Risk of Enslaved Things

Welcome to the Internet of Tragically Enslaved Things, formerly known merely as the Internet of Things. It's like the Island of Misfit Toys, but exponentially worse. Nothing can save these devices: they're bespoke, pre-enrolled in nefarious global botnet activity, or being permanently bricked.


The Internet-connected device market is frothy with promises to innovate and disrupt in ways that are positive and meaningful for humanity. Projections for IoT revenue growth are in the hundreds of billions. Tens of billions of "smart" things with published default credentials and passwords, and easily discovered IP addresses -- what could go wrong? Too late, already sideways:

  • Massive IP port scanning software like evilscan makes it easy to locate vulnerable Internet-connected IoT devices, infect them with malware that enslaves their computing power in a botnet, and deploy them in Distributed Denial of Service (DDoS) attacks -- volumetric attacks targeting data centers, connection attacks targeting network firewalls and servers, application layer attacks targeting business applications.
  • The appearance of the Mirai virus, in the fall of 2016, was a dubious watershed moment for IoT. Mirai enlisted some 100K devices -- mostly security cameras and DVRs -- in a DDoS attack of extraordinary strength (the Guardian) on network service provider Dyn. The 1.2 terabits-per-second Dyn attack far surpassed any previous DDoS attack's strength. It overwhelmed DDoS defenses at Reddit, Twitter, Wired, CNN, causing service interruptions there and elsewhere.
  • Another unforeseen, but perhaps not entirely bad, development: the unregulated proliferation of compromisable IoT devices has spawned white hat vigilantism. The Hajime virus, a variant of Mirai, locates botnet-susceptible IoT devices and blocks access to their four most vulnerable ports. The unforgiving BrickerBot permanently disables the capability of IoT devices to connect to the internet (Fortinet).
    An underlying problem is that IoT manufacturers aren't required to adhere to a minimum security standard (William & Mary policy review).
  • Compounding the problem, IoT consumers want plug'n'play things, are oblivious to these risky devices, and are inadvertently providing home-network care and feeding of the Internet of Enslaved Things.

So, can the IoT police itself? Adhere to basic precautions for building, testing, and delivering secure Internet-connected devices, including smart cars, smart TVs, home routers, kitchen appliances? Maybe, if they:

  1. Use common sense. Generate random admin passwords for each new device, stop exposing irrelevant network ports and services, stop preprogramming devices with telnet and/or SSH ports open to the outside world, and implement mechanisms for devices to self-diagnose at boot time.
  2. Penalize IoT manufacturers and ISPs who fail to disclose vulns, or IoT malware takeovers, or who don't/won't provide prompt firmware updates following a compromise.
  3. Design to the industry development and security protocols made for IoT -- most significantly, MQTT, a low-overhead message transport protocol designed for IoT devices, and Underwriters Laboratories' CAP standard for test criteria for network-linked products and systems.
    Decades ago, IoT security fundamentals were set down by companies making networked devices. The IoT industry, in its gold rush, has ignored these security fundamentals. Now, ironically, IoT's promise to "innovate and disrupt" is a potential black swan that could deliver debilitating attacks on critical services -- banks, hospitals, critical infra -- disrupting economies and putting lives at risk.
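As an added illustration of item 1 above (this is example code, not anything from the original post or a real product's firmware), here is a sketch of a boot-time self-check: the device refuses to bring up networking while its admin password is a known default or while telnet/SSH is bound to the WAN interface, and a helper provisions a per-device random password. The configuration layout, interface names and default-password list are constructed for the example.

```python
import secrets
import string

# Constructed sample of a factory configuration: a published default
# admin password and remote-login services bound to the WAN side,
# the pattern that made Mirai's harvesting of devices so easy.
FACTORY_CONFIG = {
    "admin_password": "admin",
    "listeners": [                   # (service, port, interface)
        ("http", 80, "lan0"),
        ("telnet", 23, "wan0"),
        ("ssh", 22, "wan0"),
        ("mqtt-client", None, None), # outbound only, no listener
    ],
}

# Constructed list of defaults the check treats as compromised.
KNOWN_DEFAULTS = {"admin", "password", "1234", "root", ""}
REMOTE_LOGIN_PORTS = {22, 23}


def provision_admin_password(length=20):
    """Per-device random admin password, set in the factory or at first boot."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _wan_remote_login(service, port, iface):
    """True when a telnet/SSH listener faces the internet."""
    return port in REMOTE_LOGIN_PORTS and (iface or "").startswith("wan")


def boot_self_check(config):
    """Return findings; an empty list means networking may start."""
    findings = []
    if config["admin_password"] in KNOWN_DEFAULTS:
        findings.append("admin password is a known default; refusing to start")
    for service, port, iface in config["listeners"]:
        if port is not None and _wan_remote_login(service, port, iface):
            findings.append(f"{service}/{port} listens on {iface}; remote login must not face the WAN")
    return findings


def harden(config):
    """Apply item 1: unique password, and drop WAN-facing remote-login listeners."""
    fixed = dict(config)
    fixed["admin_password"] = provision_admin_password()
    fixed["listeners"] = [l for l in config["listeners"] if not _wan_remote_login(*l)]
    return fixed
```

Running `boot_self_check(FACTORY_CONFIG)` reports three findings; after `harden()` the same check returns none and only the LAN-side HTTP listener and the outbound MQTT client remain.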