How the Web was Broken by the "Internet of Things"
October 21, 2016: Ordinary internet-connected devices – from security cameras and video recorders to home routers – were used to break a big chunk of the web.
Portions of content on this page have been excerpted from this article by David E. Sanger: "A New Era of Internet Attacks Powered by Everyday Devices." NY TImes, 22 Oct. 2016, http://www.nytimes.com/2016/10/23/us/politics/a-new-era-of- internet-attacks-powered-by-everyday-devices.html
When surveillance cameras began popping up in the 1970s and ’80s, they were welcomed as a crime-fighting tool, then as a way to monitor traffic congestion, factory floors and even baby cribs. But now those cameras — and many other devices that today are connected to the internet — have been commandeered for an entirely different purpose: as a weapon of mass disruption. The internet slowdown that swept the East Coast on Friday [October 21 2016], when many Americans were already jittery about the possibility that hackers could interfere with election systems, offered a glimpse of a new era of vulnerabilities confronting a highly connected society.
Affected areas of Internet disruption on Friday, Oct. 21 2016 (source: Level 3)
The attack on the infrastructure of the internet, which made it all but impossible at times to check Twitter feeds or headlines, was a remarkable reminder about how billions of ordinary web-connected devices — many of them highly insecure — can be turned to vicious purposes.
Remnants of the attack continued to slow some sites [the following day], though the biggest troubles had abated. Still, to the tech community, Friday’s events were as inevitable as an earthquake along the San Andreas fault. A new kind of malicious software exploits a long-known vulnerability in those cameras and other cheap devices that are now joining up to what has become known as the Internet of Things.
What is the Internet of Things?
The "Internet of Things" (or IoT) is a term for everyday objects having network connectivity. It enables you to monitor your house by webcam, listen to music on portable speakers, adjust the lights and unlock the door using an app on your phone. Appliance manufacturers now market refrigerators and washer/dryers that can order food, supplies or repair automatically. When Google and the Detroit automakers get their driverless cars on the road, the internet of things will become your chauffeur.
The risk is that hundreds of thousands, and maybe millions, of those security cameras and other devices have factory-set passwords — often “admin” or “12345” or even, yes, “password” that can be guessed, and then turned into an army of simple robots. In this case, each one was commanded, at a coordinated time, to bombard a small company in Manchester, N.H., called Dyn DNS (the phonebook of all internet addresses) with messages that overloaded its circuits. The issue is that most of the devices have been hooked up to the web over the past few years with little concern for security. Cheap parts, some coming from Chinese suppliers, have weak or no password protections, and it is not obvious how to change those passwords. This is how the hack took place.
1. When manufacturers add connectivity to their products, security is not a prime concern
2. Inadequate security (due to poor design, set up, or both) allows these products to be abused
3. People should buy wisely and only use such devices on a properly secured home or business network