
Privacy Perspectives | Why securing IoT is a national-security imperative


Like any other weekday, last Friday I grabbed a cup of coffee and activated my computer to see the latest world news cascade down my Twitter feed. But unlike an average day, Twitter was down. Mild discomfort settled in.

Social media addiction aside, it turns out a huge swath of popular websites — from CNN to Github to Paypal to reddit — were down for users in the eastern part of the U.S. The culprit, as we probably should expect by now, was a massive Distributed Denial of Service attack, and it came in two waves. The second was even more powerful, affecting users on the West Coast as well.

So what’s the lesson we should all learn from this attack? That designing privacy and security into internet-connected devices isn't just about brand or reputation, it's a national security imperative. When major websites — from social networks to video streaming services to news publishers to retailers — go down, it hurts the overall digital economy. Spread such an attack to critical infrastructure, like air traffic control or energy systems, and any country's national security interests hang in the balance. 

As was evidenced last Friday, it’s far too easy for bad actors to access connected devices like webcams and other smart appliances. Default passwords are often “password” or “admin.” When that’s the case, adversaries can easily crawl the internet, access those devices, infect them with malware, and activate their attack at will. The warnings have been there for years, too. In 2014, a website connected to 73,000 unsecured webcams around the world demonstrated how often default passwords remained unchanged. Plus, it appears access to this so-called "army" of hacked devices is for sale, and it's cheap. 
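As an added defender-side illustration (not part of the original article), the following Python flags a source that hammers a device's factory-default accounts and records whether one of those logins succeeded, which is the signal that a device is still on default credentials. The log format, addresses and default-username list are constructed for the example.

```python
"""Flag default-credential login sweeps against a connected device.

Added example, not from the original article. The log format below is
constructed; real devices log in their own formats and would need their
own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2016-10-21T11:02:01Z src=198.51.100.7 user=admin result=FAIL
2016-10-21T11:02:02Z src=198.51.100.7 user=root result=FAIL
2016-10-21T11:02:03Z src=198.51.100.7 user=admin result=FAIL
2016-10-21T11:02:04Z src=198.51.100.7 user=root result=OK
2016-10-21T11:10:30Z src=203.0.113.9 user=alice result=OK
2016-10-21T11:12:00Z src=192.0.2.44 user=support result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)
# Account names commonly shipped as factory defaults (assumed list).
DEFAULT_USERS = {"admin", "root", "support", "user", "guest"}


def parse(log: str):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_sweeps(events, window=timedelta(seconds=60), threshold=3):
    """Return {src_ip: {"attempts": n, "success": bool}} for every source
    that tried at least `threshold` default-account logins within `window`.
    A True "success" means the device still accepts a default account."""
    by_src = defaultdict(list)
    for e in events:
        if e["user"] in DEFAULT_USERS:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            run = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]
            if len(run) >= threshold:
                alerts[src] = {"attempts": len(run),
                               "success": any(e["res"] == "OK" for e in run)}
                break
    return alerts
```

A successful hit in an alert is the one to act on first: it means the device is enrollable into a botnet until its credentials are changed.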

The role IoT played in Friday's attack is not just speculation, either. Chinese electronics manufacturer Hangzhou Xiongmai Technology confirmed weak default passwords in its devices allowed adversaries to infect its webcams and DVRs with malware known as Mirai. The malware then allowed the attackers to launch Friday's massive DDoS attack, mainly in the U.S. In response, the company has announced it is recalling those devices. "Security issues are a problem facing all mankind," the company said in a statement.

There is now no doubt that an attack like this could happen anywhere in the world.

Friday's events lead to a huge takeaway for businesses in the IoT field. If companies do not build in protections to prompt new users to create strong passwords and ensure customers patch security vulnerabilities, they are not only risking brand reputation, regulatory action and the cost it takes to recall thousands of products, they are risking the health of the digital economy and the security of any nation in which such an attack takes place. 


Sure, last week's attack hurt dozens of companies, but imagine such an attack hitting critical infrastructure. More than money and reputation would be at stake. 

In fact, Friday’s attack did hit what's becoming very critical infrastructure, indeed: Dyn, a major Domain Name System (DNS) provider. The service it provides is likened to the Yellow Pages. In a nutshell, it helps users connect with their desired websites. By bombarding Dyn’s servers with massive volumes of requests, the attackers chewed up Dyn's bandwidth, effectively disabling its service several times throughout the day. How much e-commerce didn't happen because of those various downed sites?

DDoS attacks usually require thousands of IP addresses to mount an attack. So a bad actor, in the past, likely would have used a slew of computers infected with malware to accomplish the attack. However, IP addresses are now rapidly expanding beyond the computer screen to all sorts of devices: wearable fitness trackers, smart homes, connected cars, and so on. As IoT embeds itself more deeply into our lives and as companies find more ways to monetize these products and services, bad actors will have more IP addresses to enslave for DDoS attacks.

Late last month, Privacy Tech warned of the dangers of "enslaved IoT armies" after the website of well-known security reporter Brian Krebs was attacked and taken down for days. At the time, it was one of the strongest DDoS attacks ever measured.

The attacks have only gotten stronger in the meantime.

Friday’s outage is a mere inconvenience compared to what could happen if certain other critical infrastructures are affected. If this were to happen during the first Tuesday next month, an already contentious presidential election could be thrown into a whirlwind. 

Move these vulnerabilities onto other critical infrastructures — the energy grid, transportation, the financial marketplace, health care, water distribution — and we’re entering into dangerous territory. Really, we’ve likely entered this perilous territory already and are only just beginning to see some of the realities.


Security guru Bruce Schneier warned us in early September that “someone,” likely a nation-state like Russia or China, is methodically probing the “defenses of the companies that run critical pieces of the Internet.” He also pointed out that the scale of these attacks is steadily growing stronger. Since DDoS attacks are essentially a battle of who has more bandwidth — the attacker or the victim — a cyber arms race ensues.

Whether a large nation-state or small cell of criminals, we should realize that IoT security and privacy hygiene is now a public safety issue. This puts the onus on businesses to build in protections, a means to deliver security patches to already-purchased devices, and easy-to-understand instructions. If you've been seeking a good argument for getting a bit more budget and staffing for your privacy-by-design efforts, let's hope this can be a prominent arrow in your quiver.

If not, maybe we truly cannot have nice things. Or Twitter, anyway. 

Top image: Screen shot of Friday's DDoS attack from Level3

1 Comment


  • Sheila Dean • Oct 25, 2016
    I see where Jed is coming from. However, I think the government has to get its own house in order before they can produce standards that go to civilian applications. NatSec interests are military, federal and dark state intelligence interests.

    Don't be scared to forgetting so many privacy offensives originate from the NatSec regime, now, against the global web consumer. Do the forensics disprove government actors weren't involved in some of the botnet network? If so, we need to know all of that.

    All a consumer should rightfully trust US NatSec with is essentially whatever they can encrypt. Consumers should not call upon them. They should protect themselves from them because for all we know they could be the same people involved in the DDoS attack.

    Civic surveillance network security hygiene is TBD. Federal contractors' business was to sell it to munis, not to protect the PII of the people governments are surveilling. They are at fault if IoT wireless botnets cross over and violate the Privacy Act en masse. This means any breach victim of a Smart Cities public-private enterprise can rightfully sue: the City, the vendor and the federal government.

    Good luck, DHS. You should have shored up civic networks when you were sending out purchase orders for traffic cameras, ALPR and biometric scanners.