How ’bout that Mirai Botnet

 

Do you remember that thing? It was the panic of the week last fall. Some jerks took large portions of the internet down for a couple hours. Everyone was in a tizzy for a bit. Well, the problem is still there. At least now nobody’s in a flail-your-arms panic over it, so maybe it’s worth discussing solutions.

Since there’s very little reason to remember the panic of the day even a week later, let me remind you how this works. A couple years back “Internet of Things” became the fashionable buzzword, so we all went out and bought WiFi-enabled toasters. Now you can start toasting automatically when your alarm clock goes off. The fact that your toast will be ice cold by your seventh snooze is a small price to pay for living in The Future! But when you got your FutureToast, you didn’t bother to change the default password (it’s a hassle and if you did you’d forget the new one and what’s the worst that could happen anyway?) Mr. Nefarious Hacker sees that you’ve got a FutureToast, and he can log into it too. With your toaster and the 13,000 other ones that nobody’s changed the passwords on (and the 3300 GarageNoMores, and 4200 BlindsWithScience, and 132 HubCapConnects) he’s got access to a massive number of internet-connected devices. Mr. Nefarious Hacker can then use them to form punishing denial of service attacks, making the internet useless to the rest of us.

How do we solve this problem? It seems resistant to market forces. From FutureToast Inc.’s perspective adding security to their toasters makes them cost more and makes them less user friendly. That translates to less toaster sales. The Customer doesn’t care; the fact that his toaster is a tool for world domination doesn’t stop it from providing toast on demand.

If you ask the computer security industry, they tend to tell you “Government Regulation.” Every FutureToast variant has to have a password change on first boot up, mandated by law. This solves the problem in the future, but there’s still a heck of a lot of unsecured devices in existence today. The government is also a good way to take all the vitality out of an industry. Maybe there are better solutions.

You could educate the public. As a rule that never works. Take me as an example. I know this is a thing, and I think it’s a big enough problem to post about it on Ricochet. Now ask me what my password is for my Raspberry Pi. It’s not hard to guess.

You could hack back. If you go into my FutureToast and change the passwords then Mr. Nefarious Hacker can’t use it. But then I can’t use it anymore, either. That approach amounts to the destruction of property. This is also not a good solution.

You could, and I can’t overstate the general applicability of this solution, actively wait for your problem to go away. We haven’t seen Mirai in the news much at all even though nobody’s fixed the problem. Maybe the world wakes up and realizes their fridge really shouldn’t have anything to say to their toilet and they stop buying IoT devices. Maybe we figure out a better way to catch the people behind these attacks and launching them becomes a much riskier proposition. Maybe Russia gets into a war with China and the world’s supply of hackers gets busy fighting one another. Maybe none of those happen and we’re still stuck with the problem.

What do you think, Ricochet? Got any brilliant ideas?

Published in Technology
This post was promoted to the Main Feed by a Ricochet Editor at the recommendation of Ricochet members.

There are 191 comments.

  1. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    I’m giving this a like for BlindsWithScience. Also, I hate you.

    • #1
  2. Hank Rhody Contributor
    Hank Rhody
    @HankRhody

    Matt Balzer (View Comment):
    I’m giving this a like for BlindsWithScience. Also, I hate you.

    Blinds with Science is my Indian name.

    • #2
  3. Hammer, The Inactive
    Hammer, The
    @RyanM

    I say let them kill the internet so we can go back to being decent human beings. Also, if you buy a wi-fi toaster, I have no sympathy for you.

    • #3
  4. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    Hammer, The (View Comment):
    I say let them kill the internet so we can go back to being decent human beings. Also, if you buy a wi-fi toaster, I have no sympathy for you.

    In my case at least the internet has nothing to do with it.

    • #4
  5. RightAngles Member
    RightAngles
    @RightAngles

    Hank Rhody (View Comment):

    Matt Balzer (View Comment):
    I’m giving this a like for BlindsWithScience. Also, I hate you.

    Blinds with Science is my Indian name.

    Mine is Dances With Difficulty.

