The internet of insecure things

On 23 September, the website of Brian Krebs, a journalist and researcher specializing in security, was the victim of a distributed denial of service (DDoS) attack.

So far, so — relatively — normal: these types of attacks are sadly common on the web, both for lawful purposes such as organized protests (the equivalent of a demonstration in the street) and for illegal activities (silencing opinion, blackmail, etc.), to the extent that there are botnet rental services to carry them out. The fact that Krebs has covered such practices by cybercriminals, reducing their ability to operate and forcing them to find new methods, makes him a routine victim.

In this case, however, the attack was of a far higher magnitude than normal, more than double that seen so far, and many of the devices trying to access the page were not computers but surveillance cameras, digital video recorders, home routers and other connected internet of things (IoT) objects. A piece of software known as Mirai drew on a list of 68 generic username and password pairs used in these kinds of devices, which are readily available and did not require the user to change them in any way, making the devices very vulnerable. Welcome to the so-called Internet of Insecure Things, which I’ve been talking about for some time.

This isn’t the first attack of this kind I’ve heard about by criminals who want to stop somebody from showing how they commit crimes. Initially, what happens is that those targeted take a “devil take the hindmost” approach: Akamai, which offered Krebs free hosting, was going to deregister the site due to the problems it was causing them, until it realized what a PR disaster this would be, and in the end it was Google’s Project Shield that came to the rescue.

The post-mortem of the attack suggests that most of the devices used were connected within the EMEA region, and also shows how easy the attack was to organize by seizing control of conventional computers. We face a potentially gigantic problem: as the great Bruce Schneier says, we must save the internet from the internet of things, because silencing someone has never been so easy and so cheap as now. Living in a world where anyone can threaten, blackmail or silence at will is not good for anyone.

It is not easy to maintain our guard on issues related to security: we tend to associate risks with ourselves, to minimize the likelihood of them happening, and to assume that by installing things properly we have done our bit, when the reality is that in many cases these devices leave much to be desired in terms of their standards and sometimes leave default passwords in easily visible locations.

The mind-boggling mishmash of manufacturers, protocols and companies behind the IoT ecosystem looks set to lead to attempts to regulate via public institutions, an approach I’m not always sure is a good idea and that will very likely become another part of the problem. Attaching a computer to every lock, thermostat, bulb, car and anything else we can think of can be very useful, but we must not forget that an internet-connected computer can cause us and everybody else a lot of problems.

The last few days will have been very unpleasant for Krebs, who will have seen his website fall victim to attacks from the very people he is fighting. But at the end of the day, he is a journalist and this is what he does. What’s more, he will have been given a lot of visibility, as well as an understanding of the scale of the problem and support from the right people to defend himself. This will not be the only attack with these characteristics. No, security is not an easy task. But every day, it is a task for us all.
