Editorial: The massive U.S. Internet outage demonstrates the dumb power of smart devices
The more we learn about the cyberattack that brought down much of the Internet in the United States last Friday, the more appalling it becomes.
Landing in three waves, the attack temporarily crippled parts of Dynamic Network Services, better known as Dyn, which connects some of the largest Web-based companies with their customers. As a result, Internet users on the East Coast and later across the country were blocked or delayed when trying to use such popular online services as Netflix, eBay, Twitter and PayPal.
Investigators could tell right away that the attack was the work of a botnet — an army of far-flung devices surreptitiously commandeered by hackers and directed to do mischief. In this case, Internet-connected digital video recorders, security cameras, printers and routers were instructed to overwhelm Dyn with data packets requesting information. The volume was so great, Dyn’s servers weren’t able to handle the legitimate requests from Internet users trying to reach Dyn’s customers.
The Dyn attack showed an alarming level of vulnerability in the Internet.
The latest revelation is that the attackers may not have meant to cause the virtual havoc they wrought. Instead, according to researchers at the cyber-security firm Flashpoint, the target appears to have been a single Dyn customer, Sony’s PlayStation Network. But the way they chose to do it was to gum up a core Dyn service that many of its customers relied on.
More alarming is that much of the Internet was brought to its knees by attackers, or even a single person, using malware whose source code is available to any enterprising hacker. Called Mirai, it scans the Internet for devices that it can infect — according to security researcher Brian Krebs, that would include those with user names and passwords that were set by the manufacturer and left unchanged by the purchaser. It then loads software that enables the device to be controlled remotely, although only for limited purposes. The primary use: joining a global swarm of infected devices to flood a site with data packets.
What makes Mirai especially dangerous is the enormous number of Internet-connected devices that it can infect. Dyn says that last week’s assault came from more than 10 million separate devices online, which researchers say probably makes it the largest botnet attack ever. And according to Krebs, many of these devices have factory-set passwords that users could not change even if they wanted to. That makes them that much more vulnerable to being hijacked.
The Dyn attack showed an alarming level of vulnerability in the Internet. And the cause wasn’t lax security at Dyn or the companies that used Dyn’s services. It was poorly designed devices bought by millions of people who became the attackers’ unwitting accomplices.
It’s not that the tech industry was blind to the problem of botnets, which have been around in one form or another for years. But the push to connect all manner of devices to the Internet, whether it be a television set, a thermostat or a door lock, is relatively new (the so-called Internet of Things). It has also gained momentum in a hurry. In a recent letter to federal regulators, U.S. Sen. Mark Warner noted that the number of Internet-connected devices is projected to grow to nearly 40 billion by the end of 2020.
A fundamental problem, as Warner put it in a letter to several regulatory agencies, is that “there is no requirement that devices incorporate even minimal levels of security.” In fact, it’s hard to define what that minimal level might be, given how rapidly new cyber threats emerge and how widely these devices range in capability. Nor is there any agency or association testing Internet-connected coffee makers, baby monitors or smoke alarms to measure how vulnerable they might be to attack, although there is an emerging effort to do so for software.
But as the Dyn attack clearly showed, vulnerabilities aren’t just the manufacturers’ fault. People who attach smart devices to the Internet without changing the default user name and password are just setting those products up to be part of a botnet. They may not care if their webcam becomes part of a zombie army attacking the PlayStation Network. But what if they can’t get into PayPal when they’re trying to buy something they urgently need?
Or worse, what if the attacker isn’t assembling a botnet, but trying to steal sensitive personal information? Hackers have been known to tap into webcam feeds, and even to stream video from a camera without the owner’s knowledge.
If consumers demand more secure products, device makers will produce them. But that demand may not emerge unless the tech industry does a better job telling its customers what to look for. Today, the marketing pitches are all about cool features, convenience and ease of use — not about the manufacturer’s attentiveness to security and its commitment to respond with updates when problems emerge.
Device manufacturers may need to sacrifice some convenience by forcing their customers to change each new device’s user name and password as soon as they connect it to the Internet. And ultimately, they may need to follow the lead of computer software companies and push updates automatically to their connected devices, rather than relying on their customers to install patches dutifully. At the very least, though, they need to make sure that their products can be updated. Policymakers and industry leaders should push device makers to take that step while the memory of the Dyn attack is still fresh.
A cure for the common opinion
Get thought-provoking perspectives with our weekly newsletter.
You may occasionally receive promotional content from the Los Angeles Times.