Technology & Science

Unregulated 'internet of things' industry puts us all at risk, security experts say

Last Friday's massive cyberattacks should serve as a "wake-up call" to alert the public that internet-connected devices designed to make our lives more convenient are also making us unsafe, security analysts warn.

Massive DDoS attacks that exploited internet-connected devices spark calls for better industry standards

Baby monitors are one of the increasing number of so-called smart devices that come connected to the internet. Security experts are warning that such devices can leave consumers vulnerable to hacking and are urging governments to more closely regulate their production. (Steve Marcus/Reuters)

Last Friday's massive cyberattacks should serve as a "wake-up call" and a warning to consumers that smart devices designed to make our lives more convenient are also making us unsafe, security analysts warn.

We're at the frontier of an era in which everyday objects — baby monitors, home appliances and even medical devices — come with built-in web connections. But regulation and security measures aren't keeping pace with this phenomenon, dubbed "the internet of things."

"Back in the 1970s, for much of the 1980s, and even into the 1990s, it was hard to foresee just how integrated this far-flung global infrastructure would become with every aspect of our lives and thus have deep security implications," Gabriella Coleman, the Wolfe chair in scientific and technological literacy at McGill University, said.

"Given the magnitude of this attack, let's hope it can serve as a wake-up call, forcing government officials to more aggressively regulate the production of these devices so that companies are forced to make security a priority."

Otherwise, experts say we can expect to see a lot more cyberattacks that jeopardize individuals, businesses — or as we saw  last week — the very fabric of the internet.

Your stuff is the weakest link

While Friday's cyberattacks ultimately targeted big companies like Twitter and Paypal, hackers went through everyday people's personal gadgets to do it.

Internet infrastructure company Dyn, whose customers include some of the world's most widely visited websites, got hit by distributed denial-of-service, or DDoS, attack. That's when hackers overwhelm servers with junk data traffic from malware-infected devices.

Once upon a time, this largely involved infecting and recruiting "zombie" home PCs or printers. But nowadays, our smart devices are the weakest link in the cybersecurity network.

"It's harder to break into workstations and windows devices, so they go onto this new set of devices that are still very much at the early stage of the technology curve," Eldon Sprickerhoff, founder and chief security strategist at the Cambridge, Ont.-based cybersecurity company eSentire, told CBC News.

These days, it's not hard to find home devices and appliances such as thermostats, above, smoke detectors and refrigerators that can be controlled from afar by way of the internet. (Eric Risberg/Associated Press)

These devices are part of a rapidly growing market, with hundreds of small, overseas companies churning out millions of cheap products made from outsourced components and code, and they can be infected without ever disrupting their core function.

"You don't know if your device has been compromised. Everything in your house could already be taken over — there's no way for you to know that," tech journalist and author Glenn Fleishman said.

"Until companies issue software updates or even tools to check if your device hasn't been modified, you may be stuck already with something that's always ready to attack."

Sometimes, it's personal

Anyone could find themselves in the crosshairs.

"While the latest attack targeted popular social media websites, in the future such an attack can be used to render more vital sites, like hospital websites, inaccessible," Coleman said.

Or it could be downright personal.  

Journalist Brian Krebs' website was the target of huge DDoS attack in September.

Someone can take over your webcam or baby monitor and spy on you, or hack into your security system or medical devices such as insulin pumps and pacemakers.

It doesn't take a genius to exploit weak devices, Fleishman says. Teenagers can do it.

"This is like everybody has a nuclear bomb," he said. "It has the potential that every day, we could have an attack that's the worst attack we ever had on the internet, and that could happen successively for some time."

'A war in heaven'

Chinese firm Hangzhou Xiongmai Technology, whose now-recalled webcams were targeted in Friday's attacks, has pointed the finger at users who don't change their default passwords.

Fleishman says that's a cop-out.

"There's a habit of user-blaming, which is a thing that the technology industry does when it doesn't want to own a problem," he said.

"Why are users responsible for changing passwords when every device shipping from a given company, the username is 'admin' and the password is 'admin'?"

What's more, some of these devices have hardcoded passwords that even the most tech-savvy user can't reset.

In an article for Macworld, Fleishman called it "a war in heaven," where hackers and big companies are the gods battling it out and consumers are the mortals caught in the crossfire.

"The war is between hackers, who are all individuals and syndicates and so forth, and manufacturers, who have no motivation to improve this, and users are just dying on the battlefield," he said.

About the Author

Sheena Goodyear is the digital producer for CBC Radio's As It Happens. Originally from Newfoundland and Labrador, her work has appeared on CBC News, Sun Media, the Globe & Mail, the Toronto Star, VICE News and more.

With files from Ramona Pringle and Associated Press


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.