On October 21st, my Spotify stopped working, so I went to Twitter to check if other people had the same problem, and couldn’t because it was also down. The reason for this was a distributed denial of service (DDoS) attack on Dyn, a DNS system which powers much of the architecture behind these sites and others like Paypal, Netflix and Reddit. The concept of DDoS attacks is not new, and they often don’t even make the news. We have seen the BBC and Donald Trump’s website attacked in January 2016, the Church of Scientology was attacked in January 2008, and even smaller political groups like Occupy Central in Hong Kong were targeted in June 2014.
The basis of a DDoS attack is simple: somebody gets control of millions of devices and has them access something at the same time, effectively crashing the underlying servers and thus the entire site. This can only be effective against certain sites, as trying to do this to somebody like Google or Facebook, who can accept billions of requests at a time, would perhaps slow them down a bit, but not crash them.
It was this kind of attack that shut down Twitter et al. on October 21st, but this attack was different to many others in that it was not done by millions of computers; it was done by smart things. So rather than accessing sites through a connection on a PC, it was done by fridges, plug sockets, baby monitors and even kettles. This was an attack conducted by IoT-connected devices, which have little robust security because essentially they are too dumb.
We are seeing the spread of the IoT having some amazing impacts on our society, with our world becoming more connected than ever, but some of this connectivity is coming at a price.
One of the key issues is that the spread of the IoT means that there is consumer demand for it, with the smart thermostat market alone growing by 123% in 2015. Alongside this demand comes the need to create the cheaper products that consumers want, and one of the most expensive parts of development is giving devices enough computing power to run effective firewalls and security. This is scrapped for less robust and cheaper alternatives, which is what led to the attacks in late October. Essentially, companies are making their smart devices as dumb as they can.
With this kind of attack making the news, it should act as a battle cry not only to make IoT devices more secure against it, but also to educate consumers to protect themselves. Dr Mercedes Bunz, a senior lecturer at the University of Westminster, believes that consumers ‘just keep their default passwords and they are so easily hackable and they are very easily turned around into a little bot, because that doesn’t need a lot of memory.’
So protecting data and IoT-connected devices is not simply going to be about putting new firewalls in place or increasing memory, but about educating the general public about how to protect themselves. It needs to be done in the same way that internet users are often prompted to change their passwords or think carefully about opening suspect-looking emails. It ultimately doesn’t matter if you have the best security systems on your fridge if you keep your password to it as ‘admin’.
Protecting data and connected devices needs to be a priority for those aiming to grow the industry further, and this can only be done through a mixture of improved basic security and customer education. If these kinds of attacks become common, there will be backlashes against smart connected technologies, which will only slow down further development of the IoT, something nobody wants to see.