What the Internet-of-things DNS attack means for the digital society

The cameras are attacking! The printers are going rogue!

Kenneth Cukier
the self-driving company
Nov 22, 2016

Areas of attack recorded by downdetector.com (map adapted from NYT)

A journalist at 52insights, Alex Gray, asked me to comment on the network-based attack on the domain name system managed by Dyn, via net-enabled devices like cameras and printers. It’s the first major distributed denial-of-service (DDoS) attack to “weaponize” Internet-of-things (IoT) devices — and points to even more trouble to come. Or, as I put it below: “one of the pathologies of big data.”

Since only a smidgeon of one’s views ever makes it into an article, below are my fuller thoughts:

The attack on Dyn seemed to wake people up to the dangers of smart devices. Why was this attack not foreseen? Or was it?

The Dyn attack was absolutely foreseen for many years — it’s just that no one believed the warnings. Security experts have been screaming about the vulnerabilities of the internet for two decades, which is made even more insecure by net-enabled devices like printers, baby-monitors, cameras and wifi routers. They are all “sleeper agents” for this sort of attack. But no one likes to listen to worriers. And because internet security consultants also sell their services, their warnings seemed to be motivated by self-interest. So their warnings were ignored.

Was this a matter of not thinking through the implications of technology before making it commercially available?

It’s worse than that: there’s no incentive to build strong security into net-enabled products. The technology of the internet developed quickly because it’s an “open network,” which means anyone can connect to it. That’s unlike a network like a mobile carrier’s, where you need to have a contract and pay. So the net is cheap and easy for ISPs, and thus for content creators (think Twitter) and customers (you). But openness comes at a cost. It’s vulnerable. This wasn’t a problem when the net was built — the only users were US military contractors. But we are now suffering the consequences of its liberalism. The attack has to be seen as one of the pathologies of big data.

The root of the problem is that there’s no incentive to build strong security into products. No one buys a printer or digital camera because its wireless chip has strong encryption; people care about printouts and pixels. And the cost of the attack is not borne by the gadget companies or their customers but by another class of people entirely — the public — long after the purchase decision. So security is just an added cost, and in the low-margin hardware business, companies do the bare minimum and hope for the best, while customers don’t care.

Is there anything that can be done now to prevent another large scale attack on the internet?

We need to require strong security for IoT products, not via government regulation but via marketplace mechanisms. If the courts made IoT manufacturers liable for monetary damages as an “accessory to the crime” unless they took all necessary precautions, then the manufacturers would need to hold insurance against suits, and to lower premiums and be eligible for coverage, they would need to regularly demonstrate sound security practices. The cost would be passed on to consumers industry-wide. So we’d pay a smidgeon more for our hardware but there would be at least a bit better security. It wouldn’t solve the problem because there is no solution to it, but it would help manage the problem by making such attacks just a little bit harder to pull off.

What do you think this means for the future of the Internet Of Things? Is it a major setback, or will security issues simply be fixed and made better?

No one will care in a few minutes. We live in a post-reality universe. People know cigarettes cause cancer and still smoke. People know they need to save for retirement but don’t. People know complex economic matters require specialists to make decisions but vote on emotional grounds. People know of the dangers of nuclear weapons but vote for untried, erratic, irresponsible leaders. Please don’t expect rationality to rescue the internet from the risk of the Internet of Things — it ain’t gonna happen. We just need to wait until the next web attack, when we can complain to our mates that we can’t complain on Twitter.
