At the end of September, cybercriminals wielding a massive army of hacked internet-connected cameras and DVRs forced the website of a well-known and respected independent journalist offline. That attack used a fraction of a massive botnet of around 1.5 million easy-to-hack Internet of Things devices, according to estimates.
For its scale, it was an almost unprecedented distributed denial of service, or DDoS, attack. But few outside of the security community were paying attention. Then, almost a month later, the same Botnet of Things was used to attack an internet infrastructure company, bringing down Twitter, Reddit, Spotify and several other popular websites as collateral damage. That time, everyone was paying attention.
Now, more than two months after the first wave of attacks, the U.S. Congress is starting to freak out too. During a congressional hearing on Wednesday, confused representatives quizzed internet security experts on the looming dangers of the Internet of Things, and what to do to deal with them.
“I don’t want my refrigerator talking to some food police,” Rep. Greg Walden (R-OR) said half-seriously at one point during the two-hour hearing, where congressmen and congresswomen showed they’re very worried, but also very confused about what to do.
An often repeated question was: what’s the role of government regulation?
Bruce Schneier, a renowned computer security expert (and frequent Motherboard contributor), was perhaps the most vocal advocate for some sort of government intervention.
“The market really can’t fix this. The buyer and seller don’t care,” Schneier said. “I argue that the government has to get involved, and that this is a market failure. And what I need are some good regulations.”
Schneier didn’t go into much detail about what government regulations should look like, but compared dealing with Internet of Things insecurity to how governments dealt with pollution. In other words, he said, the ideal scenario would be setting minimum standards and then telling the industry “here’s the result we want, figure out how to do it in the most cost-effective way possible,” rather than regulating the process and the technology itself.
That will still somehow slow down innovation, Schneier admitted, but that will be necessary because, as he explained in a Motherboard column a few weeks ago, the Internet of Things has the potential to cause real-world disasters that affect and hurt people.
“In the world of dangerous things we constrain innovation. You cannot just build a plane and fly it,” Schneier argued. “It might be that the internet era of fun and games is over because the internet is now dangerous.”
Meanwhile, the chief security officer at Level 3 Communications, one of the largest internet infrastructure providers, revealed that there are still between 1.5 and 1.6 million Internet of Things devices infected by malware that enlists them into a botnet, such as the infamous Mirai, or its predecessor Bashlite. An independent security researcher known as MalwareTech, who’s been tracking Mirai for the last few weeks, confirmed that that number is accurate.
That means that despite all the attention brought by these large-scale attacks, and even after the Chinese webcam maker of some of the infected devices ordered a recall, the botnet isn’t getting any smaller. That’s probably the first problem the U.S. and other governments will need to find a way to deal with.