Most everybody is familiar with the term Trojan Horse, drawn from Greek mythology. It’s a tale from the Trojan War where, after a fruitless 10-year attempt to capture the city of Troy, the Greeks constructed a huge wooden horse, left it outside the city walls, and then sailed away, seemingly accepting defeat. The Trojans were elated, celebrated, and pulled the horse into Troy, as a victory trophy. Unbeknownst to them, the massive horse was filled with Greek soldiers.
During the night, the Greek force crept out of the horse, and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greek army entered and destroyed the city of Troy, decisively ending the war.
Flash forward to 2016.
In an insightful article (read it here) published this past February by Popular Science, Kelsey D. Atherton wrote, “About two and a half centuries after America declared independence, over 150 years since the end of the Civil War, and 66 years since the Soviet Union became the second country in the world to possess nuclear weapons, the greatest threat the intelligence community sees facing the United States is Wi-Fi-enabled toasters. No really.”
Atherton’s article has proven to be prescient. Atherton’s toaster is just one of hundreds of millions of like devices – soon to be billions – that are permeating our lives on myriad levels. And last week, routers, DVR’s and IP cameras – basically millions of unprotected internet-enabled devices, joined forces at the direction of a bunch of amateur hackers – and launched a crippling DDoS attack against Dyn Inc. The IoTrojan Horse attack created overwhelming traffic to a number of high-level domains, such as Twitter, Amazon, Netflix and PayPal, effectively shutting them down. (read about it here).
I can almost hear the folks in Hollywood noodling over this one. Let’s see. We’ve made Bad Teacher, Bad Grampa…hmm…how about Bad Toy Story? Or maybe Bad IoToy Story?
Only this movie wouldn’t be engaging, or uplifting or funny. It would be a tragedy – a tragedy that is on the verge of happening in real life.
How can this be? There are many reasons but one that is most apparent is the lack of standards within the IoT sector.
Standards – a necessary evil then. A mission-critical requirement now.
Standards bodies are typically packed with representatives from governments and enterprises, and their decisions are mostly based on politics and their respective agency or company interests. The process at arriving at standards has always been time-consuming and laborious, but in essence, it worked. Mostly because time was never a consideration in reaching global consensus on things like EDI standards. When they happened, they happened.
Not today. Today, time is of the essence and procrastination is only going to make matters worse. With no standards to adhere to, companies worldwide are rapidly rushing IoT products to market for fear of losing out on the predicted IoT gold rush. Just check out the list of manufacturers (here) whose devices were conscripted to attack Brian Krebs’s KrebsOnSecurity website. It’s absolutely ridiculous that this has been allowed to occur.
Things have to change, and fast.
Cyberwar Measures Act – a radical approach to a dangerous problem
In 1970, Canada’s Prime Minister, Pierre Elliot Trudeau, invoked the War Measures Act in response to the FLQ’s (a terrorist group bent on independence for the Province of Quebec) kidnapping and murder of Pierre Laporte, a senior elected official. The Act gave the government sweeping powers, allowing it to arrest and detain anyone they believed was affiliated with the FLQ. While controversial at the time, the desired effect was realized. A second kidnapped victim, a British diplomat was released, and the Act effectively squashed the FLQ’s efforts to break up the country.
The US and indeed the entire world is in a similar state of crisis with far more dire consequences, and I feel strongly that it’s time to dispense with the slow, plodding standards-based way we deal with change in our connected world in favour of dramatic actions which will rapidly protect us from future attacks.
Furthermore, while we are wont to blame North Korea for the Sony hack, Russia for email hacks, or other nations for the attacks on our connected world, the sad reality is that the doors are so wide open that clever kids in their parent’s basements in any part of the world could be launching IoT-driven cyberattacks.
So, what should we do?
Invoke a Cyberwar Measures Act approach.
First, governments everywhere should steadfastly refuse to allow importation of any connected products that have hard-coded passwords (firmware) that cannot be changed, and those which do not enforce strong password setting at time of installation.
Second, every IP address that was used in the Dyn attack should be disabled, and any of the things, which were connected at those IP addresses, which cannot be secured as described above, should be denied reconnection.
Third, the remaining IP addresses with known to be insecure ‘things’ connected (devices similar to those used in the recent DDoS attacks), should also be disabled.
Fourth, let’s immediately ban the importation of the devices that Brian Krebs revealed were used in that particular IoT DDoS attack, putting the onus on the manufacturers to prove their devices are sufficiently secure before reinstating them as IoT safe manufacturers.
The IoTrojan horse has arrived, but unlike the citizens of the city of Troy, we can still win this battle if we act quickly.
Governments of the world, are you listening? It’s time to step up and do what you are meant to do…serve and protect the citizens of your respective nations.
Also Read: Top 5 Things to Know About Recent IoT Attacks