We’ve all been there: it’s Friday night, and you can’t connect to Netflix. After successfully pulling up Facebook, the horror sets in: there’s a problem with Netflix. So you grudgingly settle for scrolling through your news feed instead of binge-watching Stranger Things. On October 21, 2016, Netflix and several other websites—Twitter and CNN, to name a couple—were brought down by the largest recorded botnet distributed denial-of-service (DDoS) attack in history.
Generally speaking, a botnet is a large number of malware-infected computers that are all under the control of someone, presumably a would-be cybercriminal. When a botnet is used in a DDoS attack, the compromised computers flood the target with continuous, simultaneous connection requests. If the server has more traffic than it can handle, legitimate users won’t be able to connect, and the target often goes offline due to the strain—hence “denial of service.”
What set the October 21 attack apart from run-of-the-mill botnet DDoS attacks is that it heavily incorporated smart devices: Internet-connected appliances, like TVs, DVD players, and even refrigerators. As more devices are brought online, the warnings from experts about the “Internet of things” get louder.
What is the Internet of things?

The Internet of things is, simply put, the collection of smart devices connected to the web. From those aforementioned televisions and refrigerators to cars and thermostats, every smart device promises increased consumer convenience. While using a touchpad on the refrigerator to keep track of what’s inside and order groceries sounds convenient, many of these devices are extremely easy for cybercriminals to hack.
In 2016, NPR covered an experiment involving “a virtual Internet-connected toaster” that didn’t have any layers of security—not even a router firewall. The goal? To see how long it would take for hackers to attack the “smart toaster.” The result? It was targeted a mere 41 minutes after being brought online. Given the fact that the 2016 DDoS cyberattack involved nearly 100,000 devices in total, the experiment’s findings highlight just how vulnerable some smart devices really are.
It’s not news to anyone that modern cars contain electronic components that perform a variety of tasks: measure tire pressure and oil levels, report the vehicle’s speed, provide integrated satellite radio, and automatically engage hill-start and downhill assist braking. But it may raise more than a few eyebrows to learn that hackers can wirelessly apply or disengage a vehicle’s brakes. In a different report, hackers were able to steal a car by using a device that imitates the signals transmitted from the owner’s key fob.
Car manufacturers are trying to plug these security holes, but they seem to be behind the curve. One sign of progress comes from the FTC, which issued draft guidance to manufacturers in 2017 designed to help consumers “make better informed purchasing and use decisions” by recommending companies provide the following information:
• “Can the device receive security updates?
• How does the device receive updates?
• When will that support end?”

A hacker turning off your car’s brakes isn’t what most would call a best-case scenario. Whether considering the immediate or long-term impact, it’s painfully obvious that smart-device manufacturers need to address security risks presented by their products sooner rather than later. The next time you’re looking into buying an Internet-connected smart device, be sure to ask about its network security features.
Ryan Norton, Contributor