The dumb Internet of Things

The Internet of Things (IoT) is the trending buzz word in the field of computing today. Going by the dictionary, IoT is a collective name given to pieces of hardware, varying in size and power, from different corners of the world to the one large entity: The Internet. IoT is all about connecting devices to the Internet to make them communicate to each other, thereby making them efficient, productive and apparently, "smart".

We have all been dealing with "smart" devices in some form or the other. Consider the classical example of a slate. Earlier, it used to be a slab of polished stone on which one could make marking using a chalk. It slowly transitioned into the magic-slate, which could magically rub off the entire content of a panel with a swipe of a stick under it. Smart, wasn't it? It saved a lot of chalk, polishing, labour, and parents did not have to bother about their child catching dust-allergy. The intention of innovation was clear - to make the world a better place. But, are we there just yet?

It is only a week back a massive DDoS (Distributed Denial of Service) attack took place which crippled many Internet giants like LinkedIn, Twitter, Github and Spotify. Let us try to understand what this DDoS with an analogy.
Imagine that you are at home and you are waiting for a really important phone call from your best friend. All of a sudden, tens of thousands of people call your phone number at the same time trying to tell you something. The odds of your friend's important information getting through to you go down drastically because your phone line can only handle one call at a time. DDoS attacks are kind of like that but only with a computer. While the computer/server has more resources that it can use simultaneously, eventually, it too can get overwhelmed resulting in a complete crash or ridiculous load times. (Thank you, Reddit!)

Following the attack, an immediate investigation was called for and it was reported that a huge army of hijacked Internet-connected devices was responsible for this attack. The attack reportedly peaked at around 1Tbps, large enough to bring down even the most powerful of servers. Now, this was not one or two people attacking the servers, but thousands of them, each with a bandwidth of its own from around the world.

Talking more about the attack, it does not show how skilled the people behind the attack is, but only shows how dumb the devices connected to the Internet are. The field of IoT is now being driven by business rather than technology and run for more devices on the cloud have left us insecure. Your innocent looking hand-held devices, Smart TV's, Cameras, Coffee Machines, etc can turn into Internet-killers of a large botnet group in no less than a couple of seconds and you will not even know about it until the cops come knocking at your doorsteps. Such is the amount of negative impact these tiny little machines have created today.

Why did this happen? Can another such attack be prevented? The answer depends on how the society reacts to the crisis and tries to understand the importance of cyber-security. Companies are releasing products with outdated software and ancient version of software with various vulnerabilities in them which allows a remote attacker to gain control over the device and use it as he/she needs. One of the vulnerabilities that the attackers try to exploit exists in the SSH service of devices that lets people connect remotely to it and execute commands. Shockingly, CVE-2004-1653 - a 12-year-old vulnerability in the SSH service was exploited recently to gain illegal control of devices. This clearly shows the disinterest of manufacturers in investing on security checks and audits.

In a world like this, staying safe online is as much important as staying safe in the real-life. Do not be that "yet another dumb" owner of an IoT device. It is often recommended to always keep your devices up-to-date with the latest patches and updates from the manufacturer. It is also a good idea to change the default values in the configuration of all your devices so that attackers can't find you through automation script. Be smart while dealing with your dumb devices. They need you as much as you need them.