The Internet of Bad Things

Computer code is in everything. Everything is connected. And that’s the problem.

Spring 2018


On a Tuesday evening in late September 2016, Brian Krebs, one of the internet's most prominent cybercrime reporters, noticed a startling surge in his blog traffic. It did not take him long to understand that he was under attack. Someone, whom he subsequently spent months working to track down, had seized control of hundreds of thousands of internet-connected devices, including home routers, video cameras, DVRs, and printers, to create a botnet, a sort of digital zombie army. Instead of performing their normal functions, these various devices, all of which were capable of transmitting data to the internet, obeyed a command to pummel the server that hosted Krebs' blog with vastly more traffic than normal sites expect to handle in an entire month. The assault, called a distributed denial of service, or DDoS attack, overwhelmed the server and knocked Krebs' blog off the internet for three days. The digital security specialists Akamai later reported that it was nearly twice as large as the biggest attack they had seen previously.

It wasn't long before they saw a bigger one. One month later, the same botnet knocked major websites such as Twitter, Amazon, Netflix, Reddit, and Tumblr offline for several hours. That outage was brief, but it demonstrated the vulnerability of the internet's core structural elements.

The botnet used to execute these attacks was named Mirai by the attacker, who goes by the online moniker Anna-senpai. "Mirai" is a Japanese word that means "future." Anna-senpai subsequently released the Mirai source code to the internet, so that hackers could create variants of the malware for new attacks, which they immediately did. What keeps security experts on constant alert is the reality that malicious botnets like Mirai and the attacks they enable—in addition to a host of other cyberweapons now on the internet—are, indeed, the future.

MATT GREEN, a prominent cryptographer and assistant professor in the Johns Hopkins Department of Computer Science, has paid close attention to Mirai. "Entire portions of the internet went down because [devices like] home cameras were hacked, and those cameras had no security built in," he says. "Once you have the ability to generate lots and lots of traffic"—using a botnet of hacked devices to generate a DDoS attack, for example—"you can easily and selectively take down big chunks of the internet because nothing on the internet was designed to fight that."



All the world's computers, any other device that contains a computer chip, the internet itself, all run on computer code. "It's hard to overstate the degree to which our world is dependent on software systems," says Eric Rescorla, a fellow at Mozilla, the nonprofit organization that developed the Firefox web browser. (Rescorla has co-authored communications security research with Green.) "A huge fraction of the devices you use on a daily basis, ranging from thermostats to watches to cars to aircraft, are actually computers."

The code in many operating systems and web browsers is much more secure now, and it's regularly updated whenever someone finds a new vulnerability. But the code in so many consumer devices is much less secure because manufacturers don't design them to be secure; it's more expensive and not their priority. Increasingly, all these devices, along with their shoddy security, are connected to the internet. Your fitness watch, your home security cam, your bathroom scale, the E-ZPass toll collection gizmo velcroed to your windshield, your DVR, possibly the very locks securing your house—all connected. Economic surveys estimate there will be more than 50 billion internet-connected devices by 2020, and that 70 percent of the population will have smartphones, each one vulnerable to hackers.

dougjt
5/14/2018 9:50:15 AM

Thinking about complex problems requires precision and clarity, and the Internet is no different. Lumping everything - from the actual infrastructure that transports packets, to individual hosts (computers), to complex applications and back end systems - together into "the Internet" makes the problem much harder to understand. It is not a single system or even a single layer of systems, and that is both a strength and a weakness. The Internet's technical success is no accident - from the earliest days, it was explicitly based on the loose coupling of systems. Loose coupling means more resiliency for the same reasons that decentralized organizations can be more resilient than tightly integrated top-down organizations. Loose coupling means that owners and operators are responsible for choosing good security and good maintenance practices. Inevitably, it means there will always be vulnerable devices and systems on the Internet, just as there will always be vulnerable and poorly maintained assets in the physical world. Perfect security is impossible, but our dismal track record is at least as much human as it is technological. Consumers don't educate themselves or practice diligence. For organizations, IT is a cost to be minimized than any fundamental technical limits. Somehow, we seem to be shocked that the virtual world is like the physical world, but in reality, this is inevitable. Should we be surprised that inattention and poor maintenance leave us with shoddy technology?