#IoTFail
On Friday, a sophisticated global army disrupted service to websites like the New York Times, Spotify, and Twitter. The attack wasn’t conducted by an army of trained soldiers, and it didn’t involve marching across foreign borders. Instead, it was conducted by an unwitting digital army, and it was made possible by systematic failures by governments, companies, and consumers to demand better security in our products.
Here’s what happened. A distributed denial of service (DDoS) attack – essentially a flood of digital traffic of epic proportions – swarmed servers owned by Dyn, a company that connects users to websites. The attack was conducted in part by harnessing the growing popularity of internet of things (IoT) devices. The attackers accessed an estimated 10 million devices [Update: 100k devices] using default usernames and passwords that were published online, but still used by Chinese device manufacturer Hangzhou Xiongmai. Then, the attackers changed the default passwords and updated software on the devices with malware, creating a digital army of devices that could respond to their command. The attack overwhelmed Dyn’s servers with millions of malicious requests originating from the compromised IoT devices, and the company’s technology was unable to keep up or to separate legitimate traffic from the stream.
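The paragraph above describes the signature that made this flood hard to absorb: a high query rate spread across a very large number of distinct source addresses, with no single source sending enough to stand out. The following is an added example, not code from the post or from Dyn, that shows how a resolver operator might label one-second windows of query logs as a distributed flood versus a single noisy client; the log format, thresholds and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample resolver log lines: "<epoch_second> <client_ip> <qname>".
# One quiet second with a handful of clients, then one second in which many
# distinct sources each send only a couple of queries (the botnet pattern).
SAMPLE_LOG = [
    "1477100000 198.51.100.7 example.com",
    "1477100000 198.51.100.8 example.com",
    "1477100000 198.51.100.7 example.net",
] + [f"1477100001 203.0.113.{i} example.com" for i in range(1, 41)] \
  + [f"1477100001 203.0.113.{i} example.org" for i in range(1, 41)]


def parse_line(line):
    """Split one log line into (timestamp, client_ip, qname)."""
    ts, ip, qname = line.split()
    return int(ts), ip, qname


def windows(lines):
    """Group queries into one-second windows: ts -> {client_ip: query_count}."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, ip, _ = parse_line(line)
        per_sec[ts][ip] += 1
    return per_sec


def classify(lines, rate_threshold=50, source_threshold=20, per_source_cap=5):
    """Return {ts: label} for each window.

    'distributed_flood' means the window is over the rate threshold, comes from
    many distinct sources, and no single source exceeds per_source_cap, so a
    per-client rate limit alone would not have caught it. The thresholds are
    assumed values for the constructed sample; a production resolver would
    derive them from its own traffic baseline.
    """
    result = {}
    for ts, by_ip in sorted(windows(lines).items()):
        total = sum(by_ip.values())
        distinct = len(by_ip)
        max_per_source = max(by_ip.values())
        if total < rate_threshold:
            result[ts] = "normal"
        elif distinct >= source_threshold and max_per_source <= per_source_cap:
            result[ts] = "distributed_flood"
        else:
            result[ts] = "single_source_flood"
    return result
```

The point of the per-source cap is the one the post makes: each compromised device contributes only a trickle, so separating attack traffic from legitimate traffic cannot rely on any single client looking abusive.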
This is not the first time this kind of attack has happened, but Friday’s events are a clear harbinger of the scope and complexity of attacks that we will see in the future, especially when pointed at centralized infrastructure that can take down many sites at once. Only 10% of the compromised devices in the Mirai botnet were used on Friday, and even that was enough to inflict serious disruption across the internet. The DDoS attack was the result of failures by the private sector, the government, and even the public. Understanding these failures is critical to mitigating the risk of another similar attack.
Private industry
From using outdated software and stock passwords, to abdicating their responsibility to provide security patches for their products, companies are both the problem and the solution. Hangzhou Xiongmai’s attempt to blame users for not changing their default passwords exemplifies the finger-pointing that occurs regularly in the IoT industry. While there may be some merit to consumers becoming more educated about device security, shifting blame from brand to buyer does little to advance protections. It also ignores the reality that the technical know-how to appropriately configure an IoT device rests with industry.
Forward-thinking companies should include policy and contractual requirements that incentivize good practices for the entire vendor ecosystem, such as creating and enforcing standards for privacy and security, offering consumers meaningful transparency, and accepting clear accountability throughout the lifecycle of products, from device manufacturers to end users. We have existing frameworks in industry that are instructive. For example, we might look to the role of government intervention in environmental protection. The Environmental Protection Agency imposes fines on polluters but does not assess civil liability for harm or losses inflicted on others. If manufacturers could be fined even just 5% of the losses of downstream companies as a result of an attack like this, there’s a good chance some of these basic security flaws would be less common.
Government
One reason that companies haven’t addressed these basic security flaws is that they don’t have to. The government plays an important role in balancing consumer protections with advances and market forces, but it has largely turned a blind eye to IoT devices. The Federal Trade Commission has been paying attention to connected devices and will likely launch an investigation into the attack, but it can only do so much with Section 5 authority and limited resources.
Consumers deserve baseline protections for privacy and security that resemble traditional consumer protection. What happens if the company you bought your IoT connected device from decides to stop supporting that device with security updates? Or what if the company goes belly up, as happened with connected home hub Revolv? Does that mean that your refrigerator or thermostat shuts down – not because it’s broken, but because its maker decided it was time to move on? The government should set guidelines requiring companies to guarantee that their products will be supported for a certain number of years and be held accountable if they fail to meet those promises.
Because IoT devices span so many industries, the Food and Drug Administration, Federal Communications Commission, Federal Trade Commission, and the Consumer Product Safety Commission all have a role to play in protecting consumer interests in the universe of connected devices. These agencies should be working together to develop frameworks for holding companies accountable for technical and policy failures.
Public
The owners of the IoT devices that played a role in the DDoS attack on Friday weren’t targets of hacking in a traditional sense—the purpose wasn’t to obtain personal information about these individuals. Instead, owners of the IoT devices unwittingly became vectors of hacking against others.
The security flaws in the consumer devices leveraged in this attack were probably too advanced for an average user to repair. But given the lawless landscape of connected devices, we must consider our own obligations as part of a greater, networked community. We are all a part of the same digital ecosystem. What is our collective responsibility when our devices play a role in compromising its basic functionality? At the very least, individuals must demand true and lasting transparency from the makers and sellers of the IoT so that it’s possible to take action to protect our devices and our networks. Companies could work together to create standard-issue, real-time interfaces that give people the information they need – such as the level of protection compared to the highest levels, requests for access to their devices, simple ways to set firewalls and other security measures – to protect their routers, their DVRs, their webcams, and all of the other “things” connected to their networks.
What did we learn?
Along with exciting possibilities for innovation in many sectors, the IoT brings with it new levels of risk and liability. We will not be able to enjoy these positive outcomes without deliberate and careful corrective action to make privacy and security a mandate for private industry, the government, and perhaps even consumers.