A distributed denial-of-service (DDoS) attack against the website of Brian Krebs highlights how insecure the Internet of Things is. Brian Krebs, a cyber-security reporter, was on the receiving end after he exposed and led to the arrest of two proprietors of an online attack-for-hire service.
Distributed denial-of-service attacks entail overloading websites and other internet connected systems with traffic and then making them crash. DDoS attacks use insecure internet connected computers to to build a botnet and participate in the attack.
The massive Krebs attack exposed the use of new tactics by cybercriminals. It was new due to the enormous scale and the devices recruited for the attack. CCTV cameras, home routers, digital video recorders and other embedded computers — the Internet of Things — were used for the attack rather than traditional computers.
The IoT is very insecure and requires the attention of the government to fix the problem. The insecurity is a market failure.
Notable companies such as Microsoft, Samsung, and Apple release security patches for their computers and smartphones with regularity. Embedded systems such as home routers and digital video recorders do not enjoy the same security testing and vulnerability patches like computers and smartphones. In fact, most devices cannot be updated. The source code of the Krebs attack botnet has been made public but even then the devices cannot be updated. The best you can do is to throw away the DVRs and home routers since their firmware cannot be updated.
Another aspect of security is that computers and smartphones are replaced quite regularly. However, the embedded IoT systems are rarely replaced. A new DVR is bought every 5 to 10 years while a refrigerator will be replaced once every 25 years. Others like a thermostat are most likely never replaced.
Already the banking industry is grappling with the security problem of ATMs that were embedded with Windows 95. It represents problems that will be replicated all over the IoT.
So, why is it a market failure? The market cannot fix the security problem with IoT systems. Neither the buyer nor the seller cares about security. The owners of the devices want to buy cheap and only care about their devices being functional. After all, they do not know the victims of DDoS attacks. The sellers also do not care since they are currently selling newer and better models.
There is no market solution to IoT insecurity. It has been described as an externality, a term used by economists to refer to the effect of the purchasing decision that affects other people. It has been likened to invisible pollution.
Market failures are only solved by government regulation. Therefore, unless governments take a proactive step, the Internet of Things will remain wildly insecure.
Governments can introduce regulation that requires manufacturers of IoT devices to make them secure irrespective of the fact that their customers don’t care. The security regulations could impose liabilities on the manufacturers that do not comply. The result would be a high cost of insecurity that will force manufacturers of IoT devices to spend money to ensure their devices are secure.
However, government regulation would only be a domestic solution to an international problem. The internet is global and devices elsewhere can be used to mount an attack locally. Cyber criminals can create a botnet of devices in Asia to mount an attack in the United States.
We are still a long way out and a long time from securing the Internet of Things. People can still expect more attacks that utilize the insecure IoT devices. However, all effort should be geared towards building the internet that is resilient to attacks of this kind.