When Things Attack! – The hacking game has changed

As I started writing this blog, I happened to be watching an episode from the new season of Black Mirror on Netflix. Black Mirror is a SciFi anthology series, ala the Twilight Zone, although with a much darker perspective on both humanity and technology. I found the episode, ‘Most Hated in the Nation’ somewhat apropos to my topic. The episode follows a police detective investigating the apparent murder of a columnist. This individual had been deluged with social media hate diatribes that would seem familiar to many. As the investigation continues, more mysterious deaths occur, with the victims all being targets of similar social media anger. Meanwhile, in the background, there are various news stories and visual cuts to ADI’s, Autonomic Drone Insects. These tiny bee-like drones are being deployed throughout the country to replace the dying bee population, allowing for the continued pollinizing of crops.

Bee Anthidium sp.-in a dangerous position

Spoiler alert! As you can probably guess, it turns out someone was able to hack into the ADI’s to pervert their actual purpose. The drones were killing the individuals in rather gruesome fashion and the killer was using the social media hate to target his victims. There was the obligatory arguments from the manufacturers that the ADI’s could not be hacked….pause for effect….except for the back doors the government forced them to put in so the drones could be used for surveillance. Then enter the standard disgruntled employee who leveraged the back doors to make a very public and violent social statement about spewing hate in social media without consequences. (As I mentioned, Black Mirror takes a very dark view on both humanity and technology in most of their episodes). The killer hacked millions of small intelligent devices, and turned them into weapons.

 The recent Internet outage, a new kind of attack

On Friday morning, October 21, the first of several DDoS (Distributed Denial of Service) attacks on the core DNS infrastructure of the Internet on the East coast. This attack caused significant outages for major internet sites such as Twitter, Spotify, Reddit, and Amazon. I was working remotely for a client and felt the impact directly. The client provides consultants access to their internal environments via Amazon Workspace. On Friday morning, we could not get access to that environment while the attack was occurring, which as you can imagine, made for a very frustrating day.

DDoS attacks are not a new phenomenon. However, there were several key things that made this one a little different:

  • Most DDoS target a specific website or company. This one targeted a key part of the internet infrastructure, DNS, provided by a particular vendor, Dyn. This resulted in it having much broader reach and impact.
  • Dyn described the attack as a “very sophisticated and complex attack.” As Dyn took mitigation steps against the attack, it would change, and adapt, making their efforts to respond much more difficult. They would start blocking the attack from one area, and very shortly, new IP addresses from a completely different part of the world would start attacking.
  • The attack was coming from tens of millions of discreet IP addresses from around the world. In the past, these kind of attacks came from hijacked computers and laptops that had been infected with malware. This attack went further. Besides the same hijacked computers, this attack also used infected ‘Things’ from the Internet of Things. Devices like DVR’s, webcams, baby monitors, home routers.

Mr. President, they are using our own devices against us

Okay, I admit, a little corny, but the point is a valid one (bonus points if you can identify the movie I am paraphrasing).  The Internet of Things (IoT) is growing at astronomical rates. Gartner predicts that by the end of this year, there will be over 6.4 billion ‘things’ on the Internet, up 30% from last year. They estimate we are currently adding 5.5 million devices every day. A common topic of discussion and concern in the IoT space is security. As those that frequently read my articles know, this is a topic near and dear to my heart, quite literally. I have a pacemaker and insertable cardiac monitor in my chest (see my recent blog, ‘Musings on the Internet of Things – I am now a Thing’).  Whenever the words IoT and Security show up in my newsfeed, I pay attention.

Most often when discussing security concerns related to the Internet of Things, the conversation tends to focus on 2 aspects:

  • The increased attack surface: All of these devices extend the attack surface of networks, providing more potential entrée points into a corporate network.
  • The potential lack of solid security implementation in these devices. Many devices still ship with standard default username/passwords, and sadly, many users never bother changing them (see my blog ‘Hacking and the Internet of Things’ for some detailed descriptions of this).

This attack takes the first item of concern, attack surface, and completely flips it on its head. Instead of worrying about the devices acting as an entrée point to access data, we now have to worry about the devices being an actual tool and weapon in the attacks themselves. While not going to the extreme level of the Black Mirror episode I mentioned at the beginning, the hackers have started weaponizing our Things on the Internet. They are using them against us. The hackers are able to accomplish this in large part due to the 2nd item of concern I mentioned. The lack of security implementations on many devices is a continuing struggle in the world of the Internet of Things.  Balancing consumer ease of use with security is like walking a tightrope over a tank full of hungry sharks. Striking that balance is never easy.

No, the Things are not going to destroy civilization as we know it

This is not meant to be a doomsday prophesy. I do not subscribe to the dark view of humanity and technology displayed in Black Mirror. The Internet of Things, like any disruptive technology, has the ability to turn our viewpoints and paradigms on their heads. Last week’s attack is a prime example of that. Given the raw numbers, the Internet of Things genie is out of the bottle, and there is no putting it back in. No technology negates the need for good design and planning. Those designs and plans must always include security as a key area of focus.

As technologists, we need to look at security from a different perspective. We have to think about the potential hackers differently. In the old paradigm, it was simple: protect the data, protect the boundaries of the data centers. That is still valid and needs to be done. But in addition, we need to look at through the lens of disruptive technologies. Working with vendors to implement stronger security measures on their devices. Work with educating end users of their use of these devices, ensuring they do not compromise them in the name of ease of use. We also need to look at other new disruptive technologies that could help in this battle. For example, machine learning is starting to be looked at as a tool that might help identify and respond to a security breach, adapting to changing attack patterns.

Ultimately, security in the world of technology is always a delicate balancing act between access, usability, and protection. It is critical to understand the risks, work with the business to educate them on the balance/tradoffs, and take the appropriate measures to ensure the proper balance is maintained. Oh, and if you hear a bee buzzing near your head, ignore it, I am sure its nothing.