Unregulated 'internet of things' industry puts us all at risk, security experts say
Massive DDoS attacks that exploited internet-connected devices spark calls for better industry standards
Last Friday's massive cyberattacks should serve as a "wake-up call" and a warning to consumers that smart devices designed to make our lives more convenient are also making us unsafe, security analysts warn.
We're at the frontier of an era in which everyday objects — baby monitors, home appliances and even medical devices — come with built-in web connections. But regulation and security measures aren't keeping pace with this phenomenon, dubbed "the internet of things."
"Back in the 1970s, for much of the 1980s, and even into the 1990s, it was hard to foresee just how integrated this far-flung global infrastructure would become with every aspect of our lives and thus have deep security implications," Gabriella Coleman, the Wolfe chair in scientific and technological literacy at McGill University, said.
- Hackers used 'internet of things' devices in massive cyberattack
- Major cyberattack knocks Twitter, Paypal, Spotify offline Friday
"Given the magnitude of this attack, let's hope it can serve as a wake-up call, forcing government officials to more aggressively regulate the production of these devices so that companies are forced to make security a priority."
Otherwise, experts say we can expect to see a lot more cyberattacks that jeopardize individuals, businesses — or as we saw last week — the very fabric of the internet.
Your stuff is the weakest link
While Friday's cyberattacks ultimately targeted big companies like Twitter and Paypal, hackers went through everyday people's personal gadgets to do it.
Internet infrastructure company Dyn, whose customers include some of the world's most widely visited websites, got hit by distributed denial-of-service, or DDoS, attack. That's when hackers overwhelm servers with junk data traffic from malware-infected devices.
Once upon a time, this largely involved infecting and recruiting "zombie" home PCs or printers. But nowadays, our smart devices are the weakest link in the cybersecurity network.
"It's harder to break into workstations and windows devices, so they go onto this new set of devices that are still very much at the early stage of the technology curve," Eldon Sprickerhoff, founder and chief security strategist at the Cambridge, Ont.-based cybersecurity company eSentire, told CBC News.
These devices are part of a rapidly growing market, with hundreds of small, overseas companies churning out millions of cheap products made from outsourced components and code, and they can be infected without ever disrupting their core function.
"You don't know if your device has been compromised. Everything in your house could already be taken over — there's no way for you to know that," tech journalist and author Glenn Fleishman said.
"Until companies issue software updates or even tools to check if your device hasn't been modified, you may be stuck already with something that's always ready to attack."
Sometimes, it's personal
Anyone could find themselves in the crosshairs.
"While the latest attack targeted popular social media websites, in the future such an attack can be used to render more vital sites, like hospital websites, inaccessible," Coleman said.
Or it could be downright personal.
Journalist Brian Krebs' website was the target of huge DDoS attack in September.
- Could hacking medical devices be a 2016 cyber trend?
- Tape over your laptop camera? Why it might not be as paranoid as it seems
It doesn't take a genius to exploit weak devices, Fleishman says. Teenagers can do it.
"This is like everybody has a nuclear bomb," he said. "It has the potential that every day, we could have an attack that's the worst attack we ever had on the internet, and that could happen successively for some time."
'A war in heaven'
Chinese firm Hangzhou Xiongmai Technology, whose now-recalled webcams were targeted in Friday's attacks, has pointed the finger at users who don't change their default passwords.
Fleishman says that's a cop-out.
"There's a habit of user-blaming, which is a thing that the technology industry does when it doesn't want to own a problem," he said.
"Why are users responsible for changing passwords when every device shipping from a given company, the username is 'admin' and the password is 'admin'?"
What's more, some of these devices have hardcoded passwords that even the most tech-savvy user can't reset.
In an article for Macworld, Fleishman called it "a war in heaven," where hackers and big companies are the gods battling it out and consumers are the mortals caught in the crossfire.
"The war is between hackers, who are all individuals and syndicates and so forth, and manufacturers, who have no motivation to improve this, and users are just dying on the battlefield," he said.
With files from Ramona Pringle and Associated Press