An Oct. 21 attack on one of the largest domain name system services, Dyn, made headlines for knocking out major websites like Amazon, Twitter, Netflix, Spotify, and major blogs and news sites. Aside from its wide reach, the attack was notable for another reason: it used a botnet built not only of computers but also of hacked smart devices like DVRs, cameras, digital thermostats, and even baby monitors. Ironically, 2016’s Cyber Security Awareness Month was marked by the largest distributed denial-of-service (DDoS) attack yet on Internet sites in the United States and Europe.
The attacked smart devices are part of the growing “Internet of Things”—the embedding of Internet-connected technology and data sharing into everyday objects to make them smarter and more efficient. In our homes, we are seeing Internet-connected devices and sensors in fitness trackers, thermostats, security systems, refrigerators, and more. Smart? Yes. Secure? Sometimes.
The Internet of Things is just the next phase in using cyber means to monitor and operate physical devices. For decades, industry has used computers to connect with communications networks to automate all types of services—everything from delivering electricity to dispensing cash at an ATM. But while most companies work diligently to make their systems and devices secure, most smart consumer devices don’t have the same level of built-in security and consumers frequently ignore even basic security features.
On a much bigger scale, the Internet of Things represents adding smart devices into entire infrastructures and cities: a smart electricity grid that can diagnose and self-repair outages, smart parking sensors that alert cars of free spots, smart building technologies that automatically optimize lighting and HVAC for efficiency, and self-driving cars, to name a few. Devices that can connect to the Internet—and to each other—will be the hallmark of the smart cities, smart buildings, and smart homes of the future.
The attack this month highlighted the key cyber security challenge behind the Internet of Things: every smart device must also be a secure device, or it risks becoming another tool in an attacker’s belt. This is true for smart devices in homes, and especially true for those smart sensors and switches that are now embedding advanced capabilities into the energy, transportation, water, and other critical infrastructures.
Three cyber security challenges will come to the forefront as we head into a “smart” future:
Billions of new smart devices are growing the attack surface. Every unsecured device capable of sending information to or receiving information from the Internet offers another potential avenue of attack. Devices can be compromised and used as part of a botnet to help launch an attack, as they were in this month’s DDoS attack. Or, some smart devices could provide an entry point for an attacker to gain access to a connected system to steal information or manipulate system controls. There is no industry security oversight association and few security standards for many of the smart hardware devices, like routers and DVRs, that were compromised in this month’s attack, reports security blog KrebsOnSecurity. Security standards and interoperability are a common challenge across many industries that are building in smart sensors and automation.
Sophisticated tools lower the bar of skills and knowledge a hacker needs. Hackers often share or sell hacking tools, source code, or data on vulnerabilities that make it easier for someone to launch an attack with fewer skills or direct knowledge than in the past. For example, this month’s attack used a malware strain known as Mirai—for which the source code had just been released by the malware creator in September. Mirai can be used to search the Internet for devices that still use factory-default usernames and passwords, and then enlist those devices in DDoS attacks.
Cyber attacks on key infrastructure are increasingly targeted and well-resourced. U.S. government and private infrastructure are seeing more sophisticated attacks on their cyber networks from foreign governments, nation-states, and organized groups, according to the Director of National Intelligence. Often called advanced persistent threats (APT), these actors are more likely to have the sophisticated capabilities, organization, and resources needed to target sensitive networks, such as government networks and power grids. The unprecedented cyber attacks last December that caused outages on the Ukrainian power grid, for example, were synchronized, coordinated, and exhibited “extensive reconnaissance,” according to ICS-CERT.
As Cyber Security Awareness Month comes to a close, we are now three months away from a new Administration that must address these challenges head on over the next four years. It will require close coordination among public and private sector cyber experts and those who own and operate the nation’s most critical computer networks.