Toasters and Fridges on the Attack
That's the apocalyptic headline we could be reading one day, given the seemingly unassailable trend toward connecting mundane items to the internet. Don't think it's too far-fetched, either.
More than $970 billion is expected to be spent on Internet of Things devices next year, according to data from Bloomberg Intelligence and IDC. It's no mistake that "things" is the chosen noun to describe any and every gadget that can be connected to a network. Few other words encompass the vastness, and "stuff" just isn't elegant.
As we saw last week, though, connecting things to the internet also creates the potential for huge networks of robots, aka botnets, to be turned into drone armies for anyone with the software tools to take over enough devices. One such tool is called Mirai, a strain of malicious software (malware) that was not only deployed with cunning effectiveness last month to bring down the website of renowned security researcher and journalist Brian Krebs, but was released into the wild for anyone to copy and adapt for his or her own use. And that's exactly what happened in Friday's attack.
While the prevalence of flying drones has created a fear that airborne toys could be weaponized, the sheer number of internet-connected devices and the lack of security built into them shows the bigger threat is that almost any object can be turned into a cyber drone. According to Krebs and security firm Flashpoint, the most recent attacks can mostly be traced back to components for digital video recorders and internet-connected cameras supplied by Chinese company XiongMai Technology.
I couldn't tell you whether XiongMai really is at the heart of the vulnerability, but the fact that researchers could trace infected components back to one hardware supplier is a feat of cyber epidemiology that raises an interesting moral and legal dilemma: What responsibility do suppliers have to secure their devices?
A little-known case in the U.S. earlier this year helps answer that question. The Federal Trade Commission sued Taiwan's Asustek for leaving consumer routers and cloud services vulnerable. Because of this poor security, hackers could (and did) commandeer users' web traffic. I know, because I was one such victim. Asustek eventually settled the case and agreed to tighten security and be subjected to audits for 20 years.
Suing individual companies for specific weaknesses looks a bit like fighting a forest fire with a water pistol, but it's better than nothing and at least lets device makers know of their moral responsibility. Even better would be the implementation of global IoT security standards in the same way that technology specifications are in force for the likes of Bluetooth and WiFi. That would help deal with the problem of numerous differing device types and systems that fall under the IoT umbrella.
Already the European Union has got to work on the issue, drafting rules for IoT hacking-defense norms and labeling modeled on the way energy efficiency is rated for household appliances.
Improved standards can't come soon enough. While hacks could turn devices such as cameras, fridges and toasters into cyber drones, keep in mind that many airborne drones are also a form of IoT. Now imagine if those got hacked, en masse.
This column does not necessarily reflect the opinion of Bloomberg LP and its owners.
To contact the author of this story: Tim Culpan in Taipei
To contact the editor responsible for this story: Matthew Brooker