A Cheap Internet of Things Threatens the Internet

A side effect of the smartphone revolution is the emergence of a rich—but cheap—ecosystem of building block modules. Unfortunately, these modules are very insecure and, when assembled into a quick and inexpensive device, they can cause serious trouble. They already have.

Once upon a time, if you wanted to try your hand in the personal computer hardware business, you would begin your journey with a trip to Tokyo’s Akihabara district. You could find anything imaginable, from resistors to motherboards, broadcast klystrons to phonograph needles, plus barely mentionable massage contraptions. Bring a screwdriver and build your own PC: chassis here, power supply there, motherboard, overclocked processor, liquid cooling for the tortured chip, fans, neon lights… Those were the PC organ bank days.

Today, we have the promise of another gold rush: The internet of things. You buy into the dream and decide to start a company that will build and sell security cameras… the baby monitor and toaster will follow.

To get inspiration, components, designers, contractors, and quotes, what better place to go than the latest and greatest electronics bazaar, the Huaqiangbei district in Shenzhen, China? Shenzhen, the home of the largest—and most notorious—Foxconn factory, is the world center for smartphone building blocks: sensors, cameras, GPS and most importantly, wireless transceivers.

You start with a basic application processor from Mediatek or one of its competitors. This gives you an ARM processor, a pared-down embedded Linux software engine and a network stack—everything you need for internet connectivity, with and without wires. Add your choice of sensors and drivers, hire a manufacturing contractor to assemble your security camera according to your own specs, and you’re in business.

Admittedly, you don’t have a radically differentiated product, but the money you saved on engineering will be spent creating a brand, convincing rapacious retail channels to carry your product, and genuflecting to web cacographers for product reviews… that’s life in the cruel world of Consumer Electronics.

If you fail, you’ve only created pain for your investors and co-workers.

If you succeed, you win… but trouble awaits, on a much larger scale.

Your computer module suppliers have sold millions of identical building blocks to your competitors and other consumer internet of things dreamers: DVRs, smart locks, weather stations, lighting systems… Finished products are sold to technically unsophisticated consumers who ignore updates or forget their logins and passwords. The module makers have anticipated this predicament and designed in a backdoor—a login/password combination that allows tech support to remotely take control and make the user happy.

Hackers get wind of this well-meaning but terribly lazy arrangement. Using standard Linux dissection tools, they browse the embedded software module and find the backdoor password… which they can use to unlock all of the internet of things devices from the offending maker.

The pirates have taken over the ship. They upload software to your unsuspecting device and turn it into a weapon part of a massive denial-of-service attack. Your security camera has been conscripted into a guerrilla army that incapacitates a website with an overwhelming volume of requests.

The “enemy,” the bullseye of the hacker’s ire, isn’t you or your home—it’s a political website that has offended the hacker’s sensibilities, or, with increasing frequency, a site that the pirates want to hold for ransom.

On an even grander and more terrifying scale, attacks have been directed at internet infrastructure services such as Domain Name System servers. DNS translates a name such as example.com into its actual, numerical IP (Internet Protocol) address—(example.com = 93.184.216.34). We saw this last week when a DoS attack on Dyn caused the massive East Coast internet outage that knocked out Twitter, Netflix and even The New York Times. No one knows who do it or why, but the implications are dire. What’s next? Energy and transportation infrastructures? Communication systems?

What is clear is that by being so easily penetrated, unbeknownst to their cuckolded owners, cheap internet of things devices represent a threat we have yet to fully understand. This is a side effect of the smartphone revolution. Billions of smartphones created an ecosystem of components, manufacturers and distributors in a fierce race to the bottom. Corners were cut, untold numbers of vulnerable devices now lie in wait on the internet. Who would have imagined a “security” camera could be taken over by hackers?

If this sounds exaggerated, another hazard is now revealed: a hole in a connected objects protocol called ZigBee used, as just one example, by Philips Hue smart bulbs. In a recent New York Times article, John Markoff describes the work of researchers who found an easy way to penetrate the ZigBee network and subvert lighting systems—or any other connected object that uses the protocol.

The consumer internet of things revolution will happen. But it won’t succeed on the cheap, especially not without much more attention to what lurks inside the connected objects we’re sold. For this to happen, we need to hold manufacturers liable and to buy only from companies that actually pay attention to security and privacy.