Imagine the houses in your hometown all have cardboard doors, or leave their doors wide open. Now imagine inside all those houses there are safes, jewellery cases, storage lockers and desk drawers all protected by locks made of paper. As you would expect, all of those houses and lockers and drawers would be easy pickings for professional burglars or even for unskilled thieves looking for something to pawn.
Now, imagine instead of stealing anything, the home invaders hid tiny devices inside all those poorly locked containers. Let's suppose those devices could make phone calls whenever and to wherever the invaders chose. Maybe the gizmos lay hidden in all those storage lockers and desk drawers, in all those homes, for years -- undetected and benign.
But one day, at the invaders' signal, this massive sleeper cell of tiny devices all dial 911 simultaneously. That jams an emergency switchboard. It makes it impossible for anyone to get connected to the exact vital service they need. Those services are denied because thousands of hidden, tiny phones have swamped 911. All of them forced to attack by a single malicious signal.
It would be like a Manchurian Candidate scenario -- except for jewellery cases, not brainwashed soldiers.
That's exactly what happened last Friday when Dyn, a switchboard for the Internet, was attacked by tens of millions of IP addresses all around the world. That attack swamped Dyn's East Coast servers and made it impossible for users to get to sites like Amazon, Etsy, Twitter and the New York Times. In fact, Dyn's servers were pounded in three different waves on Friday although Dyn managed to completely thwart the final assault.
What is most disturbing about the attack, called a distributed denial of service (DDoS), is which devices were involved. And this brings us back to cardboard doors and paper locks.
As many as 100,000 devices involved in the attack were part of what is called the Internet of Things (IoT). That includes security cameras, routers, DVRs, Internet-connected lighting and myriad other gadgets we've put in our homes. They all have IP addresses.
What's worse, many IoT devices, including routers, have terrible or no security. In order to infect these home devices, cyber home invaders need only guess simple passwords (cardboard doors), or just walk in through the open doors of completely insecure devices, like home routers.
Once in, using a relatively simple piece of nasty code called Mirai, the invader turns your toaster or baby monitor into a tiny brainwashed soldier that is now part of a botnet, a millions-strong army primed to attack a target the invader picks. Last Friday, that target was Dyn.
Even more disturbing is that many IoT devices now in homes were cheap and sold back when manufacturers didn't even consider security as an issue. And, many have simple passwords that can't easily be reset.
In other words, there is nothing the device owners, the government or security experts can do to prevent the devices from being used for DDoS attacks again and again. And DDoS attacks happen every day, though not on the scale of last week's Dyn assault.
We don't know who is responsible for the attack. Mirai is a relatively amateurish piece of malware and was released to the hacker community earlier this month. As Donald Trump might say, "Maybe it's the Russians, maybe it's China, we don't know." Or, it just could be some hackers who are the equivalent of amateur burglars looking for an easy target.
But whoever it is, we know this. In a rush to create smart homes and make our devices talk to each other, we have allowed a threat into our houses through our cardboard doors and paper locks.
To quote the old Pogo cartoon: "We have seen the enemy and he is us."
Wayne MacPhail has been a print and online journalist for 25 years, and is a long-time writer for rabble.ca on technology and the Internet.