    • #5
  6. Terry Mott Member
    Terry Mott
    @TerryMott

    Hank Rhody:You could hack back. If you go into my FutureToast and change the passwords then Mr. Nefarious Hacker can’t use it. But then I can’t use it anymore, either. That approach amounts to the destruction of property. This is also not a good solution.

    Although it offends my libertarian-ish sensibilities, I vote for hacking back.  When a user’s FutureToast stops working, they’ll contact the company’s support desk / send it back under warranty / post negative reviews on Amazon / toss it and vow never to buy anything from the FutureToast company again.  All that puts market pressure on the companies to make their IOT products more secure in the future.

    If the user actually learns what happened to their FutureToast, maybe next time they’ll take the extra minute to change the blankety-blank password.

    In the meanwhile, that’s one less idiotic “smart” device in the botnet.

    • #6
  7. James Lileks Contributor
    James Lileks
    @jameslileks

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees.  Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure.  One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price.  No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    • #7
  8. Aaron Miller Inactive
    Aaron Miller
    @AaronMiller

    My toaster keeps texting me pictures of toast burns shaped like celebrity faces.

    Nicolas Cage is just… well, toast.

    • #8
  9. OldDan Rhody Member
    OldDan Rhody
    @OldDanRhody

    Hank Rhody: You could, and I can’t overstate the general applicability of this solution, actively wait for your problem to go away.

    From the Tao, wu wei, action through nonaction.  Some of my best work was “accomplished” by this practice.

    • #9
  10. Randy Webster Inactive
    Randy Webster
    @RandyWebster

    Hank Rhody: How do we solve this problem?

    I solve it by buying a “just a toaster.”  I know I’m a Luddite before you comment.

    • #10
  11. Isaac Smith Member
    Isaac Smith
    @

    Randy Webster (View Comment):

    Hank Rhody: How do we solve this problem?

    I solve it by buying a “just a toaster.” I know I’m a Luddite before you comment.

    Yup.  I already have too many things and people telling me what to do, I should want my refrigerator to do the same?

    I don’t want my things to talk to each other; I’ve seen Terminator – it ends badly.

    • #11
  12. Guruforhire Inactive
    Guruforhire
    @Guruforhire

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    That’s the technical solution, but nobody has any incentive to buy it.  Since the products aren’t causing problems for the consumers.  So your marketing would have to be hyperbolic.  Since the hyperbole would basically be pretty obvious to anyone with the least amount of tech savvy.  The click baiters would kill it off.

    So the best thing to do is start an IETF working group and develop a standard API for home automation.  Then when there is an open standard, everybody would adopt it over time.  Then because developers can rely on standardized products, they can develop home automation platforms that are device neutral.  This is how the internet and networking in general work.  There isn’t much of the internet that isn’t the output of a UN committee, either the ITU or IETF.

    Verizon and Comcast will build a really basic one into the home routers because why leave money on the table.  Then if there is a creative interpretation of liability, a basic “secure my home” option will be enabled by default on the router.

    • #12
  13. Bryan G. Stephens Thatcher
    Bryan G. Stephens
    @BryanGStephens

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    I think this is spot on. Technology usually fixes these sorts of issues.

    I am not sure what the answer to mass drone attacks is going to be either, but I bet we come up with one. I think it will be a defensive drone swarm, but who knows.

    • #13
  14. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    American Hero Hank Rhody, you’re a mad genius.

    This should be on the Main Feed post haste, but ‘less sales’–are you mad?

    • #14
  15. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    Hank Rhody: The Customer doesn’t care; the fact that his toaster is a tool for world domination doesn’t stop it from providing toast on demand.

    Doesn’t care? What is he, heartless, not just brainless? FYI Rhody, here’s a quote from a ‘customer’, who shall remain anonymous for reasons soon to become obvious:

    “You think I, like, don’t care? That’s bogus, man! First, I, like, am totally down with multi-tasking–that, like, the future, man! And B!, World Domination Toaster Revolution? Hellz to the yeah! Their early work with Mr. Nefarious was lit af and totally rad!”

