The IoT security doomsday is lurking, but we cannot talk about it properly

Something needs to be done to stop the IoT turning into the IoDDoS, but communication with lay people is all but impossible.
Written by Chris Duckett, Contributor

A map of connected devices. | Image: Thingful

As the world rushes headlong into taking all manner of devices and systems online, there are few opportunities to sit back and consider the consequences of these decisions.

Australia had one such opportunity this week as a Senate inquiry heard testimony into how everything went wrong during Census night on August 9.

As a multinational giant had its incompetence and fragility exposed -- and an almost AU$10 million contract turned into AU$30 million in remediation -- a discussion could have been had around outsourcing, getting value for money from taxpayer funds, the steady chipping away at the public sector, privacy implications, and whether an online Census is even a good idea at all.

But, as a quick Google search will show, the coverage focused on cheap laughs about a router not restarting properly, completely missing the main point: the router restarts were only needed because the routers were being hosed as a result of an awful DDoS mitigation strategy put in place by IBM.

A chance to give some much-needed education to the wider public on what a distributed denial-of-service attack is (many machines flooding a target with traffic until it can no longer serve legitimate users, with nothing broken into and no data stolen), and why it is not one of the fabled "hacks" that appear on news bulletins occasionally, was lamentably missed again.

Such education is sorely needed, as regular consumers purchase increasing numbers of smart devices that often have shoddy security and cruise the internet with default usernames and passwords unchanged.

These are the sorts of devices that helped take down Dyn as part of a Mirai botnet. Fingers are being pointed at script kiddies for this attack, and, if true, it shows that the internet is in a far more dangerous and vulnerable place than many thought.

Because if a bunch of script kiddies showing off are able to take out Dyn, and many major internet sites along with it, then picture what a determined state actor could do, especially if paired with the other soft internet underbelly, industrial systems.

If the current trajectory of not doing much about IoT security is maintained, then the internet is headed towards an IoT doomsday that security folks have been warning about for years -- total refrigergeddon.

The approach of letting consumers worry about the security of their own devices has clearly failed. A minority of consumers are capable of knowing what is on their network and of stopping those devices from going rogue, but the vast majority do not have the faintest idea of how to control their network.

In the past week, Singaporean telco StarHub has twice fallen victim to DDoS attacks that caused outages on its network. One of the remedies the telco has chosen is to ask for permission from its customers to have technicians visit their homes and check their devices.

Over the past seven days, we have also seen Xiongmai, a manufacturer of internet-connected surveillance cameras, recall its products after they were found to be part of the Mirai botnet.

As increasing numbers of products and services move from a traditional ownership model to one that more reflects renting than outright purchasing, this may be the path that IoT devices follow.

There needs to be a discussion around culpability and responsibility for when IoT devices take down parts of the internet: Is it the fault of consumers or the product makers, and what should telcos do when they see such attacks on or traversing their networks?

And once that is sorted, how do you handle the same scenario in a world where communications are wrapped in TLS?
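As an added example, not part of the original editorial and not code from any of the companies mentioned, the following Python script shows the kind of check a home router or a telco could run on nothing more than connection metadata to spot a device behaving like a Mirai recruit. Mirai found new victims by scanning the internet on TCP ports 23 and 2323 for telnet services that still accepted default credentials, so an infected device fans out to a very large number of distinct addresses on those ports in a short time. The flow records, the device addresses and the thresholds below are all constructed for this example. Because the check looks only at who talked to whom and on which port, it answers the question just raised: it behaves the same whether or not the traffic after the handshake is wrapped in TLS.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption stated in the lead-in: Mirai-era bots located new victims by
# scanning TCP 23 and 2323 for telnet services accepting default credentials.
TELNET_PORTS = {23, 2323}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a router or ISP flow collector would log it."""
    ts: float   # seconds since epoch
    src: str    # address of the device opening the connection
    dst: str    # address it tried to reach
    dport: int  # destination TCP port


def flag_telnet_scanners(flows, window_s=60.0, min_distinct_dsts=20):
    """Return {src: peak_distinct_destinations} for every source that reached
    at least min_distinct_dsts different hosts on a telnet port within any
    window_s span. Only connection metadata is consulted, so the result is the
    same whether or not the payload after the handshake is wrapped in TLS.
    The thresholds are illustrative assumptions, not measured values."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport in TELNET_PORTS:
            per_src[f.src].append((f.ts, f.dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                       # order by timestamp
        in_window = defaultdict(int)        # dst -> hits inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events that fell out of the trailing window
            while ts - events[left][0] > window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= min_distinct_dsts:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def sample_flows():
    """Constructed sample traffic (not captured data) from a home LAN:
    192.168.1.23 plays an infected camera, 192.168.1.10 a laptop."""
    flows = []
    # Camera: 120 probes to 120 different internet hosts on 23/2323 in 30 s
    for i in range(120):
        port = 2323 if i % 10 == 0 else 23
        flows.append(Flow(1000.0 + i * 0.25, "192.168.1.23", f"203.0.113.{i + 1}", port))
    # Laptop: a few HTTPS sessions plus repeated telnet logins to one switch
    for i in range(5):
        flows.append(Flow(1000.0 + i, "192.168.1.10", "192.0.2.10", 443))
    for i in range(30):
        flows.append(Flow(1000.0 + i, "192.168.1.10", "192.168.1.1", 23))
    return flows


if __name__ == "__main__":
    for src, fanout in flag_telnet_scanners(sample_flows()).items():
        print(f"{src}: contacted {fanout} distinct hosts on telnet ports within 60 s")
```

The laptop's thirty telnet logins to a single switch are deliberately included so that the check keys on fan-out across distinct destinations rather than on raw volume; a legitimate administrator hammering one device is not what a scanning bot looks like, and neither threshold above is tuned for a real network.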

None of this is going to be solved over a few beers at a conference, and it is going to shape the experiences of consumers with technology for some time.

In a perfect world, there would be space and time given to including consumers in the discussion, rather than technology and industry experts heading on down from the mountain with a new set of the IoT rules of engagement.

But that is clearly not going to happen when the high point of technical engagement these days is a "turn it off and on again" joke.

ZDNet Monday Morning Opener

The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which comprises our lead editors across Asia, Australia, Europe, and the US.
