The internet was designed to withstand a nuclear attack. But its creators never imagined that baby monitors, toasters and smart TVs could bring it to its knees. We need to make sure that the devices that make up the internet of things can’t be used in the kind of attack that almost broke the internet late last month.
For reasons that I will explain later, that probably means regulating the devices.
First, though, some internet history. At the height of the Cold War, in the early 1960s, the RAND Corp.’s Paul Baran set out to design a military network that could survive a nuclear attack. He wanted to ensure that endpoints could communicate with one another in the face of catastrophic damage wreaked by nuclear weapons. His idea: build a widely distributed, packet-switching network that could route communications around destroyed hardware.
Others had similar ideas, and a lot of idealism was baked into these early internet proposals. J.C.R. Licklider wrote a series of memos laying out his vision for a world-spanning network, to be called the “Intergalactic Computer Network.” The network, he said, should be “an electronic commons open to all” and “the main and essential medium of informational interaction for governments, institutions, corporations, and individuals.” Based in large part on Licklider’s work, the U.S. Defense Department's Advanced Research Projects Agency (ARPA) funded a packet-switched network that eventually became the internet.
Openness, anonymity and freedom from government regulation were at the core of what was built. But now, with countless IoT devices that can easily be weaponized, we’re starting to suffer from that hands-off attitude. The idealism that built the internet also endangers it and opens it up to crippling attacks.
That was made clear in late October when a massive DDoS attack on DNS provider Dyn brought down wide swaths of the internet and disabled dozens of websites, including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times. Playing a big role in the attack was a botnet composed of IoT devices infected by Mirai malware. An estimated 500,000 IoT devices, such as security cameras and DVRs, are infected with Mirai, and approximately 10% of them were used in the October attack. In all, Dyn says that 100,000 devices were used in the attack.
The Dyn incident is only the latest in a string of IoT cyberattacks. In late September, an IoT botnet composed of 145,607 hacked digital video recorders and IP cameras targeted the French hosting service OVH. Also in September, a Mirai botnet was used to attack the Krebs on Security website.
Source code for Mirai has been published online, along with step-by-step instructions on how to use it. And reports say that IoT botnets are available for rent, making it even easier for someone to launch an attack. Dale Drew, CSO of Level 3 Communications, said that in the Dyn incident, “We believe that there might be one or more additional botnets involved in these attacks. This could mean that they are 'renting' several different botnets.”
Sign up for CIO Asia eNewsletters.