Last year in September when a couple of hackers wirelessly controlled a Cherokee Jeep, they demonstrated how the ‘connected’ world we live in today can become a nightmare with the proverbial ‘flick of a switch’ or as in this case by injecting malicious code in an otherwise normally functioning machine. The matter was hushed up by Chrysler after releasing a software patch for the affected model and the hackers landed a job with Uber’s Advanced Technology Centre! A case of all’s well that ends well maybe? Definitely not.
Breaking the internet, literally
Couple of weeks back, services of websites like Twitter, Facebook, Netflix, Airbnb, Reddit and The New York Times went down across the world when a distributed denial of service (DDoS) attack took down internet infrastructure provider Dyn. Investigation into the attack revealed that it was engineered by a botnet (a temporary network of ‘dumb’ devices controlled by a malicious code) created using the Mirai bot. Mirai is a program that helps attackers to search for devices over the internet that are using ‘default’ passwords, the attackers then gains access to these devices for their own bidding and uses them to send repeated requests to a target website/service provider leading it to eventually crash due to overload.
The Dyn attack is not an isolated incident as attacks using bots like Mirai have become increasingly frequent this year. In September, French hosting service OVH was targeted by a IoT botnet composed of 1,14,607 compromised digital video recorders and IP cameras, in case of Dyn this number is estimated to be of about a lakh of such compromised devices. In fact some security researchers believe that the comparatively lesser number of compromised devices used may point to this been a trial run by cyber criminals. The possibility of a more powerful attack in the future is undeniable because the developer behind Mirai has released the malware’s source code along with step-by-step instructions on how to use it in public domain.
Security in collaboration
Ideally, having seen the potential for catastrophe, the manufacturers of IoT devices should take steps on their own to boost device security. But that isn’t likely to happen as IoT devices are price-sensitive and investments in security increases costs. The competition to bring out a product into the ever crowding niche is strong enough to push security and data privacy concerns in the background. Collaboration is one of the ways forward, as shown by the Allseen Alliance, an industry group consisting of around 170 members including Haier, Panasonic, Qualcomm and Microsoft. The alliance has come up with ‘AllJoyn’, a collaborative open-source software framework that makes it easy for devices and apps to discover and communicate with each other. AllJoyn is manufacturer and OS independent, facilitating direct communication over Wi-Fi or Bluetooth protocols. If more manufacturers are compliant with these standards it will push low quality devices to be off the consumer’s choice lists. The Open Connectivity Foundation is also engaged in developing standards and certification for IoT devices. It has sponsored a project called ‘IoTivity’ whose goal is to create a new extensible, secure and robust architecture that works for smart devices globally. Adopting a ‘Security in Design’ approach for IoT devices would go a long way in preventing repeats of Mirai bot attacks in near future.
Sharing responsibility for ‘Everything’
According to Gartner, the Internet of Things is slated to reach 6.4 billion installed devices by the end of this year and would continue to grow at a phenomenal pace to reach 21 billion devices by 2020. Each one of these devices will be a node that will generate, transmit or process end user data. A very large chunk of this data will be personal in nature (health records, financial transactions, location etc.) making it a prime target for attackers with malicious intents. Fine tuning existing data collection and privacy policies is thus the need of the hour. End users will need to have control over what information to share, with whom to share and a clear knowledge of recipients of this information. Further, there needs to be active user education that makes her aware of the choices.
This should be supplemented by a shared liability regime between software developers, device manufactures and insurers. Lengthy and complex end use agreements that practically disown any liability for the developers need to be replaced with ones that actually define the liability while being user friendly in draft and execution. When manufacturers and developers own up on the legal responsibilities for security and privacy breaches it will increase end user confidence in adopting the Internet of Things.
Regulating smart devices
Lastly, governments need to work on regulatory framework to oversee this process. This would include dusting the cobwebs off ancient technology laws and aligning them with the changes in the Internet landscape. User privacy concerns and secure designing should be integrated in charters of respective standard setting organizations within respective jurisdictions. Further, the process of establishing a shared liability regime can be pushed through by legislation if market dynamics are hindering its uptake. Policy documents that address these concerns need to be widely discussed and debated in public domain. The Indian government is yet to formalize its IoT policy after it released a draft in public domain last year. The draft in its present form pays mere lip service to the aspects of data security and user data privacy. For a government looking to move towards net zero import of electronic products by 2020 under its Digital India initiative, codifying its IoT policy should be a top priority.
Openness, anonymity and the lack of government regulation are the principles that have led to the growth of the internet that we know today. But the advent of IoT has ensured that the same idealism that built the internet now threatens it by exposing it up to infrastructure crippling attacks. Standard setting for IoT devices needs to be extended as a measure of user safety. If there are standards so that devices don’t catch fire or give an electric shock to the user, would it not be right to expect devices that are not easily compromised by hackers? If we fail to do this now, then we should not be surprised if we hear about a botnet bringing down a power supply network using your smart refrigerator as a bot in the not so distant future.
(The author leads the digital policy team at The Dialogue, an online policy analysis portal. Views expressed are personal.)