Ready or not, the Internet of Things is about to explode. But whether we’re equipped to handle security for it is another question.
Gartner, an information technology research firm, estimates that there are 6.4 billion connected “things” in use this year and predicts the smart home ecosystem will only continue to grow, with as many as 20.8 billion devices online by 2020.
That means your car, speakers, router, refrigerator, medical devices and even your coffee maker will all be online — if they aren’t already — in addition to whatever new technological marvels come along in the next few years.
“We definitely have a lot of work to do. Any device that has an IP address is vulnerable to tampering,” Robert Siciliano, CEO of IDTheftSecurity.com, told NBC News.
The crippling DDoS attack that last week shut down many popular websites, including Twitter, Amazon and Spotify, turned harmless web-connected home devices, such as smart cameras, into cyber soldiers in a “botnet” — a network of “bots.”
That botnet then flooded its target, internet service management company Dyn, sending it artificial traffic that made it impossible to access its customers’ websites.
Casey Ellis, CEO and founder of Bugcrowd, a “bug bounty” platform that connects hackers with companies looking to test their security, told NBC News the existing security framework for many connected devices is “self-evidently terrible.”
“By far the most spectacular vulnerabilities that come through the platform, without fail, have to do with an IoT [Internet of Things] device,” he said.
That means, for example, picking a Bluetooth low-energy lock from a quarter-mile away or hacking an electronic wheelchair, which were some of the demonstrations at the Defcon hacking conference in August. Or look to the high-profile VTech toy hack last year that had the educational toy company and parents on edge.
“Part of what happens when people are developing new products, they have to rush it out to market to make sure they land the first punch,” Ellis said. “And security is something that will slow them down.”
The attack on Dyn was a wake-up call for consumers and manufacturers. However, Jeremiah Grossman, chief of security strategy at cybersecurity startup SentinelOne, said he doesn’t expect manufacturers to make any radical changes when it comes to security.
“It’s an economic disincentive,” Grossman told NBC News. “Consumers will buy the least expensive product to meet their needs, so when you add security, it’s an additional cost, making them less competitive.”
One company with products implicated in Friday’s attack is already taking ownership of the problem.
Chinese electronics firm Hangzhou XiongMai, which makes components for surveillance cameras, issued a recall for some of its devices sold in the United States after security researchers determined they may have been compromised and used in the attack.
A statement posted online Monday by the company in Chinese said customers who were exploited were likely using the default user name and password for their cameras — something manufacturers and security experts strongly advise not to do.
“What the bad guys are doing here is they are flexing their muscles and while it was damaging what happened, it’s a sign of bigger and more damaging things to come,” Grossman said. “We’re going to see these attacks to be bigger and more frequent.”
Kyle York, chief strategy officer at Dyn, the company that was hit with the DDoS attack last week, said they’re used to fending off “dozens of attacks in a week or month period” but that this one “really challenged us.”
“The fact that this one was so complicated, so sophisticated, so nuanced in its approach was why it was a real challenge for us to mitigate against it,” he said.
Friday’s attack was an inconvenience for everyone — Dyn, their customers and people looking to access their favorite sites. However, York said he doesn’t think it’s a reason for anyone with connected home devices to be worried.
“I don’t think it should change your day to day behavior,” he said. “Outside of gaining more of an understanding to how the internet actually works and what it means to plug in that device and turn it on.”