Granite Geek: As hackers eye Internet of Things, here are ways to limit the damage

Monitor staff
Published: 11/8/2016 1:15:59 AM

As we learned last month when New Hampshire networking powerhouse Dyn was swamped by rogue players, the Internet of Things is an unsecured mess that poses a real threat to everything online.

That is very bad, which is why you, a noble-minded and well-educated person (you are reading Granite Geek, after all), want to help limit the damage. So what should you do?

I asked that question of Andrew Sullivan, a fellow for Dyn in Manchester who responded, “There are some practical things you can do.”

I’ll discuss his email responses in a moment. First, a little background.

The Internet of Things (IoT for the cognoscenti) is a catchall phrase for the multitude of physical devices connected to the internet. Most are sold with the word “smart” in them – smart light bulbs, smart thermostats, smart toasters (honest) – and can be controlled remotely via a smartphone app and can share data online in ways that improve their performance.

This is good, because interconnected devices can be more efficient and important for such things as helping create the modern power grid. But it’s bad, because anything online is vulnerable to hacking. And it’s really bad because many IoT devices have poor security (good security is expensive and consumers are price-conscious) and internet-wide scanning software means these devices are easy to find.

And I do mean easy. A writer for the Atlantic set up an online toaster – I don’t know why you want your toaster online, but anyway – and it was hacked within five hours. Five hours!

Over the years, bad guys have snuck malicious software onto millions, probably tens of millions, of security cameras and web-connected printers and Wi-Fi routers and baby monitors, etc. They usually don’t do this so they can mess with the device; they do it so they can use the devices as launching pads.

On Oct. 21, millions of devices in what’s called a botnet were used to launch a DDoS (distributed denial of service) attack on Dyn, flooding the firm with so much online glop that it was overwhelmed. Its customers, including biggies like Twitter, Spotify and Reddit, were knocked offline because Dyn provides their DNS, the “address book of the internet,” so when Dyn was down, your computer couldn’t look up where its customers were.

It took Dyn much of the day to recover, and the company is still doing analysis. Among other things, the culprit hasn’t been found.

But quite possibly some devices in your house – yes, yours – contributed to this DDOS attack, which brings us back to Sullivan’s advice on what we should do.

It boils down to two things, both (alas) annoying: passwords and updates.

Passwords

Yeah, I know. You hate worrying about passwords for websites and now you have to worry about passwords for your thermostat? Yes, you do.

“The main thing is to change the default password on the device. Most devices come with some default password (like login ‘admin,’ password ‘admin,’ or something like that). Enormous numbers of devices are vulnerable just because of these default passwords,” Sullivan wrote.

“It’s generally a good idea to change the passwords from time to time, and it’s really important to pick a strong password. A strong password has a mixture of letters, numbers, and special symbols, and it’s long. Length is more important than anything else, because brute-force attacks work faster against shorter passwords.”

How do you keep track of all that? I tape a note with passwords on the outside of my router, because hackers aren’t going to break into my house, but Sullivan is more sophisticated.

“Use a password manager of some kind to keep these complicated passwords – you’re not going to be logging in all the time, so you won’t remember the password. Don’t re-use the same password over and over again, because if you do that means that if the password gets out from one system, all the other ones are compromised too.”
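As an added illustration, not part of the original column or Sullivan’s replies, here is a short Python script that audits an IoT login the way the advice above suggests: it checks for a factory-default username/password pair and for a password too short to survive a brute-force attack. The list of default credentials and the guessing speed are constructed assumptions for the example; real attackers use much longer lists, and real speeds depend on how the device stores the password.

```python
"""Audit an IoT device login for the two problems discussed above:
factory-default credentials and passwords too short to resist brute force.
Added example; DEFAULT_CREDENTIALS is a small constructed sample and
GUESSES_PER_SECOND is an assumed attacker speed, not a measured figure."""
import string
from typing import List

# Constructed sample of common factory defaults (username, password).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("user", "user"),
}

# Assumed attacker speed for the estimate (guesses per second). Real
# figures vary enormously with the password hash and the hardware used.
GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers the password.

    Each character class the password draws from adds its whole class;
    anything outside the four classes counts as one extra symbol each."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))
    others = {c for c in password
              if not any(c in cls for cls in CHARACTER_CLASSES)}
    return size + len(others)


def brute_force_seconds(password: str) -> float:
    """Worst-case time to exhaust the keyspace the password lives in.

    This is where length wins: the alphabet is the base, the length is
    the exponent, so adding characters beats adding character classes."""
    if not password:
        return 0.0
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def audit(username: str, password: str, min_length: int = 12) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("factory-default credentials: change them before the device goes online")
    if len(password) < min_length:
        findings.append(f"password shorter than {min_length} characters")
    if password and password.lower() == username.lower():
        findings.append("password is the same as the username")
    seconds = brute_force_seconds(password)
    if seconds < 365 * 24 * 3600:
        findings.append(f"exhaustive search finishes in about {seconds:.0f} s "
                        f"at {GUESSES_PER_SECOND:.0e} guesses/s")
    return findings


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("owner", "Tr0ub4d&r"),
                     ("owner", "correct-horse-battery-staple-42")]:
        print(f"{user}/{pw}: {audit(user, pw) or 'OK'}")
    # Nine mixed-class characters versus a long lowercase phrase:
    print(brute_force_seconds("Tr0ub4d&r"), brute_force_seconds("correcthorsebatterystaple"))
```

Run it and compare the two numbers on the last line: the nine-character password with all four character classes falls far short of the twenty-five-character lowercase phrase, which is Sullivan’s point about length in numbers.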

Updates

“It’s hard to do this, but keep up to date on security patches for the devices. Better still, choose devices that automatically keep themselves up to date. And if the vendor goes out of business – that has happened a lot with IoT devices – consider replacing the device with something from another vendor. Vendors that are out of business don’t provide security patches.”

That last comment leads to the big problem. Just as with the internet as a whole, security was not part of the initial design of the IoT, and we’re paying the price.

After the Dyn attack, for example, a Chinese firm called XiongMai Technologies recalled many thousands of its cameras and DVRs that were full of malware because of bad security – not only were they shipped with an easy-to-guess password, but the password couldn’t even be changed by users.

Lousy design, but I’ll bet the devices were cheap, which is why so many people bought them.

Finally, I asked Sullivan how to tell whether we’re contributing to the problem – that is, whether our devices are already infected.

“Most home routers will tell you something about the traffic they’re handling, so you can watch that. If there is a spike in traffic, you might have an indicator of something,” he wrote. “If you do figure out that your device is part of a problem, turn it off. Of course, that’s hard to do if it’s a light bulb or light switch or something of that sort.”

“Realistically,” he added, “most people aren’t going to monitor their network this way, and I think we have to be aware of that and make the devices more secure by default.”
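For readers who do want to watch their network the way Sullivan describes, here is an added example, not from the column or from Dyn, of what that check looks like in code: a Python script that reads per-device outbound byte counts from a router and flags any device whose traffic jumps far above its own recent baseline. The log format and the readings are constructed for the example; real routers expose per-client counters in their own formats (web UI, SNMP, syslog), so the parser would need adjusting.

```python
"""Flag a home-network device whose outbound traffic spikes well above its
own baseline, the indicator Sullivan mentions.  Added example: SAMPLE_LOG is
a constructed log ("<timestamp> <mac> <bytes sent upstream in that interval>",
one line per device per 5-minute interval); the device names are made up."""
from collections import defaultdict
from statistics import median
from typing import DefaultDict, List, Tuple

SAMPLE_LOG = """\
2016-10-21T11:00 aa:bb:cc:00:00:01 210000
2016-10-21T11:00 aa:bb:cc:00:00:02 15000
2016-10-21T11:05 aa:bb:cc:00:00:01 190000
2016-10-21T11:05 aa:bb:cc:00:00:02 14000
2016-10-21T11:10 aa:bb:cc:00:00:01 225000
2016-10-21T11:10 aa:bb:cc:00:00:02 16000
2016-10-21T11:15 aa:bb:cc:00:00:01 205000
2016-10-21T11:15 aa:bb:cc:00:00:02 15500
2016-10-21T11:20 aa:bb:cc:00:00:01 198000
2016-10-21T11:20 aa:bb:cc:00:00:02 4800000
2016-10-21T11:25 aa:bb:cc:00:00:01 215000
2016-10-21T11:25 aa:bb:cc:00:00:02 5100000
"""

Reading = Tuple[str, str, int]          # (timestamp, mac, bytes)
Alert = Tuple[str, str, int, float]     # (timestamp, mac, bytes, baseline)


def parse_log(text: str) -> List[Reading]:
    """Parse the constructed log format into (timestamp, mac, bytes) tuples."""
    readings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, mac, nbytes = line.split()
        readings.append((ts, mac, int(nbytes)))
    return readings


def find_spikes(readings: List[Reading], baseline_window: int = 4,
                factor: float = 10.0, min_bytes: int = 1_000_000) -> List[Alert]:
    """Return one alert per interval in which a device sends more than
    `factor` times its own recent median and more than `min_bytes`.

    The median of the last `baseline_window` normal readings is used as
    the baseline so one odd interval cannot drag it up.  Spiking intervals
    are deliberately not added to the history, so a device that keeps
    flooding keeps being reported instead of becoming its own new normal."""
    history: DefaultDict[str, List[int]] = defaultdict(list)
    alerts: List[Alert] = []
    for ts, mac, nbytes in readings:
        past = history[mac][-baseline_window:]
        if len(past) == baseline_window:
            baseline = median(past)
            if nbytes > factor * baseline and nbytes > min_bytes:
                alerts.append((ts, mac, nbytes, baseline))
                continue
        history[mac].append(nbytes)
    return alerts


if __name__ == "__main__":
    for ts, mac, nbytes, baseline in find_spikes(parse_log(SAMPLE_LOG)):
        print(f"{ts} {mac}: {nbytes} bytes out, baseline {baseline:.0f} "
              f"({nbytes / baseline:.0f}x) -- consider unplugging it")
```

In the constructed sample the second device, after four quiet intervals, suddenly pushes hundreds of times its normal traffic upstream and is reported twice; the first device never trips the check. The `min_bytes` floor matters in practice: a light bulb that goes from nothing to a few kilobytes is a tenfold jump too, and you do not want an alert for every firmware check-in.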

Bingo. If security doesn’t make a difference to customers – we can’t tell if it’s there and it doesn’t affect performance from our point of view – then it’s futile to expect people to take much time improving it. Nor will we use it to make buying decisions, which means market forces alone won’t improve IoT security.

The only way IoT is going to become less of a dumpster fire is if governments step in with regulations and requirements for more secure devices.

That is becoming the reluctant conclusion of many in the online community – a group that hates governments and regulation.

Consider Hiawatha Bray, the Boston Globe’s longtime technology writer (and the man with the coolest byline in New England, with the possible exception of Tux Turkel at the Portland Press Herald), who penned a piece last week called “Is it time to lay down the law about cybersecurity?”

“I don’t much care for internet regulation,” he wrote. “But I’m hoping the mere suggestion of it throws a scare into some very smart engineers who will devise a far less intrusive way to protect us from internet attacks. Otherwise, our security woes will become so severe that we’ll demand help from anyone, even Uncle Sam.”

(David Brooks can be reached at 369-3313, dbrooks@cmonitor.com or on Twitter @GraniteGeek.)



David Brooks is a reporter and the writer of the sci/tech column Granite Geek and blog granitegeek.org, as well as moderator of Science Cafe Concord events. After obtaining a bachelor’s degree in mathematics he became a newspaperman, working in Virginia and Tennessee before spending 28 years at the Nashua Telegraph. He joined the Monitor in 2015.



Concord Monitor Office

1 Monitor Drive
Concord, NH 03301
603-224-5301


© 2021 Concord Monitor