    • #15
  16. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    You left out the part where people start worshiping these things & they also become conversation pieces. HomeShield, it will turn out, peppers you with fun facts. Not AccuArmor, that gives you vaguely spurious information about the attacks on you it is fending off. But NetSoldier is best for the young–it constantly tells you to man up, & also destroy people with different opinions.

    • #16
  17. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    Guruforhire (View Comment):

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    That’s the technical solution, but nobody has any incentive to buy it. Since the products aren’t causing problems for the consumers. So your marketing would have to be hyperbolic. Since the hyperbole would basically be pretty obvious to anyone with the least amount of tech savvy. The click baiters would kill it off.

    So the best thing to do is start an IETF working group and develop a standard API for home automation. Then when there is an open standard, everybody would adopt it over time. Then because developers can rely on standardized products, they can develop home automation platforms that are device neutral. This is how the internet and networking in general work. There isn’t much of the internet that isn’t the output of a UN committee, either the ITU or IETF.

    Verizon and Comcast will build a really basic one into the home routers because why leave money on the table. Then if there is a creative interpretation of liability, a basic “secure my home” option will be enabled by default on the router.

    I’m sorry, but where’s the part where the gov’t gets its dirty fingers all over this?

    • #17
  18. Bryan G. Stephens Thatcher
    Bryan G. Stephens
    @BryanGStephens

    Titus Techera (View Comment):

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    You left out the part where people start worshiping these things & they also become conversation pieces. HomeShield, it will turn out, peppers you with fun facts. Not AccuArmor, that gives you vaguely spurious information about the attacks on you it is fending off. But NetSoldier is best for the young–it constantly tells you to man up, & also destroy people with different opinions.

    Bah, real men go with the Linux based OpenArmour. Now, that’s a real security, crowdsourced by the best minds in CopyLeft, Man!

    • #18
  19. Guruforhire Inactive
    Guruforhire
    @Guruforhire

    Titus Techera (View Comment):
    I’m sorry, but where’s the part where the gov’t gets its dirty fingers all over this?

    The part where we have an economic dilemma whereby no individual actor has an individual incentive for cooperative behavior, and the lack of cooperative behavior has negative externalities.

    There isn’t much about Ricochet that isn’t standing on top of a bunch of UN commissions like a US space program that would really rather not talk about purloined Nazi scientists.

    • #19
  20. Ekosj Member
    Ekosj
    @Ekosj

    Guruforhire (View Comment):

    Titus Techera (View Comment):
    I’m sorry, but where’s the part where the gov’t gets its dirty fingers all over this?

    The part where we have an economic dilemma whereby no individual actor has an individual incentive for cooperative behavior, and the lack of cooperative behavior has negative externalities.

    There isn’t much about Ricochet that isn’t standing on top of a bunch of UN commissions like a US space program that would really rather not talk about purloined Nazi scientists.

    Hey… But they were ‘our’ Nazi scientists.    Finders keepers!

    • #20
  21. Ekosj Member
    Ekosj
    @Ekosj

    Isaac Smith (View Comment):

    Randy Webster (View Comment):

    Hank Rhody: How do we solve this problem?

    I solve it by buying a “just a toaster.” I know I’m a Luddite before you comment.

    Yup. I already have too many things and people telling me what to do, I should want my refrigerator to do the same?

    I don’t want my things to talk to each other; I’ve seen Terminator – it ends badly.

    Amen Isaac and Randy.

    • #21
  22. skipsul Inactive
    skipsul
    @skipsul

    James Lileks (View Comment):

    How do we solve this problem? It seems resistant to market forces.

    Or is it? Someone comes up with HomeShield, or AccuArmor, or NetSoldier. All the IoT items go through it. Market it on talk radio; get Best Buy to offer installation for $19.99, plus monthly fees. Cable ads on AMC showing a fashionable family living happily, laughing in their secure home, where the toasters are secure. One or two of the brands becomes the industry standard, inasmuch as everyone recognizes them from the ads. Then the most popular IoT product offers it as a reduced subscription rate – say, $9.99 per year, or .99 a month. Then subscription is considered to be part of the deal when you buy an IoT device, baked into the price. No one buys anything that isn’t AccuArmor or HomeShield compliant.

