Understanding the vulnerabilities of the Internet of Things is the first step toward better data security
At approximately 7:10 a.m. EST on Oct. 21, 2016, unidentified hackers executed a large-scale cyberattack against Dyn, a New Hampshire-based company that monitors and routes internet traffic. The distributed denial of service (DDoS) attack—the largest ever of its kind—blocked access to websites such as Twitter, Tumblr, Netflix, Reddit, and Airbnb for internet users on the East Coast. Although no significant damage occurred, the attack was alarming because of the hackers’ modus operandi: They discreetly infected hundreds of thousands of “smart home” devices like internet-connected cameras, baby monitors, and thermostats with malware that hijacked the devices and used them to flood websites with so much junk traffic the sites could no longer accommodate legitimate visitors.
In a world abuzz with excitement about the Internet of Things (IoT), the attack was a blunt reminder that technology poses as many risks as benefits.
“It re-energized the conversation in this country about security,” said Rob Mott, vice president of military and intelligence solutions at Intergraph Government Solutions (now Hexagon US Federal). “People are beginning to understand: The more we rely on the internet, the more power we have—but also the more risk there might be.”
Indeed, the IoT comes bundled with threats as well as opportunities, according to Vint Cerf, vice president and chief internet evangelist at Google. Along with DDoS attacks, Cerf worries about specters like privacy breaches and data theft.
“Let’s suppose you have temperature sensors in a house and an unauthorized person is collecting data from them every five minutes. After six months, that person will have a pretty good idea of how many people live in the house and when they come and go, all of which might be very useful if they were planning to break into your house,” Cerf said.
It’s not just information that’s vulnerable. It’s the devices themselves, which could be hijacked by criminals or terrorists, according to Argonne National Laboratory Senior Scientist Pete Beckman.
“Suppose someone can turn off a hall light in your home. That’s annoying. But if someone can turn off all the lights in a hospital, that’s more than annoying,” he said, suggesting hackers could just as easily hijack connected thermostats to deny Americans heat in their homes, or turn all traffic lights in a city green or red to wreak havoc. “Those are the kinds of quick attacks that could have a really big impact.”
Policymakers have a responsibility to ensure public safety by passing IoT rules and regulations. Security must start, however, with the technology itself, according to Beckman, who said engineers and developers must design IoT products with security in mind. In particular, he advocates using distributed networks to make the IoT more resilient. “We have to build in distributed decision-making and distributed response so a single attack can’t disable an entire network,” he said.
Hardware and software likewise need to be reengineered with less vulnerability, which is a focus at the National Geospatial-Intelligence Agency (NGA), according to Deputy Director for IT Mark Munsell. “[NGA is] looking at new methods of securing our network,” Munsell said. “A lot of our old systems have thousands if not millions of doors into our network. By moving to the cloud, we’re … building a house that only has one door, which we keep a real close eye on.”
NGA is well positioned to protect not only its own network, but also the networks of the nation at large. “Just like we have a role in securing the nation from physical threats, NGA has been asked to help secure the nation from cyber threats,” Munsell continued. “We’ll do this by using our expertise in mapping … to understand the physicality of the world’s networks, then take that up a notch through spatial analysis of devices and actors and activities.”
But the best line of defense in the IoT era might be citizens and consumers.
“All the people who were involved in [the DDoS attack against Dyn] had no idea their baby monitors had been hacked. But then again, they probably didn’t read the instructions to change their default passwords, either,” Barlow said. “As we move forward, there needs to be a cyber-education campaign to inform the public about the risks from technology and how to protect themselves.”