For as long as there’s been an internet, its evangelists have assured us increased connectivity will yield a brighter future.
The web, they’ve said, will bring us closer through new forms of mass communication, connect us to business and government to give us more power over our lives, and deliver a whole new world of goods and services.
We got all that, and almost all of us have benefitted in some way from the fruits of the technology. But we also got massive disruptions and job losses in industries from banking to entertainment, the rise of menacing troll culture and—as we were reminded once again on Oct. 21—a frightening vulnerability to hacking, viruses, and other attacks.
Yesterday’s distributed denial of service attack, or DDoS, took advantage of the latest wave of innovation that we’ve been promised will only improve our lives: the Internet of Things. By connecting all manner of devices, from cars to appliances to clothing, to the web, we’ll realize more convenience and efficiency. We’ll be able to adjust our thermostat before we get home and have milk delivered when the refrigerator senses we’re running out. According to one analysis, 6.4 billion devices will be online by the end of the year.
But the gadgets connecting the Internet of Things, or IoT, haven’t been designed with the robust security we now take for granted on our phones and laptops. According to technology security expert and author Brian Krebs, yesterday’s attack may have been the result of a program called Mirai, which exploits vulnerabilities in cheaply made cameras and digital video recorders that are connected to the internet:
Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.
Krebs thinks it’s likely that these cameras and DVRs were made by Chinese companies for installation in products made by other manufactures. Because they’re embedded in televisions and other equipment, they’re not designed to be updated and setting new passwords might be impossible. A similar attack last month involved as many as one million Chinese-made cameras, the Wall Street Journal reported (paywall).
As more devices are connected to the web, our vulnerability only grows, and the machines hacked might not just be relatively harmless gadgets like cameras but potentially lethal tools like cars. Last month, Chinese tech company Tencent alerted Tesla it was able to hack into its cars and activate their driving and braking systems, according to Wired. Tesla has since beefed up security in all its cars.
The solution is likely new, industry-wide standards for security and an independent organization that can issue seals-of-approval for packaging that attest to the safety of products, so customers can know what they’re buying, Krebs says. The European Commission is already drafting requirements—but they won’t fix the billions of vulnerable devices already out there.
In their rush to give us the new and improved, technology companies wave off concerns about the unintended consequences of digital lifestyles. Security flaws are just another bug to be fixed, or better, an opportunity to market a new product.
Many of Silicon Valley’s moguls embrace a quasi-libertarian outlook that rejects regulation and say technology can solve problems the government can’t. But our crippling vulnerability to malicious attacks is a problem created by technology, and if they can’t fix it, governments must.