The smart home has taken down the internet. Like many people on the east coast yesterday, I found much of the internet inaccessible for a good part of the morning and some of the afternoon. It turns out the culprit was the smart home devices that many of us (including me) have in our homes. We can now be affected by Distributed Denial of Service (DDoS) attacks by the products created to make life more convenient and safer. Thousands or millions of us may have inadvertently been responsible for taking down a chunk of the internet for many millions of people for numerous hours. This is frightening.
If a single person (or possibly a small group of people) can write scripts that take over our smart homes in the background and launch state-level attacks against major internet backbone providers (like Dyn and their managed DNS service), what can an actual state-sponsored attack do? We all now, essentially, have the ability to bring portions of the internet to their knees using freely distributed software more quickly and easily than we used to download shareware from Tucows just ten years ago.
We reached a point (many years ago, even) where “security through obscurity” is no longer a valid method of protecting our networks, devices, and data. It is not okay for hardware and software developers to ship products with default usernames and passwords that are easily guessable or trivially cracked. A sticker showing the randomly generated and secure usernames and passwords for each device could have been enough to stop this kind of attack. It is no longer okay to sacrifice security to avoid a few technical support calls or emails. It is no longer okay to not be able to handle briefly looking at a username and password sticker if you need to log in to an administrative panel (most people don’t, anyway). My Verizon FiOS Wi-Fi access point shipped with a surprisingly secure WPA2 password. Our smart home products can do it if our Internet Service Providers can do it. It is no longer okay to not take cybersecurity seriously.
The fact that this attack may not be state-sponsored or launched with a state-created tool is the most terrifying aspect of these attacks. It is one thing to be terrified of a major government’s nuclear stockpile, but bringing news outlets, banking systems, government services, and more to their knees through the efforts of possibly a lone coder is a different animal. Governments must fear retaliation. A 400-pound hacker in a basement may never be identified.
Without change and care taken by the companies we trust to come into and control our homes, the best that we can do is hope that this was a state-sponsored attack and this was their one shot with the best they’ve got. If this really was done by a lone coder, our newly exposed weakness could open the door to an even more damaging attack from an unfriendly foreign government. As more public utilities get “smart” and connected, we are forced to trust that they are taking cybersecurity seriously.
Being denied access to parts of the internet is annoying, but having our homes, power grids, banks, or water supplies taken over by an unidentified, untraceable actor is a matter of national security that cannot be ignored.