19 Jun 2017
It meant a few hours of mere inconvenience for most of the world but catastrophically costly downtime (and bad PR) for some very big brand names.
Scarier still, the three waves of the attack didn't come from malware installed on countless PCs (usually the case in DDoS attacks) but devices like DVRs, security cameras, webcams, modems, baby monitors, web-connected thermostats, coffee makers and fridges.
The official statement from Dyn said 'tens of millions of IP addresses' (the unique identifiers for devices connected to the internet) were involved.
By now you'll be familiar with the term 'the internet of things' (IoT). It refers to machines connected to the internet the same way computers, phones and tablets are.
IoT devices take readings through sensors and perform tasks – often simple ones – and when the data from them is combined, it can make life easier, reveal business insight or help us more efficiently manage the technology we're surrounded by every day.
IoT devices and sensors are everywhere – from scales on freight trains reporting on how cargo shifts to your household broadband modem. And just like your PC or iPad they can be hacked.
" There are major concerns security isn't being sufficiently baked into some very simple IoT tools."
First, it helps to appreciate the scale of the potential problem. Gartner research said a few years back the world would contain 8.4 billion IoT devices this year, up a third on 2016. By 2020, the same report said we'd have 20.4 billion of them.
By the same year, management consulting firm Boston Consulting Group said the world would spend $375bn on IoT alone, over and above normal IT expenditure.
As eager early adopters of technology, Australians are embracing the IoT wholeheartedly, and technology research firm Telstye said Australian homes will contain 300 million IoT devices by 2021, a market worth $US5 billion.
The firm estimates while the average Aussie household contains 13.7 internet connected tools today, it will balloon to 30.7 in 2021, with 14 of those being IoT devices.
All of which makes security a huge priority, and there are major concerns it isn't being sufficiently baked into some very simple tools.
As Destiny Bertucci, spokesperon for IT monitoring and management tools provider SolarWinds says, "for most IoT vendors, security is still taking a back seat to speed to market."
But the message might be slowly getting through. SolarWinds' Speed of IT survey said more than half of all Australian organisations polled thought security was essential to overall network management, which for many includes IoT.
There are already more IoT use cases across more sectors than you can count. If you run an automated manufacturing plant and a single cog or fuse goes out it can stop your entire production line.
Battening down the hatches
Here’s what you can do to protect your IoT devices.
The IoT Alliance Australia has a downloadable Internet of Things Security Guidelines document.
It's European counterpart, the London-based IoT Security Foundation has also published a series of best practices.
IoT sensors attached to individual components or processes can reveal your vulnerable points and warn you when they're about to fail, letting you schedule maintenance.
In mass market retail, IoT warehousing and sales data can give you needle-point accuracy about inventory movements.
Smart meters in homes are letting us plan our power usage to save money and remote medical monitoring lets your doctor keep an eye on you in real time thanks to sensor data about your health.
IoT devices are going to outstrip the traditional tools we use to connect online (PCs, tablets, etc) by orders of magnitude and as the field grows, many experts are warning about how vulnerable it is.
You might be surprised how the Dyn attack was even possible – how can modems or TVs get infected with malware, the same way your computer can by downloading a dodgy email?
The reason is because more and more of our world works on software and even the tools with the simplest functions – picking up and displaying a digital TV transmission, retrieving the correct time to display on a coffee maker, etc – run on rudimentary operating systems.
That means they send and receive data just like your laptop sends an email or downloads the contents of a Facebook page - and if you know how to program in the correct language you can write (or buy) a virus for any IoT device.
Despite the reach of IoT, there's a Wild-West quality about the field with devices rolling off production lines faster than the law can keep up.
At the large industrial end of the scale there's a little more scope for IoT security – a lot of large enterprise cloud services offer more secure infrastructure or dedicated pipes keeping customer data needs separate from the rest of the internet.
Some large technology companies also offer their own platforms upon which to build and deploy IoT fleets. Examples like GE's Predix are essentially IoT operating systems and much like the operating system of your laptop, you can secure them using antivirus software, firewalls and formal policies.
But things at the consumer end are very different, and two themes emerged from October 2016 findings by the Consumer Technology Association (the organisation behind the yearly CES trade show).
First, only half of more than 15,000 respondents to a survey said IoT concerns had stopped them buying a device and only about the same amount said they changed the default login access to devices such as a DSL or cable router– which doesn't even take into account the number of tools making it hard to change the passwords or which have the password permanently hard-coded in.
But there are positive signs we're becoming more educated – or at least worried. University of Washington researchers found parents and even kids expressed privacy concerns about internet-connected toys.
Using similar technology as Siri, which uses voice recognition and machine learning to respond to questions, toys like Hello Barbie and Cognitoys respond to questions by their young owners, but few users or parents realised they were recording kids' voices and storing them in the cloud, a potential legal minefield.
Governments are also showing signs of trying to catch up. During 2015 the US government spent around $US8.8bn in security, with the majority of those funds put into IoT infrastructure and investments like sensors and wireless devices. Australia's own plans to combat IoT cybercrime is the next step in the government's efforts (more below).
You're driving to a client meeting when your smart car realises one of your brake pads is a bit worn. It checks your GPS coordinates to figure out where you are and checks review websites for the best mechanics in your area.
