Attack of the Internet of Things
The Internet of Things may make our lives easier, but it’s also made the internet more vulnerable. Our connected thermostats, televisions, and printers are easy fodder for hackers who may want to recruit them into a bot army, like the one that took down the DNS provider Dyn late last week, bringing the internet to its knees.
More scary still, some connected devices hold human lives in their technological hands. An attack that compromises digitally automated insulin pumps and connected cars, for instance, could prove to be fatal.
Washington Post technology reporter Andrea Peterson says that the internet’s layered architecture and the global scope of its vulnerability make it unlikely we’ll be able to shore up internet security soon, and certainly not all at once.
Andrea Peterson is a technology reporter for the Washington Post. She’s based in Washington, D.C.
IRA FLATOW: This is Science Friday. I’m Ira Flatow. Remember last Friday, cyber attack on the DNS provider Dyn brought the internet to its knees. Major websites like the New York Times and Netflix and Twitter were down. In fact, we had trouble tweeting during this show last week because of it. We had no idea why these things weren’t going through until we found out.
But while the attacks did make things inconvenient for many of us, we didn’t feel threatened. Our bank accounts were safe. Our private data wasn’t compromised this time. Cybersecurity experts agree that this won’t be the only time the internet gets hacked, of course. In fact, the next time it could be a lot worse.
And that’s because the internet has been made vulnerable by us. We are responsible, more specifically, our connected devices. When your thermostat in your home security system, your baby carrier, or whatever– they’re all connected to the internet. And as many of these are these days that means they are vulnerable to being hacked and being programmed to actually carry out that cyberattack. I don’t know, maybe your refrigerator was involved in this sort of thing.
How bad a situation have we created for ourselves? And can we unlink our devices so that they’re safe from hackers but still useful to us? Joining me to discuss the problem of the internet of things is my guest. Andrea Peterson is technology reporter for the Washington Post. Welcome to Science Friday.
ANDREA PETERSON: Thanks so much for having me.
IRA FLATOW: So we know about the attack last Friday that virtually broke the internet was done using the internet of things. Explain how that happened.
ANDREA PETERSON: So as you mentioned sort of in your lovely intro there, what happened was somebody attacked Dyn, which is this company that provides a really key service that helps you and me and everyone else get to a lot of the websites they want to visit. It basically is kind of like a directory for the internet. It makes it so when you type in a URL, you actually end up at the website that you want to be at.
But somebody decided to blast Dyn with a really astounding amount of web traffic all at once in an attack that’s commonly known as a distributed denial of service attack, or DDoS attack, but I’m probably not going to bring up that term again. It’s jargon. Who needs it? But one of the most notable things about this beyond the fact that it showed just how weak our internet infrastructure is, because you can attack this one company and take down a lot of really popular sites, was that the place that all this traffic came from was connected devices, security cameras for instance, baby monitors, all that were controlled by this one kind of malware that’s recently emerged called the Mirai.
IRA FLATOW: So don’t– but don’t these things all have passwords that people set when they use them? Or did they not just change their passwords on these things?
ANDREA PETERSON: So it’s a little complicated actually. A big problem is that a lot of devices have default passwords. And in some cases, those passwords are really hard or even impossible for everyday users to change. They can be kind of hard coded into the device in ways that your average user just isn’t going to figure out.
IRA FLATOW: So are the newer devices generally less vulnerable to this type of attack then?
ANDREA PETERSON: It depends on which devices you’re talking about. Like brand name devices, I’d say yes, generally more secure. But a big problem is that we’re seeing a lot of low end manufacturers, especially in China, that continue to have a lot of security flaws. And even in the high end devices, there are going to be security flaws that show up from time to time. But more likely, they will actually be repaired eventually.
IRA FLATOW: So we have a lot of these cheap devices with hard wired– so-to-speak– passwords in them. And they’re out there, and there are sort of legacy ones that are still around as the newer ones come out that are a little more secure. These other ones are still there. And what’s a person to do? I mean, does that mean we unhook our printer from the internet or is there something we can do to protect ourselves?
ANDREA PETERSON: Well, you can put your– you want to make sure your devices are behind a firewall, if you have one that you haven’t been able to figure out how to change the password on. And also, try to change the password. If you set something up and you don’t know if it had a password on it or you don’t remember, try and find out. Look up the information with the manufacturer or try some other means, googling to try and figure out, hey, is there a better way I could be securing this device.
IRA FLATOW: Well, you know this time we had a sort of– it was an annoyance more than anything else, because we didn’t have anything secure that was attacked. But what would stop in the future from attacking our insulin pumps or our cars or things like that are all connected to the internet?
ANDREA PETERSON: So that’s the fun and also scary thing. A lot of devices are showing up to be insecure. There’s been some really interesting research actually on insulin pumps, where some researchers have shown ways to essentially make them kill people if they wanted to. Now, again, like you need to have somebody who has motive and somebody who has access and the skills to do that, but it shows that there are some real world physical safety issues that come about by these little errors that are made in code.
IRA FLATOW: Is there any way to make the internet more secure, given that it’s made to be open and accessible?
ANDREA PETERSON: Well, and that’s one of the things. The internet wasn’t really designed to be secure. It’s kind of this ad hoc network that we’ve built things on over time. And as we saw on Friday, a lot of companies don’t even seem to realize that they are very dependent on this one service. And in fact, there is a way that some of the sites could have avoided that problem on Friday, which is registering with more than one company that provides the same service that Dyn provides. Now, if somebody decided to attack both of the services like that you’re registered with, you’re still going to have a problem. But it’s a good way to back up.
IRA FLATOW: Do we have an idea who did this or why? Could it have been sort of a probing of our internet services to see how vulnerable they are without actually taking them down totally?
ANDREA PETERSON: That’s a good question. Some of the research is actually pointing towards hobbyist hackers, which I think is actually almost scarier than it being really hard core state sponsored hackers who are trying to take down our internet, but instead might have just been kids who were actually trying to take down a major video game network– the PlayStation network, because the code for this particular malware that was used was released on a popular hacker about a month ago. And since then, pretty much anyone can actually use it to create their own network of these compromised devices to blast people with traffic.
IRA FLATOW: Andrea, thank you for taking time to be with us today. Very informative. Andrea Peterson, technology reporter for The Washington Post.