The networking of everyday objects is speeding ahead. From toothbrushes to baby monitors, all kinds of gadgets are getting connected to the internet. But the internet of things can be hacked, and botnets made of toasters can take over our machines.
When looking to buy a new home appliance, you normally wouldn’t give much thought to hacker attacks. But the next time you’re shopping, maybe you should keep Andrew McGill’s toaster in mind. McGill is a programmer and journalist; he works for the American magazine The Atlantic and his toaster was recently hacked.
Luckily, it wasn’t McGill’s actual toaster. But it should still give us cause for concern. McGill had simulated a toaster for an experiment—a toaster with an internet connection. He wanted to find out how quickly the gadget would be targeted by hackers. McGill was “fully expecting to wait days—or weeks—to see a hack attempt”, as he wrote in his report for The Atlantic. In fact it took less than an hour. Within the first twelve hours there were a further 300 hacking attempts.
McGill’s experiment is more than just an amusing anecdote. More and more everyday items are connected to the internet. From baby monitors to toothbrushes—all manner of gadgets are becoming “smart”. Experts predict that the market for networked gadgets will soon be worth billions of dollars annually. No wonder, then, that more and more companies are looking for a piece of the action. Internet giants Google and Amazon have brought their own control centres for networked households onto the market. Google Home and Amazon Echo react to spoken instructions from their users via microphones and built-in software assistants.
Even small and medium enterprises assume that in a few years practically all household goods will at least have the option of going online. We can observe the same development with television: there are now hardly any television sets for sale which are not smart.
But in the scramble for the market, security is falling by the wayside. It is becoming more and more clear that networked devices have their vulnerabilities, and 2016 could be a turning point. This past year, the first massive internet attack associated with networked gadgets was made public.
One Friday in October, internet users in the USA faced massive network failures. Big online services like Netflix and Spotify went down, as did sites like Reddit, the New York Times or Wired.
Among the culprits were insecure webcams. Hackers had joined millions of devices together into a botnet. This botnet targeted the DNS provider Dyn. Companies like Dyn are responsible for translating website names into IP addresses, the only way that a browser can call up the required site. Dyn is the internet’s telephone directory—and a weak spot in the global infrastructure.
The company was overwhelmed by a massive wave of nonsense requests, in other words, a classic DDoS attack, which brings servers to their knees by overloading them. For attacks like these, attackers use botnets made up of devices which they have brought under their control. Until now, this generally only meant computers and laptops, not video recorders and webcams.
Experts had already been warning for some time that networked devices could be used for attacks. The IT journalist Brian Krebs experienced this first-hand, when his website was attacked by a botnet made up of surveillance cameras and digital video recorders. The software employed was amateurishly simple, but its effect was devastating.
Warnings are growing louder. “We need to save the internet from the internet of things”, declared IT security expert Bruce Schneier in the technology magazine Motherboard. Schneier issued his call to arms only a few weeks before the massive attacks at the end of October. In hindsight it was almost prophetic.
The problem lies within the networked devices themselves. Or rather, with their manufacturers. Companies often construct their products without any thought of security and maintenance, says Michelle Thorne. Thorne works for the Mozilla Foundation, which is behind the Firefox internet browser. She has written a book together with Peter Bihr about the internet of things, called “Understanding the Connected Home”.
“People buy a fridge, and then at some point they have to update it”, says Thorne. “But the tech companies are not ready to support that or think about long-term maintenance.”
Often, updates are not possible, nor are there provisions for changing the standard password. This was how the attack on Dyn in October 2016 took place: the hackers used surveillance cameras from a Chinese manufacturer, which were running with a known standard password. Not all companies are familiar enough with internet security to properly secure the networked devices they started building. No one knows exactly how many cheap surveillance cameras or video recorders are connected to the internet without proper safeguarding.
There is hope that the recent attacks on the infrastructure of the internet will at least have one positive effect. The problems are now known, and the wide-ranging impacts of security flaws have been comprehensively demonstrated. That has brought state regulators onto the scene. The German authority for IT security, the Federal Office for Information Security (BSI), is now calling on manufacturers to do better.
The majority of household goods connected to the internet are “insufficiently protected against cyber attacks when they arrive from the factory and can therefore be easily taken over by attackers and put to criminal use”, warns the BSI. “We therefore require that manufacturers of networked goods improve the security of their products and that, when developing new products, they look not only at the functional and price aspects of the item but also at the necessary security aspects.” Manufacturers should encrypt internet communication and provide updates.
Experts are also discussing ideas for an IT quality seal. Such labelling would inform consumers that products meet certain safety standards. Whether stronger rules are required is still up for debate. And even if they are, it could take some time before they are in place.
It could indeed be that security becomes a sales angle for networked devices. That may be an optimistic scenario, but it is not inconceivable. A similar development led to a change in messenger apps. Only a few years ago, security in chat services was a niche topic, addressed only by a few small providers. Then the giant WhatsApp began encrypting its users’ messages. A major impulse behind this was Edward Snowden’s revelations of widespread surveillance of digital communications.
It is possible that the massive DDoS attack of October 2016 will make people more careful when buying. Manufacturers will be placed under greater pressure to make their networked products more secure. In any case, the market is very diverse: not all companies offering networked devices are necessarily versed in IT security. It is likely that the incident in October was not the last time internet-enabled household goods will play a part in a cyber attack.
“Das Netz – digitalization and Society. English edition” gathers writers, activists, scientists, politicians and entrepreneurs to think about the developments of our digital life. More than 50 contributions reflect on the digital transformation of society. It is available as a free PDF.