(image by Irina Slutsky)
As the Internet returns to Congress in 2017 in the form of Senate J. Res. 34, its controversial offshoot, the Internet of Things, continues to cause chaos in its own unregulated market. For the past several years, malicious users have ramped up their exploitation of the innumerable security flaws of connected devices, turning the Internet of Things into a vast infected network. However, private programmers have quietly released viral anti-malware over the past several months, shutting down thousands of infected devices and highlighting the policy gap on the Internet of Things.
Whereas Internet regulation is traditionally concerned with smartphones, computers, and the privacy and content of the Internet itself, the Internet of Things (or IoT) is a massive portion of the digital sector that lacks concrete policy. The IoT refers to the countless connected devices other than phones and computers – CCTV, WiFi kitchen appliances, routers, smart cars, etc. And in virtually every country, the IoT lacks any manufacturing regulation for privacy or security.
Internet privacy regulation has been a contentious area of policy in recent years, but smartphones and computers in the U.S. are covered under “flexible” regulation, in which manufacturers are required to update security features to match current and upcoming threats. The flexible regulation does not detail any particular security measures, acknowledging the amorphous nature of the technology sector, and expects manufacturers to decide best practices. Other IoT devices do not have this protection, leading to the separation between devices.
In recent years, malicious private users and political groups alike have exploited the lack of security on IoT devices to attack other devices and websites. Many IoT devices use outdated security certificates and default passwords that can be easily guessed by algorithms, or are simply too old to have any viable security measures. Malicious users then typically infect the devices with malware and carry out DDoS attacks on target sites or insecure devices. (DDoS attacks, or distributed denial of service attacks, attempt to send more data to a site than that site can handle in bandwidth, until the site is temporarily forced to shut down.) Infected IoT devices, or botnets, have also been used to commit fraud and extortion. Because IoT devices often have limited user interfaces, owners generally don’t realize a device is infected, and the device waits to be used for attacks or continues to infect other devices until it is shut off – which may happen very rarely for a device like CCTV or a smart fridge.
These attacks by IoT devices are nontrivial; the problem of infected devices rose to the forefront of the security sector in 2016, when the Mirai virus, the malware used to conduct most major attacks, overwhelmed Dyn and interrupted Internet services for millions of U.S. users. During this attack, even large sites like Twitter and Netflix became unavailable; despite receiving massive amounts of traffic on a daily basis, Dyn was unable to compete with the data from the hundreds of thousands of botnets. In November 2016, another Mirai botnet interrupted the entire Internet service of Liberia, where Internet for the government, the public, and the private sector are all provided off of one cable. Smaller attacks against websites and individuals are unceasing.
Many researchers have suggested regulating the IoT like smartphones and computers in order to combat the increasing security dangers. In fact, flexible regulation would treat IoT devices the same as phones and computers, pushing manufacturers to work proactively and unceasing on IoT security. However, IoT regulation has several pitfalls. Most importantly, it is much harder for users to see security measures on their IoT devices and hold manufacturers accountable – whereas a computer has a complex interface with user-friendly security information and anti-virus software, an IoT device like a DVR has no such interface. Many infected IoT devices are also old; companies often abandon updating old devices, and new IoT regulation would have little effect on these older machines. A large number of older devices are unable to be updated at all. A final but major difficulty is the global nature of the Internet itself; regulation in the U.S. doesn’t apply to devices made in other countries, and even IoT devices that are covered under flexible regulation are still at risk from attack by malware based anywhere around the world.
The Internet has always been self-regulating, however, and private actors are developing their own ways to combat the weaknesses in the IoT without government regulation. On April 20, the newest version of the botnet nicknamed BrickerBot appeared and began hundreds of attacks on poorly-secured IoT devices. The BrickerBot attack targeted IoT devices with specific security weaknesses that cannot be updated by the manufacturer, and effectively closes the device off from the Internet in a permanent denial-of-service attack. Devices targeted by BrickerBot have not been able to be reset or restored. While the device can no longer connect to the Internet and is, in essence, ruined, it is also no longer able to infected by malware like Mirai. BrickerBot is not the only botnet of its type; combined with the similar Hajime and Wifatch botnets, these “vigilante” preventative measures by private actors have taken an estimated two million vulnerable devices off the Internet permanently.
Until regulation is enacted or an open-source solution is created, the infection of the IoT seems endless. However, concerned consumers can take some steps to protect their devices – changing default passwords, updating firmware, or disconnecting unneeded devices. “But overall, the trends favor the attacker,” says security expert Bill Schneier. “Expect more attacks like the one against Dyn in the coming year.”
Kelsey Robarts is a 1st year MPP at the College of William & Mary and an Associate Editor for the William & Mary Policy Review.