The Internet of Things: Security Solutions Required, Outside the Box or Otherwise

The Internet of Things (IoT) has arrived and along with its promise comes the potential for misuse. The upside to technology is wonderful and progress should not be slowed down. However, we need an equally prolific force working on solutions for when the downside rears its ugly head. One example of the downside appearing is the attack on Internet security researcher Brian Krebs’ website. If you haven’t heard about the Krebs hack and Akamai Technologies (the company that provided security for Krebs website) then I encourage you to look it up, plenty has been written about it. I won’t retell the story here but instead I wanted to take a closer look at a few topics related to the story and how they point to a much larger problem coming down the road.

When I read about the Krebs hack I encountered the terms bot and botnet. “A system known as a bot, zombie, or drone secretly takes over another Internet-attached computer and then uses that computer to launch or manage attacks that are difficult to trace to the bot’s creator. The bot is typically planted on hundreds or thousands of computers belonging to unsuspecting third parties. The collection of bots is often capable of acting in a coordinated manner; such a collection is referred to as a botnet.” (p. 222–223, William Stallings, Lawrie Brown, Computer Security Principles and Practices 3rd ed., Pearson Education Inc., 2015, 2012, 2008.)

In the Krebs attack a botnet was used to conduct a Distributed Denial of Service (DDoS). Denial of service attacks can bring your system down by flooding it with more requests than it can handle. This hack was different because instead of infecting computers this botnet was composed of tens of thousands of Internet of Things (IoT) devices. The vulnerability of these devices allowed the hackers to easily plant bots and send large volumes of traffic to their target.

Initially, I assumed that making bots must be a task that a small circle of sophisticated hackers could accomplish. However, after some research I found that a little over 60% of web traffic is not human. In addition to bots, this non-human traffic is composed of a variety hacking tools attempting to impersonate people.

It is important to make the distinction that not all bots are built for nefarious purposes. The definition above from Stallings and Brown is made from a security standpoint. If you search for “bots” (even here on Medium) then you will find many articles talking about their use for commercial and other non-destructive purposes. However, if you think about the Krebs hack coupled with the fragmented, highly-incompatible security built into IoT devices, you may think twice about unregulated bot creation. The barrier to entry for bot building is very low. You don’t necessarily have to be technically adept to learn how to make them. As with most things on the internet, there are articles, tutorials, and programs that can help you to build them.

A group of U.S. senators are attempting to address safety concerns by working on a bill to regulate security standards for companies that make Internet of Things devices. However, security is a constantly evolving game where a patch goes out to fix one vulnerability and hackers eventually figure out ways around it. So far, we have focused on bots and denial of service, and some people may read this and point to DDoS mitigation as a solution. However, DDoS is one of many threats that IoT faces. The frequency and variety of hacks discovered by attackers combined with the abundance of vulnerabilities built into IoT devices multiplies the problem greatly. The ongoing struggle between hackers and security gets lopsided if it’s easier for hackers to learn to build destructive tech faster than security experts can learn to safeguard against it. As security evolves, hacks are evolving as well. Legislation is a step in the right direction but it will take a sustained and entrenched effort to keep security ahead of the hackers learning curve.

We were connected with phones and computers but now we are also connected by thermostats, Xboxes, cars, and a growing variety of devices. Companies are racing to ensure that you can control everything from your TV to your doorbell by smartphone. No matter where you are, you are connected and in control. The upside to the Internet of Things is amazing but if we look at the Krebs hack then we must acknowledge how scary the downside can be. The internet is a valuable public resource for all. We can’t treat it like some empty stretch of desert highway where you can do whatever want, because no one is looking. It must be treated like the highly-populated, economically vital road that people depend on. Just like roads, hospitals, schools, food, and water are resources that government helps to protect for the public, the internet must be cared for as well. Legislation and increased education in computer security are part of the solution but something more substantial will eventually be required. Innovation in network security techniques must be supported by the government.

The U.S. Senators working on the bill mentioned earlier, enlisted the help of academics and computer security experts. One possible solution could be the coordination between the government, academics, and computer security experts on a more permanent basis. They could work together under a single agency whose primary expertise and sole responsibility would be to protect networked systems that are vital to health, safety, business, government, and other essential sectors. They could also coordinate on developing protocols, policies, technical infrastructure, reduce vulnerabilities, enforce safety standards, and begin a proactive effort to monitor the creation and use of non-human web traffic.

I understand that our current state of politics is not ideal for the formation of such an agency, but it doesn’t hurt to start discussing potential solutions. We need all solutions on deck, outside the box or otherwise. We need expert minds gathering together, looking at the problems, and coordinating solutions. As our technology becomes more connected, we must become more coordinated in our efforts to prevent the stealing from, corrupting, or shutting down of essential networked systems. Hopefully this article gives readers a place to start thinking about internet security and the larger world. We do not need to be scared of progress, we can embrace the upside of change as long as we are just as determined to develop solutions for the downside as well.