Where were you when a massive distributed denial-of-service attack interrupted internet connectivity for large swaths of the East Coast on Friday morning? With any luck, you were still asleep at 7 a.m. when a massive volume of online traffic first hit Dyn, a New Hampshire–based company that helps translate URLs that you type into your browser (like Slate.com) into IP addresses (like 188.8.131.52) that will actually direct you to the servers you want to access.
But even if you slept straight through the first part of the attack, you may well have been involved, especially if you purchase smart home devices and don’t change their default passwords. According to a post from Dyn, tens of millions of IP addresses were involved in the attack. That means tens of millions of compromised machines were bombarding Dyn, many of them infected by Mirai, a malware program that uses password-guessing software to compromise common network-connected devices like closed-circuit cameras and DVRs. Those are the type of “things” that comprise the so-called Internet of Things, and people have been worried for a long time about the security implications of networking more and more physical devices. In the words of one New York Times headline, this was the harbinger of a “new era of internet attacks.”
But it also looked strikingly familiar. After all, we’ve seen massive distributed denial-of-service attacks before. We’ve even seen them directed at the Domain Name System before. For instance, less than a year ago, in December 2015, a similar attack flooded several of the internet’s DNS root servers. That smaller attack impacted fewer users than Friday’s, and it didn’t, so far as we know, involve the Internet of Things at all, just standard run-of-the-mill compromised computers. What we saw on Friday was definitely bigger—but aside from that, was it actually any scarier?
There is an old debate about computer crimes: Are they actually something new, or are they basically just the same old traditional crimes (like credit card fraud or extortion) committed in larger volumes and from a greater geographic distance? But one of the few types of online crime that doesn’t have a direct pre-internet counterpart is, in fact, the denial-of-service attack.
So when it comes to the security threats posed by the Internet of Things, it’s fair to ask: Are they actually something new, or are they basically just the same old computer crimes committed at even greater scale? Friday’s attack seems to fall pretty clearly into the latter category, and that will likely continue to be true for as long as the connected devices are fairly low-risk in and of themselves.
That’s not to downplay the seriousness of last week’s incident, which caused major service interruptions for many internet users and raised crucial questions about how much attention we’re paying to the security of seemingly frivolous connected devices. It’s just to point out that if Friday marked the dawn of a new era of internet attacks then, so far at least, the new era looks an awful lot like the old one. The “thing-ness” of the compromised devices—the fact that they were cameras, not just laptops—did not make any real difference in this case except in terms of volume. And yes, that volume is concerning. More devices online means more targets for attackers to compromise and round up into massive botnets that can be used to bombard targets like Dyn with packets. In that sense, a bigger internet is an inherently less secure one. But there is good news here: The threats posed by the IoT are not—or at least not yet—so much more dramatic or life-threatening than the ones we’ve been dealing with for years.
Some of the threats of the Internet of Things are obvious: If your car is networked and can be compromised remotely, that poses a clear risk to safety. But other threats have been harder to articulate: If your DVR or your freezer or your toothbrush can be hacked, well, then, so what? The attacks on Dyn suggest that we need to care about the security of the Internet of Things, even if we don’t especially care about the “thing” in question. Compromising one device can be a stepping stone for launching attacks on other, more valuable targets. This is an important lesson of online security and often an incredibly difficult one to impress upon users: Even the accounts and computers and machines that you don’t care about being compromised can often be used to attack something that you do care about.
Because we are sanguine about the dangers of a hacked toothbrush, we are less likely to change those default passwords, which increases the chance that those low-risk devices will be compromised by a program like Mirai.
Internet-connected cars or stoves are a different story, of course. I’m not too scared about someone hacking into my DVR and judging me for my devotion to old episodes of America’s Next Top Model. But the possibility of someone sending my car off a cliff, or setting my house on fire, or leaving my gas burners on overnight? Those scenarios scare me. Other devices may fall somewhere in the middle of the spectrum from trivial to life-threatening risks—a connected refrigerator, for instance, could be manipulated to spoil your food; a connected lightbulb could allow someone to turn your lights on and off. Certainly, these could be hugely irritating. Probably they wouldn’t actually kill you.
But they would definitely be something new—threats we have not previously faced from computers. Friday’s attack was only a very small step in that direction. It was a threat that we have seen many times before, a threat that was amplified and bolstered by the ubiquity of internet-connected devices, but not actually radically different in its nature or the kind of harm it inflicted from previous online attacks.
That doesn’t mean we should dismiss the security concerns about the internet of small or trivial things. The things you don’t care about securing online can be used to attack the things you do care about, like the internet’s infrastructure. But it still seems a bit too soon to be ushering in the era of apocalyptic Internet of Things security breaches.