
After botnet attacks, stakes rise for security in connected things

At the Security of Things Forum in Washington, cybersecurity experts addressed the challenges of securing the Internet of Things after hackers shut down large segments of the web by taking advantage of insecure connected devices.

Photo: Michael Bonfigli/海角大神
German cybersecurity consultant Ralph Langner of The Langner Group speaks at Passcode's "Security of Things" event in Washington on October 27, 2016.

Think the internet-connected devices plugged in at your office or home are safe from hackers? You might want to take another look.

After a recent cyberattack shuttered much of the web by turning insecure connected devices into a massive botnet, experts and policymakers worry that the so-called Internet of Things could be more vulnerable than ever.

That issue was a focal point of conversation at last week's Security of Things Forum in Washington, hosted by Passcode and , where hackers, security researchers, and government officials warned of the risks of rapidly expanding connectivity, especially within the most critical industries and infrastructures.

"Most people are under the complete illusion that, oh, they've got safety systems. Safety does not factor in security," said Ralph Langner, a well-known German security researcher, referring to systems designed to prevent shutdowns at power plants and chemical facilities. "High value targets must never be connected to the internet. Nobody connects a factory to the internet in order to be more secure."

The event took place a week after unknown attackers deployed the Mirai botnet, a malicious network made up of insecure routers, digital video recorders, and other internet-connected products, to overwhelm internet performance firm Dyn with phony traffic. As a result, such popular sites as Netflix, Spotify, and Amazon were knocked offline for much of the day.

Now, with as many as 30 billion devices , security experts who spoke at the Security of Things Forum worried that the attack could be another sign that hackers can take advantage of insecure Internet of Things gadgets to cause serious digital havoc.

Here are some of the suggestions they made to secure physical devices coming online:

1. Out with the old, in with the new

It's not just hooking up everything from cars to defibrillators to the web that creates security challenges: Many companies and US government agencies leave themselves vulnerable to hacks by running old systems and old code — including code that recently turned 50.

"Legacy technologies tend to dominate simply because of size," said Anup Ghosh, chief executive officer of the cybersecurity company Invincea. "In the federal space, we're deploying to agencies with 200,000 people. You can't just snap your fingers and cover the department."

But that message doesn't seem to be getting through at critical infrastructure facilities, where old, insecure systems can be pervasive.

"It's sort of like getting the guys from 1950 to hold hands and talk conversationally with someone born in 1990," says Stan Lowe, an executive adviser at Booz Allen Hamilton who helps develop cybersecurity strategies.

The solution, Mr. Lowe says, is to start over from scratch.

"There's no way to retrofit this stuff. We're going to bolt on security around the old stuff," he adds.

2. Cyber war is still in its 'teenage years'

December's digital attack against Ukraine's power grid that shut out the lights for more than 230,000 people — the first such hack to cut out power — served as another wake-up call proving hackers could soon commandeer critical infrastructure.

But Mr. Langner, the German security researcher, says that attack had a lot to do with human error, as operators did not shut off manual controls at the impacted facilities.

"There is a legitimate command that allows you to manipulate the [power supply] via the network," Mr. Langner said of the tactics that hackers purportedly used to shut down power systems. "You got to be a damn fool if you don't disable that functionality. No super hacking involved here, no buffer overflow, you just need to understand how modern products work, you just need to understand the manual."

That could be a significant problem, Langner says, since more states are getting access to destructive cyberweapons, and there are few international rules to regulate their use.

"What we see today is like the teenage years of cyberconflict. It's characterized by rude behavior," he said. "Those with the muscle are like teenagers. They're checking out what they can do."

3. Don't disconnect

The distributed denial of service, or DDoS, attack that knocked out Netflix, Spotify, and other popular US websites on Oct. 21 might seem like a sign to unplug for a while. Not for Charley Snyder. The senior adviser at the Department of Defense has used similar cyberattacks to encourage the Pentagon to invite hackers to test its systems for software flaws in a public bug bounty program.

"Too often, I think the government tries to wall itself off from the web," Mr. Snyder said. "That just doesn't logically work."

Instead, Snyder said the success of the Hack the Pentagon program to root out bugs in Defense Department systems — including an 18-year-old who just graduated high school — shows how helpful it can be to bring an outside set of eyes to security challenges.

"We have quite a big budget, we spend quite a bit on information technology, but it's hard to know we have the eyeballs on the systems that they really deserve," he said. "If we could tap into thousands or tens of thousands of people across the country, that seems to be a really meaningful way to use this as a force multiplier."

That doesn't mean setting up US government bug bounties will be easy.

"There's not really anything in my experience that's as complex as how we secure systems and make them more resilient," said Leonard Bailey, a Special Counsel for National Security in the Department of Justice's Computer Crime and Intellectual Property Section.

But, he says, inviting hackers into the Justice Department to hear out their concerns about federal prosecution of computer crimes has pushed the relationship forward.

"That resulted in going from being yelled at to presenting at Black Hat [hacker conference in Las Vegas]," he said.
