Albuquerque Journal

‘Smart’ devices may be the next invading army

The explosive growth of ‘the internet of things’ puts more potential weapons in hackers’ reach

- BY TIM JOHNSON

WASHINGTON — Dr. Herbert Lin, one of the nation’s preeminent thinkers on cybersecurity policy, shuns the internet-connected devices that fill some American homes.

He’ll have nothing to do with “smart” refrigerators, hands-free home speakers he can call by name, intelligent thermostats and the like.

“People say to me, ‘How can you have a doctorate in physics from MIT and not trust in technology?’ And I look at them and say, ‘How can I have a doctorate in physics from MIT and trust technology?’ ” Lin said.

Part of what he distrusts is the “internet of things,” and the ease with which hackers can penetrate “smart” devices with digital worms and shanghai them into massive robotic networks to launch crippling digital attacks or generate ever greater quantities of spam.

It is a mistrust based on mathematics. Internet-enabled devices are exploding in number. Gartner, a research giant in technology, says the devices will climb from 6.4 billion at the end of last year to 25 billion by 2020. Such growth sharply augments the power of hidden robotic networks, or botnets.

Now, an unseen battle unfolds. Weaponized digital worms are entering the scene and infecting masses of devices that obediently await instructions from a remote master to spring to action, possibly a new botnet attack.

‘Zombie armies’

The threat from botnets is so serious that then-FBI Director James Comey brought them up at a recent Senate hearing, saying the “zombie armies” created from internet devices can do tremendous harm.

“Last month, the FBI — working with our partners, with the Spanish national police — took down a botnet called the Kelihos botnet and locked up the Russian hacker behind that botnet,” Comey said. “He’s now in jail in Spain, and the good people’s computers who had been lashed to that zombie army have now been freed from it.”

Further botnet attacks are inevitable. “The next one could be just seconds or minutes from happening again,” said J. Kevin Reid, a former FBI agent who leads the national security portfolio at KeyLogic, a Morgantown, W.Va., firm that offers consulting services to the federal intelligence community.

Many consumers don’t realize that internet-enabled devices are unregulated and insecure — simpleton digital recruits in potential malicious armies.

A botnet has already made headlines once. Last Oct. 21, a botnet slowed internet activity to a crawl along the Atlantic seaboard. A hacker using a malicious worm dubbed Mirai — Japanese for “the future” — took over thousands of internet-connected security cameras and other seemingly innocuous devices and ordered them to fire relentless digital “pings” at a New Hampshire company, Dyn, that oversees part of the backbone of the internet. Dyn was overwhelmed, and popular sites such as Twitter and The New York Times were temporarily inaccessible.

Now a new worm, dubbed Hajime — Japanese for “beginning” — is spreading.

The Moscow-based Kaspersky Lab estimated in late April that the Hajime worm had already penetrated 300,000 devices worldwide and could rally them into a botnet army at a moment’s notice.

A force for good?

Initial forensics reports suggested that the Hajime worm might be the creation of a “white hat” hacker working to thwart future attacks by Mirai botnets. Hajime leaves behind a message that says in part: “Just a white hat, securing some systems.” But even if Hajime is presently a force for good, protecting devices from Mirai infection, how long will that last? Some analysts have doubts.

“While infected with Hajime, the vulnerable devices are protected from known Mirai attacks,” a principal security researcher for Kaspersky Lab, Igor Soumenkov, said in an email. He added, however, that “Hajime’s spreading methods are malicious in nature” and the worm “may go rogue at any time.”

That aspect of the internet of things, or IoT, gives jitters to Lin, the MIT-educated cybersecurity scholar at Stanford University’s Center for International Security and Cooperation who largely shuns internet-enabled devices.

“I don’t want something working on my system when I don’t know what it is,” Lin said, adding that installing even protective worms is not cool.

“There is an informal consensus that this is not an ethical thing to do,” Lin added. “You only have their word for it that they are going to do good stuff. Who knows what their definition of ‘white hat’ stuff is? And if you did, how do you know they are doing it?”

Reid, the KeyLogic expert, said the Hajime worm was “a little more robust” than Mirai.

“It’s written in some higher order language. It’s very powerful,” he said.

Intrusion techniques

The Hajime worm is programmed to avoid networks of certain U.S. companies and government entities, Soumenkov said, noting that they include those of General Electric, Hewlett-Packard, the U.S. Postal Service and the Department of Defense.

Such worms are designed to infect any device or machine with a connection to the internet, harnessing them as “zombie” soldiers in a botnet army. Infected devices can include not only appliances in the home, like coffeemakers and baby monitors, but also vending machines, soap dispensers, jet engines, light bulbs and industrial microcontrollers.

Even dolls for children can be forced into rogue botnets, Reid said.

“People would be like, ‘What? My child’s toy?’ Well, toys are pretty fancy nowadays,” Reid said. “They are going after camcorders and DVD players and other things with this particular intrusion technique.”

In practical terms, that means hackers who control botnets can extort businesses, threatening to overwhelm targets with traffic unless they pay. They can also amplify the power of those sending spam.

Already, up to 90 percent of the email traffic on the internet is spam, although internet service providers do a pretty good job of clearing it out with spam filters, Lin said, letting only a fraction through.

“Let’s say you increase that fraction by a factor of 10, or 100, which is what these IoT botnets threaten to do,” Lin said. “I assure you at that point you will get a lot more spam in your email inbox. Let’s say you get 100 times as much spam as you get now. It might make your email account unusable.”

BAO DANDAN/XINHUA/SIPA USA/TNS The threat from botnets is so serious that then-FBI Director James Comey brought them up at a Senate Judiciary Committee hearing on Capitol Hill in Washington, D.C., on May 3, 2017, saying “zombie armies” created from internet devices can do tremendous...
