Science

Unregulated 'internet of things' industry puts us all at risk, security experts say

Last Friday's massive cyberattacks should serve as a "wake-up call" to alert the public that internet-connected devices designed to make our lives more convenient are also making us unsafe, security analysts warn.

Massive DDoS attacks that exploited internet-connected devices spark calls for better industry standards

Baby monitors are one of the increasing number of so-called smart devices that come connected to the internet. Security experts are warning that such devices can leave consumers vulnerable to hacking and are urging governments to more closely regulate their production. (Steve Marcus/Reuters)

Last Friday's massive cyberattacks should serve as a "wake-up call" and a warning to consumers that smart devices designed to make our lives more convenient are also making us unsafe, security analysts warn.

We're at the frontier of an era in which everyday objects — baby monitors, home appliances and even medical devices — come with built-in web connections. But regulation and security measures aren't keeping pace with this phenomenon, dubbed "the internet of things."

"Back in the 1970s, for much of the 1980s, and even into the 1990s, it was hard to foresee just how integrated this far-flung global infrastructure would become with every aspect of our lives and thus have deep security implications," Gabriella Coleman, the Wolfe chair in scientific and technological literacy at McGill University, said.

"Given the magnitude of this attack, let's hope it can serve as a wake-up call, forcing government officials to more aggressively regulate the production of these devices so that companies are forced to make security a priority."

Otherwise, experts say we can expect to see a lot more cyberattacks that jeopardize individuals, businesses — or as we saw  last week — the very fabric of the internet.

Your stuff is the weakest link

While Friday's cyberattacks ultimately targeted big companies like Twitter and Paypal, hackers went through everyday people's personal gadgets to do it.

Internet infrastructure company Dyn, whose customers include some of the world's most widely visited websites, got hit by distributed denial-of-service, or DDoS, attack. That's when hackers overwhelm servers with junk data traffic from malware-infected devices.

Once upon a time, this largely involved infecting and recruiting "zombie" home PCs or printers. But nowadays, our smart devices are the weakest link in the cybersecurity network.

"It's harder to break into workstations and windows devices, so they go onto this new set of devices that are still very much at the early stage of the technology curve," Eldon Sprickerhoff, founder and chief security strategist at the Cambridge, Ont.-based cybersecurity company eSentire, told CBC News.

Hand setting a thermostat with a blue screen to 72 F.
These days, it's not hard to find home devices and appliances such as thermostats, above, smoke detectors and refrigerators that can be controlled from afar by way of the internet. (Eric Risberg/The Associated Press)

These devices are part of a rapidly growing market, with hundreds of small, overseas companies churning out millions of cheap products made from outsourced components and code, and they can be infected without ever disrupting their core function.

"You don't know if your device has been compromised. Everything in your house could already be taken over — there's no way for you to know that," tech journalist and author Glenn Fleishman said.

"Until companies issue software updates or even tools to check if your device hasn't been modified, you may be stuck already with something that's always ready to attack."

Sometimes, it's personal

Anyone could find themselves in the crosshairs.

"While the latest attack targeted popular social media websites, in the future such an attack can be used to render more vital sites, like hospital websites, inaccessible," Coleman said.

Or it could be downright personal.  

Journalist Brian Krebs' website was the target of huge DDoS attack in September.

Someone can take over your webcam or baby monitor and spy on you, or hack into your security system or medical devices such as insulin pumps and pacemakers.

It doesn't take a genius to exploit weak devices, Fleishman says. Teenagers can do it.

"This is like everybody has a nuclear bomb," he said. "It has the potential that every day, we could have an attack that's the worst attack we ever had on the internet, and that could happen successively for some time."

'A war in heaven'

Chinese firm Hangzhou Xiongmai Technology, whose now-recalled webcams were targeted in Friday's attacks, has pointed the finger at users who don't change their default passwords.

Fleishman says that's a cop-out.

"There's a habit of user-blaming, which is a thing that the technology industry does when it doesn't want to own a problem," he said.

"Why are users responsible for changing passwords when every device shipping from a given company, the username is 'admin' and the password is 'admin'?"

What's more, some of these devices have hardcoded passwords that even the most tech-savvy user can't reset.

In an article for Macworld, Fleishman called it "a war in heaven," where hackers and big companies are the gods battling it out and consumers are the mortals caught in the crossfire.

"The war is between hackers, who are all individuals and syndicates and so forth, and manufacturers, who have no motivation to improve this, and users are just dying on the battlefield," he said.

ABOUT THE AUTHOR

Sheena Goodyear

Journalist

Sheena Goodyear is a web journalist with CBC Radio's As It Happens in Toronto. She is equally comfortable tackling complex and emotionally difficult stories that hold truth to power, or spinning quirky yarns about the weird and wonderful things people get up to all over the world. She has a particular passion for highlighting stories from LGBTQ communities. Originally from Newfoundland and Labrador, her work has appeared on CBC News, Sun Media, the Globe & Mail, the Toronto Star, VICE News and more. You can reach her at [email protected]

With files from Ramona Pringle and Associated Press