For the Love of God, Change Your Default Passwords: The Existential Threat of the Internet of Things

“We’re building an internet that senses, thinks, and acts. We’re building a world-size robot, and we don’t even realize it.” — Bruce Schneier

“What is this ‘Internet of Things’ and what does it have to do with me?”

Everyone is familiar with the Internet of Things, even if they don’t know it by its official name. It’s a catch-all term referring to every device with Internet connectivity which is not a PC, tablet, or smartphone. For several years now, tech manufacturers have been enamored with the idea of making everything from baby monitors to body sensors capable of Internet access—ostensibly so the data those devices collect can be used to enhance the convenience and efficiency of the lives of their users. Internet of Things devices have become standard in nearly every industry, from the usual suspects (routers, security cameras, DVRs) to the trendy newcomers (toasters, refrigerators, coffeemakers). Internet of Things devices can also include modern cars, which are built with sensors that notify drivers of dangerous conditions—and modern homes, which come with WiFi-connected thermostats that manage energy consumption.

Internet of Things devices aren’t limited to everyday consumers. There’s room on the bandwagon for corporations and governments as well. For example, cities install a type of Internet of Things device on streetlights to adjust light output by time of day, season, and weather conditions.1 Farmers use data gathered from sensors monitoring soil moisture, pesticide usage, and weather forecasts to remotely oversee their farms’ resources and quickly identify crop issues.2 The Internet of Things has even been used for wildlife conservation—a research group fitted the lions of southern Kenya with tracking collars, which communicate their location to the researchers via text message (as well as to the local cattle herders, who have a vested interest in knowing the location of the nearest lion at all times).3

With its widespread adoption by consumer goods, corporations, and governments, the Internet of Things has become inextricably entwined with modern society. This is unlikely to change, as the number of devices which are members of the Internet of Things currently exceeds that of the human population and is conservatively estimated to surpass 50 billion by 2020.4 The allure of the Internet of Things is understandable—it represents the possibility of a global network of convenience and prosperity. However, the manufacturers responsible for this brave new world overlooked a fatal flaw in their frenzy to capitalize on it—namely, the security (or lack thereof) of the devices with which they have flooded modern society. The fact that the market has permitted this to happen cries out for government intervention in the form of regulation or legislation.

We can no longer afford to allow the law to lag behind technology.5 “Security should be baked in, not bolted on” is an old-school IT mantra. The fact that it remains relevant today is meaningful in itself, especially since the general industry practice—absent regulation—is to manufacture Internet of Things devices without sufficient security features,6 prompting widespread litigation. A 2015 lawsuit against Chrysler alleged negligence, fraud, and breach of warranty stemming from vulnerabilities in the uConnect system it installed in certain Dodge, Chrysler, and Jeep vehicles, which was so insecure that criminals could easily breach it and subsequently override the steering, acceleration, and braking systems.7

Similar lawsuits relating to Internet of Things security vulnerabilities have been filed against medical device,8 home security system,9 and children’s toy10 manufacturers—to name but a few. However, none have reached any sort of meaningful resolution, and thus manufacturers have no incentive to materially improve the security of their devices. This leads to stories such as one recently published in the San Francisco Globe, which detailed the horrors a young family experienced after their baby monitor was hacked.11 The stranger spoke disturbing messages to their 3-year-old child and watched him through the camera on the device.12 The monitor was vulnerable simply because it was connected to the home’s WiFi network and secured by no more than a default password—child’s play for any dedicated hacker. Writ large, this failure by both manufacturers and consumers to take adequate security measures may represent a fatal flaw for the Internet as we know it. Government intervention—while it may not be a panacea—would certainly mitigate the most dire of these threats.

The Consequences of Allowing the Industry to Remain Unchecked

As unsettling as those individual threats were, they were merely individual threats—one cybercriminal infecting one device at a time. Consider, then, the implications of one cybercriminal infecting hundreds of thousands of devices at a time. This is known as a “botnet.” Botnets have been around for at least a decade, but the recent explosion in popularity of cheap, unsecured Internet of Things devices has made them exponentially more effective. Although the concept of botnets is foreign to most—and may even be science fiction to some—the threat they pose to modern society is unquestionably of paramount importance. Should the legislative and regulatory bodies continue to turn a blind eye, it could very well threaten the Internet itself.13

Internet of Things botnets are created by computer viruses which search the Internet for unsecured devices connected to it. Once the viruses find their targets, they burrow into them and take control—of course, the unsuspecting consumers who own these devices are none the wiser.14 And because most Internet of Things devices weren’t manufactured with security in mind and don’t have the capability to receive software updates, it’s almost impossible to remove malware from an infected device.15 No, you can’t just turn it off and turn it back on again. The only solution is to throw it out and get a new one.16

One particular botnet, known as “Mirai,” infected an estimated 600,000 routers, printers, DVRs, and security cameras in late 2016,17 primarily enslaving cheaply made and unsecured devices in Brazil, Colombia, Vietnam, and China.18 The criminals controlling this botnet used the devices under their command to perform large-scale network attacks, formally known as distributed denial of service (DDoS) attacks.19 One of the targets of these attacks was Rutgers University. From 2014 to 2016, Rutgers suffered nearly a dozen attacks from the Mirai botnet. The attacks disabled Internet access across the campus and crippled the school’s network infrastructure.20 Why would someone use the Mirai botnet to attack Rutgers? As it happened, the brains behind it were not anarchists or foreign agents, but two college kids: Paras Jha—a student at Rutgers—and Josiah White.21

Jha and White were the co-founders of a company which specialized in mitigating large-scale DDoS attacks.22 They unleashed the Mirai botnet on unsuspecting institutions and then attempted to sell those institutions their services, which they claimed would fend off the attacks.23 Rutgers was one such institution. Jha admitted in court that to be as disruptive as possible, he timed the attacks during midterms, finals, and class registration periods.24 After taking the Rutgers network down, Jha recommended (anonymously, of course) that Rutgers invest in a more effective DDoS mitigation service.25

The fact that two college students crippled the network of a major American educational institution for over two years—just because they could—is difficult to come to terms with. Yet this is the reality of the world of the Internet of Things. Although the FBI was finally able to bring Jha and his conspirators to justice in late 2017,26 the Mirai botnet lives on. Jha released Mirai’s code before the FBI could track him down, spawning copycat botnets across the globe. To make matters worse, botnets have become much more sophisticated since Mirai was created. A botnet known as Reaper has already infected over a million devices—twice Mirai’s reach—by using software-hacking techniques to guess passwords instead of simply searching for devices with default security settings.27 In layman’s terms, if Mirai infected devices by simply checking for open doors, Reaper is actively picking the locks.
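To make the “open door” versus “lock picking” distinction concrete, the following is an added illustration (not code from the article or from any real device firmware): a toy model of a device’s login routine. The weak version ships with a fixed factory credential table that can never be changed, which is exactly what Mirai looked for; the hardened version refuses remote logins until the factory password is rotated and throttles repeated wrong guesses, which blunts Reaper-style guessing. The credential values and the lockout numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample of the kind of factory logins a Mirai-style scanner tried.
FACTORY_DEFAULTS = {"admin": "admin", "root": "12345", "user": "user"}


class WeakDevice:
    """Firmware with a hard-coded credential table and no way to change it."""

    def login(self, user: str, password: str) -> bool:
        # Plain-text comparison against defaults: an open door for the device's lifetime.
        return FACTORY_DEFAULTS.get(user) == password


class HardenedDevice:
    """Forces rotation of the factory password and throttles guessing."""

    MAX_FAILURES = 5        # constructed policy values
    LOCKOUT_SECONDS = 60

    def __init__(self) -> None:
        self._salt = b""
        self._hash = b""
        self.default_in_use = True   # remote login stays disabled until rotated
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, new_password: str) -> None:
        # Called from the local first-boot setup; rejects short or known-default values.
        if len(new_password) < 12 or new_password in FACTORY_DEFAULTS.values():
            raise ValueError("password too short or a known factory default")
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new_password)
        self.default_in_use = False
        self._failures = 0

    def login(self, user: str, password: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if self.default_in_use or now < self._locked_until:
            return False
        ok = user == "admin" and hmac.compare_digest(self._hash, self._derive(password))
        if ok:
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._locked_until = now + self.LOCKOUT_SECONDS
        return False
```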

The Necessity of Meaningful Regulation

The circumstances which made the Mirai botnet possible illustrate the fallacy of the “self-regulating market,” a phrase which conservatives will generally invoke at about this point in the conversation. In 2015, the FTC cited the “great potential for innovation in [the Internet of Things industry]” as a reason why imposing regulation on it would be “premature.”28 The FTC went on to argue that because the economic benefits offered by Internet of Things products are almost limitless in potential,29 Internet of Things manufacturers should be left to their own devices, as it were—free from the nuisance of regulation.30

Certain members of the FTC even took the position that since the details and ramifications of the technology which makes the Internet of Things possible are only vaguely understood by most policymakers, “we are going to end up having to experience problems before we understand the nature of the solutions.”31 Never mind the fact that the Internet of Things is expected to reach a market cap of over $195 billion by 2023 (up from $16 billion in 2016)32—the FTC would have the general public put its faith entirely in Adam Smith’s “invisible hand” and in breach of implied warranty. This line of reasoning might be more persuasive if there were less at stake.33

Admittedly, the FTC’s comments were made a year before the Mirai botnet made headlines—and Congress is showing signs of life regarding the issue. In August of 2017, four US Senators introduced the Internet of Things Cybersecurity Improvement Act, which, if it passes,34 will set a bare minimum standard of security by requiring that any Internet of Things product purchased by the government must have the capability to be updated in a timely manner, must not have unchangeable default passwords, and must be free from known vulnerabilities.35 Unfortunately, as of this article, this bill sits in limbo, without having even been voted on by the committee to which it was referred.36 As long as the general awareness of the threats posed by an unsecured Internet of Things remains confined to the tech industry, Congress will continue to sit on its hands.

If both regulation and legislation efforts are futile, then the task of controlling the Internet of Things falls on the shoulders of the judicial system. This is far from ideal. Although high-profile liability lawsuits have been a historically effective corrective measure37 in many industries,38 the defects which gave rise to those suits persisted for years (and sometimes decades) before being brought to the public’s attention;39 hence the eye-popping punitive damages awarded in each case.40 For an industry which has progressed as fast as the Internet of Things has, this is an unacceptable proposition. For the above reasons, I join the voices of industry security experts in their call for increased government oversight.41

Footnotes

1. Echelon, Overview, https://www.echelon.com/applications/pl-rf-outdoor-lighting (last visited Feb. 15, 2018).

2. OnFarm, About, http://www.onfarm.com/about/ (last visited Feb. 15, 2018).

3. Ground Lab, Open Source Lion Tracking, http://home.groundlab.cc/lioncollars.html (last visited Feb. 15, 2018).

4. Fed. Trade Comm’n, Internet of Things: Privacy & Security in a Connected World at i (Jan. 2015), https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

5. Please disregard the Sisyphean nature of this proposition.

6. Notable exceptions (merely examples, not endorsements): Apple HomeKit, Nest, Amazon Echo, Google Home, and Samsung SmartThings. The security of these products does not depend on your WiFi password, which automatically renders them dramatically more secure than the vast majority of the IoT devices out there. (That being said, around 20 million Amazon Echoes and Google Homes were hacked via a Bluetooth exploit in late 2017, which has since been (mostly) patched. Not even the industry leaders’ devices are foolproof.)

7. Flynn v. FCA US LLC., 3:15-cv-855 (S.D. Ill. 2015).

8. Ross v. St. Jude Medical Inc., No. 2:16-cv-06465 (C.D. Cal. 2016).

9. Baker v. ADT Corp., No. 2:15-cv-02038 (C.D. Ill. Nov. 9, 2014).

10. Archer-Hayes v. ToyTalk, Inc., No. BC603467, 2015 WL 8304161 (Cal. Super. 2015).

11. Chante Owens, Stranger hacks family’s baby monitor and talks to child at night, The San Francisco Globe (Dec. 17, 2017) http://sfglobe.com/2016/01/06/stranger-hacks-familys-baby-monitor-and-talks-to-child-at-night/ (last visited Feb. 15, 2018).

12. Id.

13. Justin Paine, a DDoS mitigation expert, gave the following quote in the wake of the Mirai botnet’s attack on Dyn (one of the companies which makes up the “backbone of the Internet”)—“We all realized that this isn’t something that just affects my computer or my network—this could put the entire Internet at risk.”

14. Bruce Schneier, Botnets of Things, MIT Technology Review, https://www.technologyreview.com/s/603500/10-breakthrough-technologies-2017-botnets-of-things/ (last visited Feb. 15, 2018).

15. Id.

16. Id.

17. Garrett M. Graff, How a Dorm Room Minecraft Scam Brought Down the Internet, Wired (Dec. 13, 2017, 3:55 PM), https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/ (last visited Feb. 15, 2018).

18. Id.

19. To perform a DDoS attack, perpetrators use a network of computers and servers to repeatedly send small “packets” of information to a target server. The frequency and multitude of these packets overwhelms the unsuspecting target server, preventing it from responding to legitimate requests for access to the website it hosts. To use the Daily Targum’s excellent analogy: “a DDoS attack is equivalent to the entire Scarlet Knights football team simultaneously tackling someone who was only expecting a handshake” (infra note 20).

20. Nikhilesh De, Cybersecurity expert identifies Rutgers student as DDoS perpetrator, The Daily Targum (Jan. 23, 2017, 12:05 AM), http://www.dailytargum.com/article/2017/01/cybersecurity-expert-identifies-rutgers-student-as-ddos-perpetrator (last visited Feb. 15, 2018).

21. Brian Krebs, Mirai IoT Botnet Co-Authors Plead Guilty, Krebs on Security (Dec. 13, 2017), https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/ (last visited Feb. 15, 2018).

22. Supra note 21.

23. Id.

24. Supra note 17.

25. Id.

26. The Anchorage, Alaska-based cybercrimes unit planted Internet of Things devices into the botnet and painstakingly traced the infection back to the main Mirai control server, thereby identifying Jha and White as suspects.36 Then, like a forensics expert testing for gunshot residue, the agents reconstructed the traffic data of the networks affected by the Mirai attacks, thereby establishing proof that Jha and White’s botnet was the means by which those attacks were accomplished. Supra note 17.

27. Andy Greenberg, The Reaper IoT Botnet Has Already Infected a Million Networks, Wired (Oct. 20, 2017, 5:45 PM), https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/ (last visited Feb. 15, 2018).

28. Supra note 4, at vii–viii.

29. Id. at 7-9.

30. Id.

31. Id. at 47-48.

32. Justin Baker, Internet of Everything: The IoT Market Is Projected to Expand 12x from 2017-2023, Hacker Noon (Oct. 17, 2017), https://hackernoon.com/internet-of-everything-the-iot-market-is-projected-to-expand-12x-from-2017-2023-175f845c2bcf (last visited Feb. 15, 2018).

33. The FTC may be dragging its heels, but at least the intelligence community recognizes the extent of the danger. According to the Director of National Intelligence, Daniel Coats, in his May 2017 testimony at a Senate Select Committee on Intelligence hearing: “In the future, state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks.”

34. Given the current political climate, this is—to say the least—unlikely.

35. S. 1691, Internet of Things (IoT) Cybersecurity Improvement Act, 115th Cong. (2017).

36. Id.

37. Liebeck v. McDonald’s Restaurants, P.T.S., Inc., No. CV-93-02419, 1995 WL 360309 (D.N.M., Aug. 18, 1994) (infamous hot coffee lawsuit in which evidence showed that defendant had been aware of the risk of injury the excessively hot coffee posed for over ten years, however, defendant’s quality control manager testified that despite this knowledge, the coffee’s temperature was never lowered because the general public remained ignorant of the risk of serious injury it posed).

38. Grimshaw v. Ford Motor Co., 119 Cal.App.3d. 757 (Cal. Ct. App., May 29, 1981) (plaintiffs in a products liability suit brought against manufacturer of 1972 Pinto were awarded over $122 million in punitive damages; it was established that Ford knew the placement of the Pinto’s fuel tank behind the rear axle was unacceptably dangerous and could have corrected the defect at minimal cost but elected not to do so).

39. Bullock v. Philip Morris USA, 159 Cal.App.4th 655 (Cal Ct. App., Jan. 30, 2008) (plaintiff’s estate was awarded a record $28 billion in punitive damages; it was established that defendant had been aware that smoking causes lung cancer since the 1960s but repeatedly made public statements to the contrary).

40. Owens-Corning Fiberglas Corp. v. Ballard, 749 So.2d 483 (Fla., August 26, 1999) (plaintiff developed mesothelioma cancer from working with defendant’s products during the 1960s and 1970s and was awarded $31 million in punitive damages; evidence showed that defendant knew of the health risks associated with asbestos yet failed to warn its consumers or remove the asbestos from its products).

41. E.g., Bruce Schneier, Click Here to Kill Everyone, New York Magazine (Jan. 27, 2017, 8:00 AM), http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html (last visited Feb. 15, 2018).
