“The Internet of Things” (IoT) is a term coined in 1999 to describe the vast array of connected devices like refrigerators, blenders, cars, cameras, light bulbs, thermostats, pacemakers, and yes, even Barbie.
The smart-object market as a whole has been valued at $19 trillion, with billions of individual objects connected to the internet at any given moment. These numbers might lead one to believe that security would be a key element of these products – after all, no one wants to lose control of their car’s steering mid-commute – but the attack that took down internet infrastructure company Dyn (and with it the service Dyn provided to sites like Twitter, Spotify, Netflix, PayPal, The New York Times, and The Wall Street Journal) demonstrates how the power of the many lies in the weakness of the one.
Denial of Service
One of the most basic (but most difficult to defend against) of all cyber-attacks is the Distributed Denial of Service (DDoS) attack:
Imagine Game 7 of the World Series this year, with the series tied. The gates open and tens of thousands of fans rush to get to their seats. One problem, though: only two ticket-takers are working the gates. The mass of people piles up against the gates, shuffling forward and pressing the funnel to the entry tighter by the second. The crowd spills over to block even the exit gates. As people trickle through the entry, everyone except the two people having their tickets checked at any given moment is at a standstill.
This is a denial of service attack.
When people refer to “breaking the Internet,” or a website temporarily going offline due to extremely high volumes of traffic, they are in effect describing a DDoS attack, only without the malicious intent. Servers, after all, are computers, and can become overloaded and stop responding when too much is going on. In a DDoS attack, a network of computers potentially spread across the globe (this is where “distributed” comes into play) make repeated connection attempts as fast as they can, all at once, to one specific server, with the hope of overloading their target and taking it offline. The obvious solution would be to block incoming connections from the attackers, right?
But what if there were… millions?
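The following is an added example, not code from the original article, that makes the point of the last two paragraphs concrete. It implements the “obvious solution” as a toy per-source-IP rate limiter (a sliding window of request timestamps per address, an assumption of this example rather than anything Dyn ran) and feeds it two constructed floods of the same total volume: one from a single address, one spread thinly across many addresses. The limiter stops the first cold and waves the second straight through.

```python
"""Per-source rate limiting against a single-source flood vs. a distributed one.

Added example for illustration; not part of the original article. All traffic
is constructed in-script. The limiter is a toy sliding-window counter keyed on
source IP, the kind of defence the text above calls the obvious solution.
"""
from collections import defaultdict, deque

# Assumed numbers for the demonstration (not from the article):
PER_IP_LIMIT = 10        # requests allowed per source IP per window
WINDOW_SECONDS = 1.0     # window length
SERVER_CAPACITY = 1_000  # requests per second the server can actually serve


class PerSourceRateLimiter:
    """Allow at most `limit` requests per source IP in any `window` seconds."""

    def __init__(self, limit: int = PER_IP_LIMIT, window: float = WINDOW_SECONDS) -> None:
        self.limit = limit
        self.window = window
        self._recent: dict[str, deque] = defaultdict(deque)

    def allow(self, src_ip: str, ts: float) -> bool:
        q = self._recent[src_ip]
        # Forget timestamps that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # this one address is talking too much: block it
        q.append(ts)
        return True


def make_flood(n_requests: int, n_sources: int, duration: float = WINDOW_SECONDS):
    """Constructed traffic: n_requests evenly spread over duration seconds and
    round-robin across n_sources distinct (synthetic, RFC 1918) source IPs."""
    sources = [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(n_sources)]
    for i in range(n_requests):
        yield sources[i % n_sources], i * duration / n_requests


def requests_reaching_server(n_requests: int, n_sources: int) -> int:
    """Run a flood through a fresh limiter; return how many requests get through."""
    limiter = PerSourceRateLimiter()
    return sum(1 for ip, ts in make_flood(n_requests, n_sources) if limiter.allow(ip, ts))


def server_overloaded(n_requests: int, n_sources: int) -> bool:
    """True if the traffic that survives per-IP limiting still exceeds capacity."""
    return requests_reaching_server(n_requests, n_sources) > SERVER_CAPACITY


if __name__ == "__main__":
    for label, sources in (("single source", 1), ("20,000 sources", 20_000)):
        got = requests_reaching_server(100_000, sources)
        print(f"{label:>15}: {got:>7} of 100000 requests reach the server "
              f"(capacity {SERVER_CAPACITY}) -> overloaded: {got > SERVER_CAPACITY}")
```

With 100,000 requests in one second from one address, the limiter lets 10 through; the same 100,000 requests from 20,000 addresses (five each, all under the per-IP limit) reach the server untouched. Anything keyed on the individual sender scales badly against a botnet: the defence has to operate on the aggregate (capacity, upstream filtering, spreading the service across many locations) rather than on who is asking.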
Dyn, a New Hampshire-based internet infrastructure company, provides a service most of us use on a daily basis without realizing it: managed DNS. Dyn runs the authoritative name servers for its customers’ domains. When you type a name into your browser (“neep.org”), your resolver has to ask those servers for the corresponding IP address (“220.127.116.11”) before your browser can connect to anything at all, so a DNS provider effectively sits between you and every site it serves. And like every other piece of internet infrastructure, it is a computer (or really, data centers full of interconnected computers), and can be overloaded, frozen, and crashed.
Cyber Barbie is Now Part of the Kill Chain
On Friday, October 21, 2016, tens of millions of infected devices, from security cameras and digital video recorders to power outlets, including objects sitting in ordinary homes, began their attack on Dyn’s data centers. In waves, and from around the world, the attack flooded Dyn’s DNS servers with far more queries than they could answer. Resolvers on the US east coast, and in parts of Western Europe, could no longer get addresses for the domains Dyn hosted, which intermittently cut off access to some of the most visited websites in the world. By day’s end, the west coast had been affected as well. But the question remains: how did these things become infected in the first place?
With more and more of our daily interactions being with smart objects, it’s easy to see the cause. We are largely a “set it and forget it” culture. Worn down by the number of things we have to configure, we are prone to think “if it works, don’t fix it.” Once our devices are on and functioning, the rest of the instructions, such as changing the default factory password, get skipped. A device that still answers to the username and password printed in its manual is exactly what botnet malware scans the internet for.
Additionally, the innocuous nature of many of these devices doesn’t seem to warrant concern. My fridge doesn’t know my SSN, so why does it need to be secure? Malware Barbie still can’t walk on her own yet, so no sweat. The reality is that anything that can be connected to the internet (and even things that aren’t) can be hacked and used for unintended purposes, and an attacker doesn’t need your SSN to find a hijacked fridge useful: its network connection and its processor are the prize. That, in itself, is why every one of these devices needs to be secured.
As a consumer, are you spending your money on a smart home, or a smart weapon?
Manufacturers bear the first responsibility for building security into their products, but consumers can also make informed buying decisions that help them avoid these kinds of breaches altogether. While many smart objects work over WiFi, many others, including door locks, alarm systems, lightbulbs, and temperature controls, use Bluetooth. If a cloud-based service, such as Nest, fell victim to a DDoS, your WiFi-connected home system might become unreachable altogether. Bluetooth, unlike WiFi, uses short-range wireless transmissions directly from device to device, eliminating the need for a router (one that is connected to the Internet) to pair the two. This essentially takes the connection “off the grid” and takes an extra device out of the equation, decreasing the probability that something in the chain is compromised. Devices operating independently of the Internet keep working whether infrastructure companies like Dyn are under attack or not. The caveat is that “off the grid” only removes the internet-borne threat: Bluetooth has its own pairing and implementation weaknesses, so a device in radio range is still reachable by someone standing nearby, and it still needs its firmware kept up to date.
This is just one of many possible measures, but measures must be sought nonetheless, by both consumers and manufacturers. After all, a smart home will only ever be as smart as the products within it. And while it may still be easier for someone to pick your manual lock than to hack your smart device, attackers will never stop looking for vulnerabilities. As we move into uncharted technological territory, we must be ever vigilant in this smarter, more connected world.
For more information on how smart energy homes are transforming the region, check out our new report.