
As we learned last month when New Hampshire networking powerhouse Dyn was swamped by rogue players, the Internet of Things is an unsecured mess that poses a real threat to everything online.

That is very bad, which is why you, a noble-minded and well-educated person (you are reading Granite Geek, after all), want to help limit the damage. So what should you do?

I asked that question of Andrew Sullivan, a fellow at Dyn in Manchester, who responded, “There are some practical things you can do.”

I’ll discuss his email responses in a moment. First, a little background.

The Internet of Things (IoT for the cognoscenti) is a catchall phrase for the multitude of physical devices connected to the internet. Most are sold with the word “smart” in them – smart light bulbs, smart thermostats, smart toasters (honest) – and can be controlled remotely via a smartphone app and can share data online in ways that improve their performance.

This is good, because interconnected devices can be more efficient and are important for such things as building the modern power grid. But it’s bad, because anything online can be attacked. And it’s really bad because many IoT devices have poor security (good security is expensive and consumers are price-conscious) and software that continually scans the internet means these devices are easy to find.

And I do mean easy. A writer for the Atlantic set up an online toaster – I don’t know why you would want your toaster online, but anyway – and it was hacked within five hours. Five hours!

Over the years, bad guys have snuck malicious software onto millions, probably tens of millions, of security cameras and web-connected printers and Wi-Fi routers and baby monitors, etc. They usually don’t do this so they can mess with the device; they do it so they can use the devices as launching pads for attacks on other targets.

On Oct. 21, millions of devices in what’s called a botnet were used to launch a DDoS, or distributed denial-of-service, attack on Dyn, flooding the firm with so much junk traffic that it was overwhelmed. Its customers, including biggies like Twitter, Spotify and Reddit, were knocked offline because Dyn provides their DNS, the “address book of the internet,” so when Dyn was down, your computer couldn’t look up where those customers were.

It took Dyn much of the day to recover, and the company is still doing analysis. Among other things, the culprit hasnโ€™t been found.

But quite possibly some devices in your house – yes, yours – contributed to this DDoS attack, which brings us back to Sullivan’s advice on what we should do.

It boils down to two things, both (alas) annoying: passwords and updates.

Passwords

Yeah, I know. You hate worrying about passwords for websites and now you have to worry about passwords for your thermostat? Yes, you do.

“The main thing is to change the default password on the device. Most devices come with some default password (like login ‘admin,’ password ‘admin,’ or something like that). Enormous numbers of devices are vulnerable just because of these default passwords,” Sullivan wrote.

“It’s generally a good idea to change the passwords from time to time, and it’s really important to pick a strong password. A strong password has a mixture of letters, numbers, and special symbols, and it’s long. Length is more important than anything else, because brute-force attacks work faster against shorter passwords.”

How do you keep track of all that? I tape a note with passwords on the outside of my router, because hackers aren’t going to break into my house, but Sullivan is more sophisticated.

“Use a password manager of some kind to keep these complicated passwords – you’re not going to be logging in all the time, so you won’t remember the password. Don’t re-use the same password over and over again, because if you do that means that if the password gets out from one system, all the other ones are compromised too.”
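To make Sullivan’s two points concrete, here is a small added example (my own illustration, not code from Sullivan or Dyn) that refuses factory-default logins and shows why length beats complexity in a brute-force search. The only default pair the column names is admin/admin; the other entries in the list, the 64-bit minimum, and the 20-character default length are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Factory default pairs to refuse. Only admin/admin appears in the column;
# the other entries are constructed illustrations of the same pattern.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("admin", ""),
}

# Character classes an attacker would enumerate, with their sizes.
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def is_default_credential(username: str, password: str) -> bool:
    """True when the pair is a known factory default that must be changed."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search, assuming they know
    which character classes the password draws from (a worst case for us)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the worst-case number of brute-force guesses: length * log2(alphabet).
    Every extra character multiplies the work by the alphabet size, which is why
    length dominates: 16 lowercase letters (26^16, ~75 bits) beat 8 characters
    drawn from all four classes (94^8, ~52 bits)."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def check_credential(username: str, password: str, min_bits: float = 64.0) -> list:
    """Return the list of problems with a device credential (empty means acceptable).
    The 64-bit floor is an assumed policy value, not one from the column."""
    problems = []
    if is_default_credential(username, password):
        problems.append("factory default credential")
    bits = search_space_bits(password)
    if bits < min_bits:
        problems.append(f"search space only {bits:.1f} bits (< {min_bits})")
    return problems


def generate_password(length: int = 20) -> str:
    """Random password over all four classes from the OS CSPRNG (secrets),
    meant to live in a password manager rather than in memory."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for user, pw in (("admin", "admin"), ("admin", "Tr0ub4d!"), ("admin", "correcthorsebatterystaple")):
        print(user, repr(pw), check_credential(user, pw) or "ok")
    print("generated:", generate_password())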

Updates

“It’s hard to do this, but keep up to date on security patches for the devices. Better still, choose devices that automatically keep themselves up to date. And if the vendor goes out of business – that has happened a lot with IoT devices – consider replacing the device with something from another vendor. Vendors that are out of business don’t provide security patches.”

That last comment leads to the big problem. Just as with the internet as a whole, security was not part of the initial design of the IoT, and we’re paying the price.

After the Dyn attack, for example, a Chinese firm called XiongMai Technologies recalled many thousands of its cameras and DVRs that were full of malware because of bad security – not only were they shipped with an easy-to-guess password, but the password couldn’t even be changed by users.

Lousy design, but I’ll bet the devices were cheap, which is why so many people bought them.

Finally, I asked Sullivan how to tell whether we’re contributing to the problem – that is, whether our devices are already infected.

“Most home routers will tell you something about the traffic they’re handling, so you can watch that. If there is a spike in traffic, you might have an indicator of something,” he wrote. “If you do figure out that your device is part of a problem, turn it off. Of course, that’s hard to do if it’s a light bulb or light switch or something of that sort.”

“Realistically,” he added, “most people aren’t going to monitor their network this way, and I think we have to be aware of that and make the devices more secure by default.”
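The spike check Sullivan describes is simple enough to automate. The following is an added example (mine, not Sullivan’s or Dyn’s) that runs over a constructed log of per-minute outbound byte counts of the kind a home router’s status page exposes; the log format, the ten-minute baseline and the 10x threshold are all assumptions, and the three huge values stand in for a device that has started flooding an outside target.

```python
import statistics

# Constructed per-minute upstream byte counts, not real router or Dyn data.
# Normal chatter sits under 200 KB/min; minutes 11:12-11:14 show a device
# pushing tens of megabytes a minute, as a bot taking part in a DDoS would.
SAMPLE_LOG = """\
2016-10-21T11:00 outbound_bytes=182000
2016-10-21T11:01 outbound_bytes=176000
2016-10-21T11:02 outbound_bytes=190000
2016-10-21T11:03 outbound_bytes=201000
2016-10-21T11:04 outbound_bytes=168000
2016-10-21T11:05 outbound_bytes=175000
2016-10-21T11:06 outbound_bytes=188000
2016-10-21T11:07 outbound_bytes=194000
2016-10-21T11:08 outbound_bytes=171000
2016-10-21T11:09 outbound_bytes=183000
2016-10-21T11:10 outbound_bytes=179000
2016-10-21T11:11 outbound_bytes=186000
2016-10-21T11:12 outbound_bytes=41200000
2016-10-21T11:13 outbound_bytes=39800000
2016-10-21T11:14 outbound_bytes=42600000
2016-10-21T11:15 outbound_bytes=184000
"""


def parse_log(text: str) -> list:
    """Parse 'timestamp outbound_bytes=N' lines into (timestamp, bytes) tuples.
    Blank or malformed lines are skipped rather than aborting the whole scan."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("outbound_bytes="):
            continue
        try:
            rows.append((parts[0], int(parts[1].split("=", 1)[1])))
        except ValueError:
            continue
    return rows


def find_spikes(rows: list, baseline_n: int = 10, ratio: float = 10.0) -> list:
    """Treat the first baseline_n intervals as normal and flag every later
    interval whose byte count exceeds ratio times the baseline median.
    The median, unlike the mean, is not dragged upward by a single burst,
    and a flooding bot sends orders of magnitude more than idle chatter,
    so a coarse multiplier is enough here. Returns
    (timestamp, bytes, multiple_of_baseline) tuples."""
    if len(rows) <= baseline_n:
        return []
    baseline = statistics.median(v for _, v in rows[:baseline_n])
    if baseline <= 0:
        return []
    return [(ts, v, v / baseline) for ts, v in rows[baseline_n:] if v > ratio * baseline]


if __name__ == "__main__":
    for ts, v, mult in find_spikes(parse_log(SAMPLE_LOG)):
        print(f"{ts}: {v} bytes out, about {mult:.0f}x the baseline")
```

On a real network the counts would come from the router’s status page, SNMP interface counters or a per-device view if the router offers one; the baseline should be taken from a period you believe was clean, and a persistent multiple of it from one device is the cue to unplug that device, as Sullivan suggests.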

Bingo. If security doesn’t make a difference to customers – we can’t tell whether it’s there, and it doesn’t affect performance from our point of view – then it’s futile to expect people to take much time improving it. Nor will we use it to make buying decisions, which means market forces alone won’t improve IoT security.

The only way IoT is going to become less of a dumpster fire is if governments step in with regulations and requirements for more secure devices.

That is becoming the reluctant conclusion of many in the online community – a group that hates governments and regulation.

Consider Hiawatha Bray, the Boston Globe’s longtime technology writer (and the man with the coolest byline in New England, with the possible exception of Tux Turkel at the Portland Press Herald), who penned a piece last week called “Is it time to lay down the law about cybersecurity?”

“I don’t much care for internet regulation,” he wrote. “But I’m hoping the mere suggestion of it throws a scare into some very smart engineers who will devise a far less intrusive way to protect us from internet attacks. Otherwise, our security woes will become so severe that we’ll demand help from anyone, even Uncle Sam.”

(David Brooks can be reached at 369-3313, dbrooks@cmonitor.com or on Twitter @GraniteGeek.)

David Brooks can be reached at dbrooks@cmonitor.com. Sign up for his Granite Geek weekly email newsletter at granitegeek.org.