Experts have long warned of the imminent security problems with the so-called Internet of Things. They didn’t reckon it would take shape as quickly and as dramatically as it did last Friday (Oct. 21), when IoT-connected devices like home surveillance cameras were hijacked and fashioned into weapons that disrupted vast swaths of the internet for hours.
The security holes in IoT devices were largely hypothetical until now, often appearing in “what-if” scenarios from security experts that resembled plot-lines from Black Mirror. Think of smart cars being driven off roads by evil hackers, or nuclear plants melting down because of malware. But the malware behind Friday’s attack, called Mirai, shows how much more prosaic, and dangerous, the reality of IoT security is: It looks a lot more like an unrelenting flood of spam than Stuxnet.
Back in the late 1990s and early 2000s, email spam was so torrential it was thought to be a nearly “insurmountable” problem (pdf) by the US Federal Trade Commission. The IoT industry might draw parallels to how laws were fashioned to deal with that problem in the wake of the Dyn DDoS attack. The US government response was the CAN-SPAM act, signed into law in 2003, which mandated email-marketers give consumers a way to opt out of mailing lists, with the FTC overseeing the rules. The rules were lambasted at the time, and the naysayers were proved right: it’s been called a failure, since spam remains more than 90% of total email volume (pdf). For the IoT world, legislation might target manufacturers, to ensure their devices can’t easily be hijacked.
Nobody in the IoT space today wants ham-fisted laws governing their products. That’s why a variety of industry bodies have been created to try to pre-empt this. One of these is the IoT Security Foundation, which is developing a framework for manufacturers so that their devices meet security best practices. ”At this stage, regulation is a viable option, yet it’s complex and will take time—something needs to happen faster to change behaviors,” says its managing director, John Moor.
Industries can solve problems on their own. Regulation didn’t kill spam, but product innovations like better filters mean that spam has largely been hidden away from the average user, despite continuing to flood mailboxes. Google reckons 0.1% of email in the average Gmail inbox is spam, thanks to its filters. But manufacturers aren’t subject to any certifications when it comes to putting IoT devices on the market right now, unlike, say, hoverboards and other electronics, although existing laws have been used to prosecute hackers for DDoS attacks.
The Internet of Things is expected to only get more dangerous over time. Moor notes that as more “machine to machine” connections go online—a scenario that’s being heavily promoted as part of 5G wireless technology, due in 2020, for instance—there will be even less manual oversight of connected devices, meaning greater potential for their hijacking and abuse. Researchers at Arbor Networks have noted that the type of attack we saw on Friday could be even more disruptive, by making website addresses at the country level, like .co.uk or .tr, unreachable.
Unfortunately for IoT trade bodies and manufacturers, getting everyone to agree on security standards voluntarily has proved a slow, if not impossible, process. As the spiky British tech publication The Register has put it: “The freewheeling idiots of the Internet of Things business need the fear of regulation put into them.” In other words, if the companies manufacturing the things that will populate the IoT don’t get their act together quickly, we won’t get to the Zuckerberg-ian utopia of a smart toaster prepping breakfast. Instead, we’ll wind up with FTC-regulated toasters, fridges, and thermostats, imperfect though those regulations will inevitably be.