Over the past two weeks, hackers launched two of the biggest digital attacks in Internet history, targeting a French Internet provider and one of the foremost computer-security journalists in the United States.
What’s perhaps more unusual is not the size of the attacks, but their source: Internet-connected cameras and digital video recorders like those in home and office security systems.
Cyber-criminals hacked into thousands of these devices around the world and used them to bombard analyst Brian Krebs and the French company OVH with trillions of bits of meaningless data. The attack was severe enough to temporarily shut down Krebs’s website.
The attacks raise questions about the security of the much-vaunted Internet of Things (IoT), in which everyday objects from home appliances to door locks, cars, and digital video recorders are connected over a network and can be controlled remotely. The research firm Gartner Inc. estimates there are about 6.4 billion IoT devices in the world, with many many more on the way—20.8 billion by 2020. Internet security analysts say that many of these devices are just as hackable as our home computers, but much harder to protect from attack.
“It’s already a nightmare,” Krebs said of the state of cyber-security for these Internet-connected devices. “They just keep shipping devices that are insecure by default, and it’s been going on for a long time.”
Most IoT devices offer some measure of security, but usually not enough. For example, many devices require a password to change software settings, but don’t force the user to create one of his own. So many users stick with the default password installed at the factory. They might as well use none at all. The default passwords for hundreds of popular products are published online; hackers can just look them up on Google.
Once in control of the device, the hackers can install malware to steal data from other devices, pump out spam e-mails, or, as in Krebs’s case, crush an Internet site under an avalanche of data.
Last year, Burlington-based data security company Veracode tested 10 such devices. Testers found that eight of the 10 devices had serious security flaws that could allow intruders to seize control.
Consumers are famously ill-equipped to protect their personal computers from malware attacks. But most people know enough to install antivirus software and download the latest security patches. Bruce Schneier, a fellow at the Berkman Klein Center for Internet & Society at Harvard University, said many IoT devices don’t provide a way to update their software, and most people wouldn’t know how anyway.
“We’re moving down the chain to lower-cost embedded devices without upgrade paths, without patch systems, without security teams,” said Schneier, who is also chief technology officer of Resilient, a data security company owned by IBM Corp. “There’s going to be no way to fix this,” said Schneier. “None.”
The Xively business unit of Boston’s LogMeIn Inc. makes software that helps manage the data generated by IoT devices. Ryan Lester, Xively’s director of IoT strategy, said that most IoT device makers put good security features into their products.
But he acknowledged, “for many organizations the race to get an IoT product to market is a fast and furious one and it can be tempting to cut corners – especially in areas that can be complex and time consuming like security.”
Lester said that his company has a set of security standards that all clients must meet. “We have turned a few prospective customers away that did not,” he said.
But Roland Dobbins, principal engineer at computer security company Arbor Networks Inc. of Burlington, said that it’s not enough to rely on the security policies of individual companies. He called for IoT companies to band together and set industrywide policies, to make their products harder to hack.
“Vendors who write code for these devices must be given very, very specific guidance on security standards,” he said. But up to now, the industry’s efforts in this area have mostly been “lip service,” he said.
Even if such standards are drawn up, Dobbins said it might be necessary for the federal government to ensure compliance. “Something’s going to have to change,” Dobbins said, “and it’s just a question of whether industry is going to get its act together or government is going to have to intervene.”