Cybersecurity

Could your kettle bring down the Internet?

By Ansgar Koene and Derek McAuley

Published 26 October 2016

It is time for developers to grow up and take responsibility for their designs or risk interference from regulators.

How could a webcam help bring down some of the world’s most popular Web sites? It seems unlikely, but that’s what happened recently when hackers attacked the Internet infrastructure run by U.S. firm Dyn, knocking out services including PayPal, Twitter, and Netflix. More accurately, the attack involved potentially hundreds of thousands of surveillance cameras and digital video recorders connected to the Internet that had been weaponized by the hackers.

They were infected with malicious software that turned them into a “botnet,” a network of devices controlled by an outside force. This was then used to flood Dyn’s infrastructure with activity, grinding it to a halt. These so-called distributed denial of service (DDOS) attacks are a common technique among cybercriminals. But this was only the second recorded time a DDOS attack involved what’s known as Internet of Things devices — devices other than PCs and mobiles that are connected to the Internet.

Such a high-profile attack demonstrates just how serious the security flaws are in the tech industry’s current approach to the Internet of Things. Without a significant change in the way these devices are designed and used, we can expect to see many more instances of Internet-enabled cameras, TVs, and even kettles used for nefarious purposes. They are perhaps even becoming part of a hacking service for hire.

Until now, concerns about the Internet of Things have largely focused on privacy. Hackers have shown they can gain control of Internet-enabled security cameras and even baby monitors to spy on people’s homes. Even if you cover up your webcam when you’re not using it — as it seems Facebook founder Mark Zuckerberg does — devices like Internet-enabled TVs and thermostats could also allow criminals or governments to monitor your movements.

There has been an (unspoken) attitude in many parts of the tech industry that, because users often ignored privacy settings on social media, they didn’t really care about the issue. But with the weaponizing of Internet of Things devices, there is a growing possibility that manufacturers could be held to account for security vulnerabilities through lawsuits and damages claims brought by corporate victims of DDOS attacks.