The Internet Is Growing Faster Than the Ability to Defend It
Larry Greenemeier Scientific American (October 26, 2016)
With this year's approaching holiday gift season the rapidly
growing "Internet of Things" or IoT-which was exploited to help
shut down parts of the Web this past Friday-is about to get a lot
bigger, and fast. Christmas and Hanukkah wish lists are sure to
be filled with smartwatches, fitness trackers, home-monitoring
cameras and other wi-fi-connected gadgets that connect to the
internet to upload photos, videos and workout details to the
cloud. Unfortunately these devices are also vulnerable to
viruses and other malicious software (malware) that can be used
to turn them into virtual weapons without their owners' consent
or knowledge.
Last week's distributed denial of service (DDoS) attacks-in
which tens of millions of hacked devices were exploited to jam
and take down internet computer servers-is an ominous sign for
the Internet of Things. A DDoS is a cyber attack in which large
numbers of devices are programmed to request access to the same
Web site at the same time, creating data traffic bottlenecks that
cut off access to the site. In this case the still-unknown
attackers used malware known as "Mirai" to hack into devices
whose passwords they could guess, because the owners either could
not or did not change the devices' default passwords.
The IoT is a vast and growing virtual universe that includes
automobiles, medical devices, industrial systems and a growing
number of consumer electronics devices. These include video game
consoles, smart speakers such as the Amazon Echo and connected
thermostats like the Nest, not to mention the smart home hubs and
network routers that connect those devices to the internet and
one another. Technology items have accounted for more than 73
percent of holiday gift spending in the U.S. each year for the
past 15 years, according to the Consumer Technology Association.
This year the CTA expects about 170 million people to buy
presents that contribute to the IoT, and research and consulting
firm Gartner predicts these networks will grow to encompass 50
billion devices worldwide by 2020. With Black Friday less than
one month away it is unlikely makers of these devices will be
able to patch the security flaws that opened the door to last
week's attack.
Before the IoT attack that temporarily paralyzed the internet
across much of the Northeast and other broad patches of the U.S.
last week, there had been hints that such a large assault was
imminent. In September a network, or "botnet," of Mirai-infected
IoT devices launched a DDoS that took down the
KrebsOnSecurity.com Web site run by investigative cybersecurity
journalist Brian Krebs. A few weeks later someone published the
source code for Mirai openly on the Internet for anyone to use.
Within days Mirai was at the heart of last week's attacks against
U.S. Dynamic Network Services, or Dyn, a domain name system
(DNS) service provider. Dyn's computer servers act like an
internet switchboard by translating a Web site address into its
corresponding internet protocol (IP) address. A Web browser
needs that IP address to find and connect to the server hosting
that site's content.
Friday's attacks kept the Sony PlayStation Network, Twitter,
GitHub and Spotify's Web teams busy most of the day but had
little impact on the owners of the devices hijacked to launch the
attacks. Most of the people whose cameras and other digital
devices were involved will never know, said Matthew Cook, a
co-founder of Panopticon Laboratories, a company that specializes
in developing cybersecurity for online games. Cook was speaking
on a panel at a cybersecurity conference in New York City on
Monday.
But consumers will likely start paying more attention when they
realize that someone could spy on them by hacking into their
home's Web cameras, said another conference speaker, Andrew Lee,
CEO of security software maker ESET North America. An attacker
could use a Web camera to learn occupants' daily routines-and
thus know when no one is home-or even to record passwords as they
are typed them into computers or mobile devices, Lee added.
The IoT is expanding faster than device makers' interest in
cybersecurity. In a report released Monday by the National Cyber
Security Alliance and ESET, only half of the 15,527 consumers
surveyed said that concerns about the cybersecurity of an IoT
device have discouraged them from buying one. Slightly more than
half of those surveyed said they own up to three devices-in
addition to their computers and smartphones-that connect to their
home routers, with another 22 percent having between four and 10
additional connected devices. Yet 43 percent of respondents
reported either not having changed their default router passwords
or not being sure if they had. Also, some devices' passwords are
difficult to change and others have permanent passwords coded in.
With little time for makers of connected devices to fix
security problems before the holidays, numerous cybersecurity
researchers recommend consumers at the very least make sure their
home internet routers are protected by a secure password.
VICUG-L is the Visually Impaired Computer User Group List.
Archived on the World Wide Web at
http://listserv.icors.org/archives/vicug-l.html
Signoff: [log in to unmask]
Subscribe: [log in to unmask]
|