Friday’s attack against US computer infrastructure using a botnet crafted from the Internet of Things (IoT) appears to be a shot across the bow, demonstrating the power of the hacking team — and those behind that team. Unfortunately I, and many of us, may have unwittingly played a role in the attack. Our computer devices may have been used to send the signals that overwhelmed the computer servers on Friday.
The IoT attack was not unanticipated by many of us. In June 2015 some of us began unclassified discussions with personnel from a major university about the IoT problem. Everything from cars and refrigerators to medical devices is being “computerized” with IoT software and firmware. We foresaw serious security problems in this.
For the most part there is no security screen on IoT devices, allowing hackers easy entry to them. We recognized that any of us could inadvertently be part of the problem because we had no way to prevent IoT devices we already have, and those we will acquire in the future, from being infected with malware. Earlier this year there was some public recognition of one part of the IoT problem when it became known that a medical device had virtually no protection and, in certain circumstances, had the potential of being manipulated to kill the patient using it. There have been reports and claims of IoT threats to cars (potential to affect braking, speed, steering, etc.). There have been claims about the ability to affect control of commercial airliners through attacks against on-board entertainment systems.
IoT security is virtually non-existent at present and is unlikely to be effective even in the future because A) there is no totally effective anti-virus/anti-malware system available for or designed for IoT devices, B) security is not legally required and manufacturers won’t spend money they do not have to, C) IoT security would not only be more expensive, in some cases it would interfere with the working of the IoT device, D) retrofitting devices and systems already in use would be improbable if not impossible, and E) IoT security would generally have to be configured when the device was brought on-line, and most people wouldn’t take the time or expend the effort — even if they were capable of doing so.
There are some indications, from the size, severity, and markers of the attack, that this could have been a state-sponsored effort. However, it appears that only a small part, perhaps as low as 10 percent, of the available capability was used. There is a possibility this may have been a shot across the bow rather than an all-out attack.
From the discussions that started in June of 2014 I am not confident that we have a way of thwarting distributed denial of service attacks such as we saw Friday, or dealing with other attacks carried out through the IoT. These attacks use the very design of the Internet — and us, our cameras, our cars, our refrigerators — for their success.