Harbingers of Doom

The ‘Internet of Things  – a network of ‘smart’ digital devices – represents the future. In the context of the IoT, a thing can be a person with a heart monitor implant, a farm animal with a biochip transponder, an automobile that has built-in sensors to alert the driver when tire pressure is low – or any other natural or man-made object that can be assigned an IP address and provided with the ability to transfer data over a network.

If you feel the need for more detail on the IoT, then Dr. John Barrett’s presentation at TEDxCIT on YouTube is a great place to start.

Experts estimate that by 2020, the IOT will consist of almost 50,000,000,000 smart things.

So, the future is bright. Right? Not so fast …

A Distributed Denial of Service (DDoS) is getting lots of things across an internet to ‘talk’ to the same receptor at the same time so that it is overwhelmed with the traffic and thus unable to provide the service intended.

In a ‘this changes everything’ event, Smart things were used in a DDoS attack last week on DNS service provider Dyn using 100,000 infected devices with Mirai-powered botnets being the primary source for Friday’s widespread disruption of the Internet (of People). At its peak, the attack delivered data to Dyn’s servers at 1.2 TeraBytes per second – a rate high enough to download the Library of Congress in 12 seconds.

Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, tweeted  that:

Today we answered the question ‘what would happen if we connected a vast number of cheap, crummy embedded devices to broadband networks?’

I’m not really sure why we needed to answer that question experimentally, but progress in network security is always good.

Jeff Jarmoc, head of security for global business service Salesforce, tweeted  that internet infrastructure is supposed to be more robust.

“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters”

To be fair, toasters weren’t part of the threat model when the internet infrastructure was designed.

Within hours of the DDoS , ComputerWorld  and many other tech reports decided that much of the blame lay with Chinese webcams … for having users too dumb to change the factory-set password.

Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.

Almost simultaneously, the Chinese government threatened to sue anybody  or everybody who propagated a message that Chinese technology was the cause of the Internet problems associated with the DDoS.

Before you dismiss all this as ‘just kids having fun’ or ‘too many netflix users’ note that there are some life systems now connected to the internet. You might bet your life – literally – that they were proof against being co-opted into a network and used for harm. As this expert witness report  showed in court proceedings, your life might not be so secure! It’s a 5Mb pdf download so you may not want it all. Here’s a highlight:

By combining this attack and the shock-on-T attack it appears that it would be possible to first disable the therapeutic functions of the ICD and then issue a shock-on-T to trigger ventricular fibrillation in the patient; it is my understanding that this can lead to cardiac arrest, and it also my understanding that in the event of an ICD’s tachy therapy being disabled, the ICD will not delivery therapy to recover from the episode. Based on this understanding, I believe that this chain of exploits could present a life-threatening scenario.

Bottom lines

Joe Weiss, the managing partner at the cybersecurity firm Applied Control Solutions discussing this noted

I can’t speak for anyone else [But] I don’t know that we really understand what the endgame is.

Wikipedia‘s  IoT security article nicely describes the problem inherent in connecting ‘smart’ devices into huge networked ‘bots’.

And toasters can do more that burn bread and take down the Internet as demonstrated in another YouTube video – “How to mod any toaster to control PC games in 3 easy steps” 

Bookmark the permalink.

Comments are closed