Lessons from Mirai: Hacking Pays
You can have an Internet of Things deployment that is good, fast, or cheap. Which two do you pick?
Most developers of consumer-facing connected devices have apparently answered that project-management question by picking the last two items in the list. Not only are many of the products rushed to market, they are designed for frictionless deployment.
That mistake is causing blowback for the entire IoT industry.
Sure, consumers love convenience. But so do hackers. And for cybercriminals, the Internet of Things is good for business, and, for many of them, business is booming.
An average hacker earns about $40.75 per hour—more than an average computer programmer or software engineer, according to a survey from the Ponemon Institute. The typical hacker, however, earns relatively little: just $28,744 a year, working only 705 hours in that year, according to the Ponemon survey, titled “Flipping the Economics of Attacks.” A big part of the reason for that low figure is that a typical hacker has trouble finding valuable targets. Talented hackers can easily make six-figure salaries, and a few even get rich.
Complicating matters is that IoT vendors sometimes have a financial disincentive to make products secure. “Security is almost always the opposite of convenience. And an average person would probably not buy a device that requires them to do a bunch of technical stuff to get it to work securely,” says David Miller, chief security officer of Covisint. “The folks that make many connected devices are doing their best to make them auto-sensing and encryption-less. They wanted to make it so you can set up a device by plugging it in.”
Why Hacking Is No Longer Just for Nerds
More worrisome, however, is that the economics of hacking is changing in ways that could make the field more attractive to cybercriminals.
“Hacking used to be something that only geeks could do,” Miller says. “The hacker community was small and, in general, not nefarious. The people who broke into systems were called ‘crackers,’ and, in those days, you had to be an unbelievable geek and put hundreds of hours into a single exploit.”
Now, hackers have access to a proliferation of tools and services that makes it relatively simple to carry out many exploits.
The Mirai code that took down much of the Internet was designed to be a service, says Thomas Pore, director of IT & services at Plixer. “This code was purely created for financial reasons. And the release of the source code to the public opens up the possibility for ransom DDOS.”
“The IoT is also creating a larger attack space,” Miller says. “Here’s an analogy: If you want to secure a building with a front door and a back door, your job is simple. But if you have a building with 100 doors, or 200, it is an order of magnitude more difficult.”
Even with the backlash against the Internet of Things following the Mirai attack, the number of connected devices will likely continue to increase steadily. “I don’t think the concept of a household with 200 connected devices is really that far away,” says Thomas Pore of Plixer.
Miller agrees, noting that there are a small number of people living in the technology bubble who already may have close to 100 connected devices in their household: connected lights, smartphones, garage door openers, video cameras, DVRs, and so forth. “10 years ago, I had one computer. And I just had to worry that the data on that one device was secure,” he says. Now, the average household has 7.8 devices, according to the NPD Group’s Connected Intelligence Connected Home Entertainment Report.
The proliferation of devices enables cybercriminals to find the weakest security of devices on a network, and use that to get more valuable information. “If I hacked into your light bulb, I could get your Wi-Fi password. I could then get to your router, so I could change your connection protocols, and get to one of your computers. From there, I might be able to find a PDF with your social security number, which I could use for identity theft,” Miller says.
Lessons from the Automotive Industry
In many ways, the Internet of Things industry is like the automotive industry a century ago: young and difficult to navigate. Consider how the Orson Welles film, “The Magnificent Ambersons,” captured the climate of this era with its quotations summarizing how the “horseless carriage” was either a “useless nuisance” or destined to change the world.
We are in a similar phase now with the Internet of Things—early in the adoption curve. To be competitive, vendors must sway cost-conscious consumers, similar to how Henry Ford engineered the Model T to be affordable. In the early days of the automotive industry, safety was an afterthought. Although seat belts were invented in the middle of the nineteenth century, they didn't become common in cars until the 1950s and weren't mandated in the U.S. until 1968.
In the past century, the automotive industry has gradually sharpened its focus on safety. A similar type of transition has hopefully begun with IoT security, and vendors will conclude that unsecured products are bad for business. It is heartening that the Chinese company XiongMai Technologies, which had many of its devices exploited in the October 21 Dyn attack, is vowing to make its products more secure. The company is also recalling millions of its cameras and other devices.
Meanwhile, it’s worth remembering that much of the talk about IoT security sounds like a parade of horribles. Most cybercriminals aren’t working to cause some kind of apocalypse by hacking the Internet of Things. Most of them are just looking to get paid—whether it be financial compensation or prestige in their community. It follows that winning the IoT security battle takes more than technology and culture—it demands understanding the economics of hacking.