Your smart home could help "bring the internet to its knees," expert says
"I'm home! Now I will fumble for my phone in my bag, open up my Home app, find the light function, switch it on and voila! Illumination. I remember when I used to have to lift my finger and flip the switch. Ha! Losing those 10 seconds is worth feeling like I'm in the future! This is some cutting-edge shit. It's too bad these smart lightbulbs helped take down the internet last week."
Sure, it's fun to use your smartphone like a magic wand to control your house, but what are you willing to sacrifice for this so-called convenience?
The day the web stood still
Last week, a distributed denial of service attack took down Twitter, Reddit, Spotify and oh so much more. The hackers remain at large, but the root of the hack is clear: tens of millions of insecure IoT devices attacked by a massive botnet.
"This could mean everything from camera systems, to power company self-reading meters, to smart lightbulbs," Radware vice president of security solutions Carl Herberger said in an email Monday.
The devices that were vulnerable to hackers during last week's attack were mainly DVRs and security cameras, but any device connected to the internet is a potential target: lightbulbs, webcams, toasters, coffeemakers, thermostats, televisions, shower heads, connected locks — and the list goes on.
Chinese firm Hangzhou XiongMai Technology, the company behind the devices hacked in last week's attack, announced that it will recall some of its U.S. products. It attributed the vulnerability to users not changing the device's default passwords.
"Many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet," security expert Brian Krebs said in a blog post.
Unsecured smart homes are just Trojan horses for hackers
"This is a tipping point that we have expected for a while," Lookout VP of security research Mike Murray said in an email. "Given the number of unsecured, connected devices that are infiltrating our homes and workplaces, this is the first indication in the evolution of size and scale of botnet-type attacks. With 2 billion smartphones in use worldwide, just imagine how major of a force they would be if used for this type of attack. It's a scary, but very real possibility, if the security of these devices is not prioritized."
Following the no-good, very bad day for the web, Scientific American noted that the Internet of Things is growing faster than our ability to defend it.
Senator Mark Warner sent a letter to the Federal Communications Commission, the Federal Trade Commission and the Department of Homeland Security National Cybersecurity and Communications Integration Center on Tuesday, describing insecure IoT devices as "harmful."
"While the internet was not designed with security in mind, its resiliency — which serves as its animating principle — is now being undermined," he wrote.
He warned that the market is saturated with "cheap, insecure devices" and a lack of accountability for their manufacturers.
IEEE Senior Member Kevin Curran said in an email on Wednesday that it is "crucial" that IT departments monitor their networks 24/7 to keep an eye out for any intrusions or unusual activity on the network. He added that we need to place "severe pressure" on IoT manufacturers to make sure devices are secure before they make it into consumer's homes.
"The public will be unaware of the need to update their lightbulbs, so we in the security industry must force the manufacturers to not make it so easy for the hackers to exploit them," Curran said. "As we have seen lately, we can all be at risk from IoT devices, which were thought to be too dumb to cause harm. The opposite is the truth. Unpatched, poorly deployed dumb devices have the power to bring the Internet to its knees."
We need to hold manufacturers accountable
Associate Dean of the School of Engineering and Computing Sciences at the New York Institute of Technology and IEEE member Babak Beheshti believes adoption of connected devices that can make our lives more convenient is inevitable.
"The concept of keeping our homes dumb is equivalent to rejecting the banking system and keep our money under our mattresses," Beheshti said in an email.
He noted that the recent DDoS attacks show us why consumers need to better understand their connected devices. He cites changing factory default user IDs and passwords as an "obvious" way for consumers to offset cyberattacks, as well as researching products that both meet a consumer's needs as well as ensure their privacy and security.
Herberger also sees our connected future as fated.
"It's not really a question of whether to keep your own house dumb, we are very much headed to a connected future regardless of whether individuals want to keep their thermostat as simple as a spin dial," he said in an email on Wednesday.
He said that the devices attacked in last week's hack were "easy targets" because of a lack of proper security protections. The responsibility is not just on end users — it's on the government and manufacturers to regulate.
"Can we secure the internet of things in time to prevent another cyber-attack?" the Guardian asked on Tuesday.
Do you really need all of those "smart" things?
At their current growth rate, we're on track to have upwards of 38 billion IoT devices by 2020. And, as last week's hack revealed, we are sure as hell not prepared to protect all of them.
"There is a new day forming," Herberger said. "IoT is now a major force in the weaponization of DDoS and cybercrime. While every home owner must now protect itself against the potential for this kind of cyberattack attack, this isn't the only IoT vulnerability to keep in mind. 2017 will bring new threats as the IoT expands, challenging organizations and consumers alike to maintain effective security."
Until manufacturers can ensure government agencies and consumers that their connected devices are hack-proof, it's best to dig those dumb devices out of storage. Do you really need to watch YouTube videos on your refrigerator?