Internet of Things puts data at risk

Editorials featured in the Forum section are solely the opinions of their individual authors.

Are you aware that your beloved computer or laptop can be used as a weapon to abet a cyber-crime? Without your knowledge, your system can become a part of a botnet!

Hang in there for a moment — a botnet?

While I am sure that by now the tech geeks might have understood the reference I am trying to make, for others I will just let the cat out of the bag. It has already been four sentences! A lot of suspense here.

Well, a botnet is a network of infected computers that is controlled as a group by someone who does not have authorized access. This happens when computers on the internet are infected with some malicious software which compromises the security of the systems, thereby letting the attacker take the advantage of the vulnerability.

The severity of this kind of situation (where you are not in control of your computer) cannot be understated. It not only causes massive damage to the internet but also poses a security threat to the systems that are connected to the internet. For example, your personal information can be leaked.

With the advent of Internet of Things (IoT), which is a concept of internet where everyday objects have network connectivity for their communication, we have started relying more on the internet. Our dependency has increased to such an extent that today we are not just limited to using the internet on computers or cell phones; we use the internet in CCTV cameras, DVR players, coffeemakers, and even toasters! The point here is that as the digital devices that use internet capabilities keep increasing, the user base keeps growing. Every user adds a little more information to the pool of information that is already out in the open waiting for a hacker to break-in.

The power of IoT is vested in the ‘things’ that are the devices we keep adding to the internet space. But, can IoT always be this powerful? I guess the answer is no!

On Oct. 21, major parts of the U.S. suffered a massive internet outage because of a severe distributed denial of service attack (DDoS). DDoS exploits the capabilities of the botnets to flood a server with hundreds and thousands of page view requests impairing the server’s ability to function properly and hence causing the server to fail and collapse.

Experts claim that this attack was one of the largest cyber-attacks in history. What makes it remarkable is its source, the Mirai botnet, a new weapon which is not based on computers, but on the devices that make up the (IoT).
The Mirai botnet was comprised of the devices present in the IoT. If each device in the IoT was a data point, the Mirai Botnet had 100,000 data points! Imagine these data points coordinating and operating in cohesion to carry out an attack on a server, the strength of the attack and its impact would be significantly large.

With an extraordinary attack strength of 1.2 TBps, the Mirai botnets brought down the Internet single-handedly by attacking the servers of an Internet Performance Management company called Dyn. This company is the Domain Name System (DNS) provider for a large number of websites in the U.S. and acts as a switchboard for the internet. DNS translates a website’s address into a numerical address that allows systems to communicate with each other. DNS makes the internet operable.

Popular sites like Netflix, Spotify, Twitter, and the Financial Times use the services from Dyn and they all crashed because their DNS provider was under attack. When users sent requests to the access those sites (Netflix, Twitter, etc.) no response was generated. There was a huge disruption in their services. Another software company called Dynatrace also suffered this attack and out of 150 websites that it monitors, 77 were affected. According to CNN, this disruption has caused the companies a loss of up to $110 million in revenue and sales.

According to me, Mirai Botnet can be one of the worst nightmares in the world of internet and information security. Mirai Botnet harnesses the power of a network that has almost 5.5 million new things getting connected to it every day.

Can you imagine how powerful this botnet is?

Before you start to think hard, let me provide you one more item to your thought palette.

On Nov. 3, Mirai Botnet launched an attack on a small African country, Liberia. Seems like the Mirai Botnet attackers are onto something big! According to a security researcher, targeting a small nation might be the best place to conduct tests for cyber-weapons and check their effectiveness for larger attacks.

The real motives behind any of these attacks are not known. The Mirai attackers have launched their two main attacks very wisely. The first on Dyn had so many data points that it is a tedious task to track and investigate each data point, the second on Liberia had to few data points to arrive at any concrete conclusion. There is no information available on the internet about the reason behind these attacks except for the fact that the investigation is ongoing.

While no personal data has yet been compromised by any of these attacks in the U.S. or Liberia, the concerns of information privacy and security have re-surfaced. There is no assurance that our information on the web is safe and the thing that concerns me is that we are helpless.

It is scary how every day we become a little more dependent on IoT, and a little more prone to the risk of losing our very personal data. It is a case where there is no perfect in-between. You cannot be more dependent on the internet without being less likely to be cyber-attacked.

According to David Fidler, adjunct senior fellow for cyber security at the Council on Foreign Relations, the insecurity of IoT devices is a grave issue and there are no effective measures to deal with it.

One might say that adding security features to the devices in IoT might work. Well, agreed! But to what extent? The world will have 50 billion connected devices by 2020 and with the next 1 million devices coming online, formulating a security measure for each device would be a tedious task. A decent approach would be to have the right knowledge about handling these devices, but we cannot expect everyone to be proactive or efficient in learning and handling.

Technology has made almost everything simpler for the humanity, but I believe that IoT is a case where simplicity has brought in complexity that is difficult to simplify.

Until there are strict strategies to combat IoT security issues, we are left with two options. Either to not use devices that belong to IoT (Silly? Right!) or to take a leap of faith and take security measures at our end (leaving the rest to fate).
With the frequent cyber-attacks by Mirai botnet, I just hope that we do not come across a new Mirai attack in next few weeks. Mirai has revealed the vulnerabilities in the IoT framework and I feel that these should be fixed or attended to before Mirai hits us again, making us weaker than we already are.