“Sing, O Muse, sing of the anger of Akamais.” Okay, I’m no Homer and this is no Odyssey, but we mortals are the victims of a fight we didn’t start and which may last longer than the Trojan War. As I write this, on October 21, the Internet is unevenly available to people, with many major sites being difficult or impossible to reach. Those sites aren’t under attack: some of the Internet’s plumbing is.
A distributed denial of service (DDoS) attack against Dyn took down a hunk of the Internet in America on Friday, starting on the East Coast and then hitting the West, because that company provides one piece of networking glue for many major Internet companies. Dyn is a DNS (domain naming system) host, handling the lookup that happens every time any computer or mobile device anywhere in the world needs to convert a human-readable domain name (like macworld.com) into an Internet numeric address, find the appropriate mail server, or retrieve other domain-related details.
I imagine many of the companies that relied on Dyn may be rethinking having their eggs in the same basket as everyone else. Dyn certainly has a robust, globally distributed, redundant network of servers plus mitigation options—it has to, to have passed scrutiny from all the companies that contract it for service. So it’s even more terrifying that this attack was so effective and so long in duration.
The worst part? As I said at the outset: it’s a war in heaven being fought on ground level, and there’s little we can do as individuals to stop it. It’s happening around and above us, currently fed in large part by all the smart, or Internet-connected, stuff in our homes.
The Internet of cheap crap
The promise of the Internet of Things (IoT) is that everything that does something in your home will have an Internet connection. So your thermostat, security camera, alarm system, television set, DVR, kitchen scale and bathroom scale, refrigerator, and the like will all be sending and receiving data for monitoring, streaming, and control.
Some IoT devices make sense. I upgraded our home alarm system with an Internet-connected panel a few years ago, and was able to get a text from home when I was on the opposite coast, my wife was out, and my mother-in-law, babysitting our kids, set off the alarm. I checked in with my mother-in-law, disabled the alarm from my smartphone, and then called the monitoring company.
But some IoT devices may leave you wondering, what’s the point? Why should, say, my upright freezer have an Internet connection? Turns out, modern automatic defrost freezers have a cycle in which they briefly heat their coils to melt ice off. This happens whenever the freezer’s tiny brain thinks it’s appropriate—which could be in the middle of the day, during a heat wave, with the grid under peak power use. A little Internet smarts could let the freezer negotiate a rebate with your electric company to perform the task later. (No joke: Experiments like this have been underway for years.)
The downside is that most of these “smart” devices are pretty dumb about security. Many ship with default administrative passwords and don’t require you change them. They use UPnP (Universal Plug and Play) to punch through network firewalls for remote access. They use unencrypted connections over the Internet. And they often run outdated, exploit-riddled versions of embedded operating systems and open-source modules for networking access.
This equipment rarely receives software updates, even when it’s sold in large quantities and researchers or security firms find attacks in the wild. Even when updates come out, most owners aren’t aware of them, or lack the sophistication to install them, even if it’s “just” downloading a file, connecting to a Web-based administrative front end, entering a password, and uploading a file. Think how often that process has failed for you, and you’re someone who reads this column.
These devices can be hijacked, and that’s been happening lately on an alarmingly broad basis. Tens of millions to hundreds of millions of IoT devices have had malware installed that allows them to be remotely triggered as part of a “botnet” used in a DDoS. A large portion of those are apparently DVRs and home and business security cameras.
Botnets used to involved hijacked computers. While computer botnots still exist, improved OS security has made them less easy to acquire in large numbers and retain control over. IoT devices have more vulnerabilities, making them easier to subvert, and the kind of behavior they exhibit when running an attack can be entirely invisible to their owners: the attacks flood upstream, not downstream connections, and don’t always interfere with a device’s function or the user’s network. There are also simply fewer computers than other devices, too. Several billion IoT devices already exist worldwide, and it will swell to tens of billions in just a few years.
I spoke to Internet security expert Bruce Schneier a few weeks ago, when journalist Brian Krebs’ site was under one of the largest DDoS attacks ever experienced, and he noted, “The problem is the patching ecosystem requires a certain price point of device to make it viable. We are dropping below that price.” He calls it, “The Internet of Things too cheap to secure.”
Sadly, even when brand-name companies sell products and offer updates, they can still incorporate free or licensed components that have security issues that the equipment makers didn’t test for. The NetUSB debacle in mid-2015 is a good example: a wide-open problem that manufacturers were unaware of and, when notified, didn’t immediately leap to patch. (It’s unclear how many millions of devices with NetUSB built in remain vulnerable.)
There’s no per se defense against this. Neither the U.S. nor any nation that allows the free use of consumer electronics requires security testing, although nearly all have regulations about signal emissions, and most manufacturers voluntarily apply for electrical tests with the Underwriters Laboratories (UL). The Federal Trade Commission (FTC) has urged the industry to step up, but has no teeth to require it.
We have few tools at our disposal, which is why I say it’s a war in heaven. Only larger forces can affect the outcome. Users becoming educated about their equipment and making affirmative changes, such as picking a new password or bumping up a router’s firewall settings doesn’t help if a vulnerable smart device punches through the network to allow remote connections (one of its features, as an IoT device), and has hidden, immutable passwords, as is the case with some.
Internet service and network providers have a game plan written years ago that detail technical changes that would reduce the impact of all DDoS attacks, including those by IoT devices. But these changes are complex, and add cost or reduce network performance. In a competitive world, unless every provider has an obligation, it’s unlikely any will step forward.
Hardware makers could obviously improve their goods, but the IoT comprises mostly cheap equipment as Schneier notes. It’s relatively easy to use free software and inexpensive components with a little bit of custom or licensed software to create Internet-connected video cameras or digital video recorders. It’s much more expensive to perform security testing in advance and ongoing system development and updates.
What’s needed is industry certification of IoT security coupled with manufacturers agreeing to a minimum period of time during which they’ll provide security updates. There’s no way for us to vote with our dollars in favor of that, because no such initiatives exist yet. It could happen if large retailers like Amazon started their own testing programs or worked with industry suppliers and major manufacturers, and only sold directly and allow third parties to sell electronics that met that bar. That isn’t happening yet, either; Amazon reportedly can’t even assure that it’s not allowing its sellers’ to offer counterfeit Apple cables.
If private companies can’t figure out a way to improve security, you can imagine what happens next. Faced with attacks that cripple private and public infrastructure, governments intervene because the market failed. Governments don’t always have a light hand, so it’s not the preferred solution, but companies and entire industries aren’t stepping up to the challenge. The market remains incompetent.
Until some change happens, the thunderbolts will continue to rain down upon the likes of us.