You’d be hard pressed to get through more than a few pages of this magazine without coming across the term IoT (Internet of Things), particularly as this particular issue features telecommunications and wireless technologies. As those of us in the electronics industry know, it’s nothing new for Things to be connected to the Internet, but then the marketing types went and latched onto the phrase as an engine to power a shiny new hype machine. What they’ve really done though is fashion a weapon to bludgeon the man in the street senseless, as there is still mass confusion about what exactly the IoT is, and what the implications are: Are there two separate Internets for People and for Things? Do I need a different service provider to access the Internet of Things than the regular Internet? If only it were that easy.
The history of the Internet is littered with examples of why people need to be cognisant of their cybersecurity, and the dangers of not being vigilant when using anything from a smartphone in the mall to a desktop computer in the office. While most of us have certainly become more savvy in this regard, breaches still occur daily, and the point was rammed home to the IoT market recently when a new malware called BrickerBot started doing the rounds.
BrickerBot is not the first or the only such threat to have been unleashed – it follows in the footsteps of the Mirai botnet that used Distributed Denial of Service (DDoS) attacks to crash a number of networks last year. In Mirai’s case, the problem could typically be solved by rebooting the device in question (remote cameras and home routers were apparently its main targets) and immediately changing its login password. The hacker behind BrickerBot, who goes by the name The Janit0r, created it to be a far nastier beastie. It scans the web for devices using a default password and proceeds to wipe their memory, corrupt their storage, and disconnect them from the Internet, essentially rendering them as useless as a brick, hence its name.
With so many Internet-connected things nowadays, ranging from computers and smartphones to fridges and light bulbs, BrickerBot has no shortage of potential targets, and it has grown progressively more virulent. Version 1 attacked close to 2000 devices in its first four days, while version 3 took only 24 hours to achieve nearly 1400 infections. A fourth version has now been spotted in the wild, and only time will tell how aggressive it will prove to be. It’s one thing for a consumer gadget to be bricked, but imagine how much more costly the implications could be for a bank, or any business for that matter. In the case of something like an oil refinery or airport the consequences are potentially lethal.
In no way do I condone what amounts to Internet vigilantism, but I hope such attacks will prove to be the wake-up call the industry needs to take the problem more seriously. As a most basic measure, any device with an Internet interface could ship with such interface disabled until such time as the user activates it by registering the device with its manufacturer, similar to the way Microsoft handles Windows activations.
It could be made a prerequisite for activation that the password be changed to something that meets strict complexity criteria. Inconvenient? Certainly. Expensive for device manufacturers to implement and administer? Undoubtedly. Perhaps there’s even some reason I haven’t thought of that would make it totally unfeasible. Surely if some clever people out there put their minds to it they could come up with a more elegant solution, but anything would be better than the haphazard way IoT security has been treated up until now.
The virtual wall that protects the IoT from the trolls prowling outside is only as steadfast as the security that holds it together. A wall, without strong mortar, is nothing but a neat pile of bricks.
Brett van den Bosch