Last weekend a cyberattack launched from compromised webcams crippled a number of high-profile services. In response, the Chinese manufacturer has withdrawn the devices from the market.
That dodgy webcams should have been used to launch a massive DDoS doesn’t surprise anyone who’s spent any time in the home automation field. These problems are endemic in the Internet of Things.
In the early 2000s I became involved in a home automation company through my IT support business. Basically we were kitting out Sydney’s harbourfront mansions with state-of-the-art technology.
Very quickly I realised something was wrong. Almost all the home automation and CCTV systems were running on outdated, insecure software. The leading brand of home security systems used servers running on an old version of Windows 2000 at a time when malware was exploding.
It wasn’t a matter of if, but when, these systems would become hopelessly compromised given the networks they were running on were shared with the home users.
The real concern though was when I raised this with the vendors, installers and designers – no one cared. It was clear security wasn’t a concern for the market and the industry.
We could have patched the systems and boosted their security policies, but given the shoddy software being used – mainly DOS batch files – and the assumed file permissions, we’d have completely broken the systems and it would be up to us to fix it given the attitudes of vendors and clients.
After realising this problem was industry wide I pulled the pin on that business venture as I wasn’t prepared to carry the legal risk and moral obligation of helping install dangerous equipment into people’s homes or businesses.
I’ve since watched as the Internet of Things has become fashionable with the knowledge that the industry’s cavalier attitude towards customer security hasn’t changed.
Now we’re at the stage where script kiddies can launch massive attacks from compromised webcams – God knows what the serious bad guys like state-sponsored actors, criminal organisations and commercial spies are up to with these things – which shows the industry’s robotic chickens have come home to roost.
What last weekend’s events show is we have to demand better security from our technology suppliers. That though comes at a cost – we’ll pay more, we’ll have to sacrifice some convenience and we’ll have to spend time maintaining systems.
Are we prepared to wear those costs? Is the tech industry prepared to move beyond its ‘good enough’ attitude toward security? Are governments prepared to legislate and enforce proper design rules?
We may not have a choice if we want to enjoy the benefits of technology.