It also checks your calendar to see if you have any appointments later on. If not, it connects with the online platform to invite local brake specialists to bid for the job, finding the best candidate who has an appointment when you're available, and makes the booking.
It's entered automatically into the workshop's scheduling and billing systems and sends you a text or email to tell you about the appointment, all done behind the scenes in the Internet of Things with no human involvement whatsoever.
Sensors and software agents have reported on readings and communicated across platforms and your worn brakes are on their way to being fixed before you even know they were a problem.
Lecture some consumers about IoT security and they'll roll their eyes. Home security cameras and modems will likely never store our credit card numbers, after all, and surely manufacturers build in safeguards to stop a hacker taking control of our smart car, sending it careening into oncoming traffic?
Jason Humphrey is ANZ’s head of retail risk. He talks about an obscure example he came up against where one of ANZ's credit partners worked with a manufacturer of refrigerators under a new partnership.
"If someone hacked into the network that operates the internet capability of the fridge, details like when you may be at home, on holiday or are about to go on holiday might be found," he says.
To Humphrey, one of the lynchpins of IoT security is you're only as strong as your weakest link.
"Thinking of each connected device as independent of your home network creates this issue," he says. "If someone can access my connected fan settings they can access my wi-fi network, so they can access my laptop and other connected devices which have personal details stored on them."
And if the above isn't enough to scare you, how would you like to come home after a hard day's work looking forward to a relaxing evening on the lounge to find your TV had been frozen by ransomware, as the family member of one Twitter user was horrified to discover
The trick is to think of every device in your home or office which connects to a service online in the same way as your laptop or phone.
"[They're] no different," Humphrey agrees. "The least expected device which may not be protected creates a backdoor that enables open access to all your details – the difference is that manufacturers such as phone and computing are more seasoned in dealing with hacking."
All of which begs the question of how prepared device manufacturers are. We asked US modem manufacturer Arris how it secures its consumer devices and a spokesperson said not only do all devices are manufactured to OWASP 10 standards but the company 'regularly and proactively monitors our device portfolio to discover and address potential vulnerabilities, including malware attack vulnerabilities'.
But even though we might feel safe with devices made by big company names, many internet-connected tools are outsourced or manufactured in regions where cybersecurity might not have as much oversight or have much of a regulatory framework. And as we've already seen, IoT is a huge and growing industry.
Aside from the potential for malware, identity theft and all the scary stuff cybersecurity experts are always warning us about, it seems we can never be sure what the manufacturer of our devices is doing with the information they generate – unless we have lawyers go through those endless T&Cs before we click 'agree'.
The Guardian's Rise of the Machines makes the case while IoT might be all about convenience and interconnectedness, we shouldn't be so naïve as to think it exists solely to improve our lives rather than corporate profit.
As the story says about a new, easy-purchase IoT device offered by ecommerce giant Amazon; “It is an asset, and you can be sure Amazon will exploit it in every way its terms and conditions permit – including by using it to develop behavioural models which map our desires in high resolution, so as to target them with even greater efficiency in the future.”
In many cases, users have no idea about the data their devices even generate, let alone the fact it can be transmitted across the internet and potentially hijacked.
But even if we ensure IoT devices are manufactured with cybersecurity safeguards from now on, there are already billions of routers, Hello Barbie toys and remote home control tools from vendors like Nest (nest.com).
Just days before the October 2016 takedown of backbone provider Dyn, research warned half a million IoT devices were vulnerable to botnets like the notorious Mirai which has CISO's sweating bullets.
"Manufacturers of connected devices should be providing the means to upgrade software and firmware regularly," Destiny Bertucci of SolarWinds says. "Also they should ensure security is built in from the outset to combat new security vulnerabilities, and users should make sure they're actioning them."
In a world where IoT devices and their flaws already surround us, the only resource disgruntled consumers might have available to them will be the law.
Paul Gordon, senior associate of Adelaide firm NDA Law, specialises in technology cases, and to him, it will take 'significant backlash' before anything changes.
"The laws will need to change not only to be more protective of individual privacy, but also to raise the expectations on manufacturers and operators of new technologies to be more mindful of regulations," he says.
But to Robin Schmitt, Australian GM of Neustar, a provider of real time information services, the only possible way is up.
"As IoT evolves, collaborating openly and adopting standards and certifications will strengthen the industry as a whole," he says.
Schmitt points to the EU's developing framework for better regulation of connected devices, including the drafting of legislation around the time of the Dyn DDoS attack.
"[It] would include a certification system notifying consumers of the level of security of their device," he says."
And while the National Plan to fight Cybercrime adopted by the Australian government doesn't mention IoT devices specifically, Schmitt says it's been listed as one of the next priorities in the government's cybersecurity strategy.
All of which isn't to say there aren't already standards and credentials the industry itself is touting. The enterprise arm of US mobile provider Verizon has a service offering security credentials between users and products, one which provides a standard making the tracking of and fixing vulnerabilities easier.
But in the absence of any formal framework which applies to your industry, Bertucci of SolarWinds thinks we should approach IoT with the same policy-based approach we would any security risk.
"Policies and procedures need to be strategised now, before the first device even enters the door," she says. "In fact it's likely the first connected device is already in the organisation and the IT team just doesn't know about it yet."
Drew Turney is a freelance technology journalist
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
19 Jun 2017
20 Jun 2017
10 May 2017