map below shows the outage resulting from the DDoS attack against Dyn in 2016. How many hospitals, police and fire departments, military installations, banks, schools, businesses and more are covered by the outage? What about the energy grid?
The point is that poorly secured technology — a vast majority of it from overseas — is being cobbled together to form a massively destructive cyber weapon being aimed at the United States. IoT is taking slingshots and turning them into missiles.
New variants of Mirai keep springing up. And the new threat is bigger than the old one. “Okiru” targets devices that have ARC processors, and function like tiny computers. Thank goodness it only targets 1.5 billion IoT and embedded systems products each year.
If 100,000 devices can take out Dyn and scores of businesses, imagine what a million devices could do if their collective digital firehose was pointed at sensitive critical infrastructure.
Beyond that, devices that leak information are as dangerous. Fitness trackers seem harmless, until they are paired with software that collects and aggregates activity. The result?
We now know where soldiers in Kandahar, Afghanistan, go jogging. According the Washington Post, it took a 20-year-old Australian student to discover what had escaped the Department of Defense.
The wild wild West
There needs to be a new sheriff on the internet, here and abroad. This sheriff should come with standards for promoting better security, and sanctions for outlaws.
On the one hand, the Federal Trade Commission is trying to create new technologies to help consumers “…guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.” On the other hand, Congress is doing what they do best — introducing a bill.
The “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” was introduced by Senator Mark Warner (D-Va.) on August 1, 2017, with four co-sponsors. The bill was promptly referred to the Committee on Homeland Security and Governmental Affairs, where it sits today.
The Internet moves at light speed, while rule making is glacial. Government is always fighting the wars of yesterday tomorrow. When the Equifax data breach was reported on July 29, 2017, a Congressional hearing was held October 3, 2017.
Yet, a bill to strengthen the responsibility and liability of companies dumping highly vulnerable consumer products on the market is stuck in Dante’s First Circle of Hell (limbo).
Apparently, there’s not a lever big enough to move Congress.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He’s currently a Senior Fellow at the Center for Digital Government. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.