    Does that seem far-fetched?

    You have obviously never had to do tech support.

    • #22
  23. skipsul Inactive
    skipsul
    @skipsul

    I had to replace my washer recently – the new one (an LG model) came with WiFi, there’s a smartphone app you can use to load it with your own customized wash cycles!  I’m not going to bother.

    The fact is: IoT is at the moment a frivolity for most applications.  People are still trying to figure out what to do with it, and so they’re loading it into everything, whether it makes sense or not.  Sorta like other prior tech fads going all the way back to radium (for heaven’s sake, they were putting it in cosmetics!).  Eventually it will work itself into some genuinely useful applications beyond using your phone to dim your lights.

    In the meantime, though, we should always remember this: security and convenience are ever at war.  The tech-savvy know how the security works and also know how to run the odds on whether it’s even applicable to themselves, while the rest of the population likely doesn’t use security at all unless they have to, or unless it is so easy to use as to cease being an inconvenience.

    So the market challenge is to make it easy to use while still being effective.  I think we’re a long way off from that.

    • #23
  24. DrewInWisconsin Member
    DrewInWisconsin
    @DrewInWisconsin

    Maybe this is a dumb question, but after reading about all of the above problems, hacks, and indecipherable tech solutions, there’s still one thing I don’t understand: Why do I want my Toaster to be internet-ready?

    • #24
  25. Judge Mental Member
    Judge Mental
    @JudgeMental

    DrewInWisconsin (View Comment):
    Maybe this is a dumb question, but after reading about all of the above problems, hacks, and indecipherable tech solutions, there’s still one thing I don’t understand: Why do I want my Toaster to be internet-ready?

    So you can monitor the progress of the toasting process from a remote location.

    • #25
  26. DrewInWisconsin Member
    DrewInWisconsin
    @DrewInWisconsin

    Judge Mental (View Comment):

    DrewInWisconsin (View Comment):
    Maybe this is a dumb question, but after reading about all of the above problems, hacks, and indecipherable tech solutions, there’s still one thing I don’t understand: Why do I want my Toaster to be internet-ready?

    So you can monitor the progress of the toasting process from a remote location.

    Oh.

    Er . . . uh . . .

    Huh.

    • #26
  27. RightAngles Member
    RightAngles
    @RightAngles

    I had no idea this was a thing, and since I’m just like most people, I bet nobody else (outside of IT) does either. I have Spectrum Intelligent Home (was Time Warner), a wireless home security system. So are you telling me I’m adding to potential disasters? And can hackers hack into it and use my toaster when I’m not home?

    • #27
  28. DrewInWisconsin Member
    DrewInWisconsin
    @DrewInWisconsin

    RightAngles (View Comment):
    I had no idea this was a thing, and since I’m just like most people, I bet nobody else (outside of IT) does either. I have Spectrum Intelligent Home (was Time Warner), a wireless home security system. So are you telling me I’m adding to potential disasters? And can hackers hack into it and use my toaster when I’m not home?

    Yes, but they can’t figure out where you keep the butter.

    • #28
  29. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    DrewInWisconsin (View Comment):

    RightAngles (View Comment):
    I had no idea this was a thing, and since I’m just like most people, I bet nobody else (outside of IT) does either. I have Spectrum Intelligent Home (was Time Warner), a wireless home security system. So are you telling me I’m adding to potential disasters? And can hackers hack into it and use my toaster when I’m not home?

    Yes, but they can’t figure out where you keep the butter.

    It goes on the roll, duh.

    • #29
  30. Matt Balzer Member
    Matt Balzer
    @MattBalzer

    skipsul (View Comment):
    I had to replace my washer recently – the new one (an LG model) came with WiFi, there’s a smartphone app you can use to load it with your own customized wash cycles! I’m not going to bother.

    Neat! But you still have to put the clothes in manually, so even if you wanted to do that, why wouldn’t you just program the cycles at the machine? You wouldn’t even need it to be connected to anything for that.

    • #30