When the Internet of Things becomes the Internet of Stings

Stuart Fuller

“The Skynet Funding Bill is passed. The system goes on-line August 4th, 1997. Human decisions are removed from strategic defense. Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern Time, August 29th. In a panic, they try to pull the plug.”

In our quest for simplicity, we today want smart technology that we can control from the palm of our hands. Lighting, heating and front doors can all now be controlled remotely through the Internet, via apps on our phones, making our lives easier. More and more devices will follow this trend in the future as technology manufacturers look to make their products more attractive to consumers.

But what happens when some of these devices become self-aware? I’m not talking about the prophecy outlined above in the quote from The Terminator, but when our connected devices start doing things they aren’t supposed to, are we a step closer to the Hollywood version of the future than we really think we are? Sounds far-fetched, but in the past 12 months we’ve seen a huge amount of cyber-security activity where the attack vector has changed from nameless, faceless hackers sitting behind screens in a far-off darkened room to hijacked devices around our home.

“In a relatively short time, we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters”, tweeted Jeff Jarmoc, Salesforce.com’s Head of Security. Amusing as his tweet was, it is 100% true.

Back in October 2016, an unprecedented attack on the DNS network of one firm had a crippling effect not just on firms that relied on its infrastructure but also on any belief we had that the Internet was invulnerable to such an incident. The attack was a distributed denial of service (DDoS) attack, on a scale that few thought possible. What made this incident so different from any other DDoS attack was the way that those responsible managed to infect so many of these smart home devices and make them flood the DNS network with traffic, whilst their owners were completely oblivious to what was going on under their very noses.

Websites such as Netflix, Amazon, The New York Times, Reddit, Twitter and Spotify were taken offline, whilst disruption to the payment platforms offered by MasterCard and PayPal affected hundreds of thousands, if not millions, of consumers trying to buy their goods online.

The term ‘Internet of Things’ was coined by Peter T. Lewis in a speech given in 1985. In his speech, he states that The Internet of Things, or IoT, is the integration of people, processes and technology with connectable devices and sensors to enable remote monitoring, status, manipulation and evaluation of trends of such devices. Over 30 years later, we interact with such devices daily. Our homes are becoming host to many connected devices, whether they’re door bells, fridges, boilers or even toasters. All of them have username and passwords set by the manufacturers and although they may recommend we regularly change the security details, very few of us ever do. This leaves a huge vulnerability that the hackers in the Mirai botnet DDoS attack exploited.

Some hardware manufacturers have already taken steps to try to stop a similar style attack taking place, updating the firmware of their products or even, in the case of one Chinese router manufacturer, recalling thousands of products. However, the most important lesson here is for us, the consumers. Always change default username and passwords of any connected devices, and make them unique so that if someone is able to compromise one device, they will not be able to use the same login credentials to access any other smart devices.