The IoT and the day the internet died, almost

A little over a week ago, the Internet almost died.

Starting Thursday, October 20, much of the US and parts of Western Europe experienced a massive blackout. Some of the world’s most popular and most used websites went silent. Poor Donald Trump couldn’t tweet for a few hours.

And it was all because of cheap webcams and DVD players… maybe even one of your own.

Making connections

To understand how this happened, you need to understand how Internet of Things (IoT) devices work.

If you are reading this, you have an Internet connection. To make that connection, your computer or smartphone must have three things:

  • A piece of hardware designed to connect to the Internet via a cable or wirelessly

  • Software to run that hardware, containing your unique Internet “IP” address

  • A way to differentiate between authorized and unauthorized connections

The last requirement is usually met by a username and password to connect to your Internet Service Provider. But it is also possible for other devices to remotely connect to your computer over the Internet – “incoming connections”. Some of them are good (e.g. incoming Skype calls) and some are bad (hackers). Having passwords for IoT devices accomplishes the same thing, but only if they are strong passwords.

The technology industry has worked hard to develop common techniques to identify and stop unwanted incoming connections to computers. Operating systems are constantly updated to deal with the latest threats. Specialized companies do nothing more than keep an eye out for viruses, bots, malware, and other dangers and design software to combat them. Guys like me write about how to maintain good digital hygiene. That is why we have far fewer virus outbreaks than before.

When it comes to internet connections, IoT hardware has pretty much the same setup. But there are three big differences.

One is that username and password settings can be difficult to change, even hard-wired by the manufacturer, as appears to have been the case with devices that contributed to the recent internet outage.

Another is that IoT devices are always on and rarely monitored. Unlike a computer, they could be infected and you would never know it.

Above all, there is no collective effort to monitor and prevent hacking of IoT devices. Nobody sends out general security updates like an antivirus service from McAfee or Norton. They cannot, since IoT devices are all different. There is no common language or protocol that can address threats to all IoT devices at once.

Instead, it is up to the manufacturer of each IoT device to protect the device and update its “firmware” when threats are known.

We tried that approach with computers… and it didn’t work.

How this led to last week’s blackout

In the recent outage, IoT hardware made by a Chinese manufacturer, including the cheap home security web cameras you see advertised at Home Depot, was hacked by someone using software called Mirai. It searches the internet for IoT devices that use default passwords or simple passwords, infects them, and then assembles them into a “botnet,” a collection of devices that can be made to do the hacker’s bidding.

In this case, they instructed IoT devices to send “tens of millions” of connection requests to the servers of a US company that provides crucial Internet routing information. Overwhelmed, the company’s servers crashed… and with it, the web pages of sites like Twitter, Facebook, The New York Times and others.

This was possible because the software running the Chinese IoT hardware used a single hardwired username and password for all of them, which cannot be changed by the user. Once the hackers got the username and password, it was easy to program them to do what they did.
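The scanning described above leaves a trace on the owner's own network: an infected camera starts opening connections to many unrelated addresses. The following Python sketch is an added example, not part of the original article; the log format, the sample records, the thresholds and the choice of Telnet ports 23 and 2323 are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Mirai-style scanners probe Telnet on TCP 23 and 2323.
TELNET_PORTS = {23, 2323}

# Constructed sample flow log: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2024-01-01T03:00:00 192.168.1.50 198.51.100.7 23
2024-01-01T03:00:02 192.168.1.50 198.51.100.8 23
2024-01-01T03:00:04 192.168.1.50 203.0.113.15 2323
2024-01-01T03:00:06 192.168.1.50 203.0.113.16 23
2024-01-01T03:00:08 192.168.1.50 203.0.113.99 23
2024-01-01T03:00:10 192.168.1.50 198.51.100.200 2323
2024-01-01T03:00:11 192.168.1.20 192.0.2.80 443
2024-01-01T03:05:00 192.168.1.20 192.168.1.1 23
garbage line
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_scanners(flows, min_targets=5, window=timedelta(minutes=1)):
    """Return {src: most distinct Telnet destinations seen inside one window}."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in TELNET_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(parse_flows(SAMPLE_FLOWS)))
```

A device flagged this way should be taken off the network and power-cycled, then kept off the Internet until its credentials or firmware can be changed.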

Roland Dobbins, principal engineer at Internet security company Arbor Networks, blames this on manufacturers not working together to develop a common security approach for IoT. Instead, each company follows its own designs and ignores the painful experience of the PC industry in this regard.

“I’m not worried about the future; I’m worried about the past,” he said recently. “If I could wave a magic wand, I would wave it so that there are no unsecured embedded devices out there. We still have a big problem; we still have tens of millions of these devices out there.”

Do not disconnect from the IoT

Does this mean that the positive predictions about the IoT are off the mark?

Not at all.

First, companies like Samsung, which plans to connect all of its products to the Internet soon, now have an incentive to develop ways to combat this. Otherwise we will not buy their products.

Second, consumers will not tolerate a situation like the old war between Betamax and VCR: competing approaches to a common need. The IoT is a platform, like the Internet itself, and everyone needs to be on it. Manufacturers will sit down and come up with common protocols to secure IoT devices, even if they’re kicking and screaming all the time.

Third, the same market forces that produced Norton, McAfee, Kaspersky Lab, and every other security company in the computing space will produce IoT solutions. And there will be money to be made by investing in them, as well as in the IoT itself.

In the meantime, this is my advice. Get IoT devices… but only top-of-the-line ones. Avoid cheap, mass-produced brands. Ask vendors about security protocols and whether you can easily set up your own username and password. If not, walk away. They’ll get the picture soon enough.

After all, that’s how “market forces” are supposed to work.