CIS 110 San Mateo Internet of Things and Security Issues Discussion
Question Description
The topic of this discussion is Internet of Things (IoT) and the resulting security issues. What made me think of this is something that happened on Friday, October 21, 2016. That's when 145,000 small security cameras all around the world were maliciously programmed, via a widespread virus, to send numerous phony messages all at the same time to some of the main servers that control Internet communications. Those servers belong to DynDNS (a division of Oracle), a company that provides network communications services to many large online companies. Their servers were so overwhelmed by the onslaught of messages that it caused widespread disruption of legitimate Internet activity in the U.S. Do any of you remember when that happened?
I read an interesting article about this attack, written by Stephen Cobb, Senior Security Researcher at a consulting company named WeLiveSecurity. Cobb's description of this event includes the following quote:
"This made it hard for some major websites to work properly, including Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and the Playstation network. Beyond these high-profile sites, it is likely that thousands of online retail operations were disrupted."
There's a name for the type of electronic attack: it's called a Distributed Denial of Service (DDoS). That type of security problem has been going on for a long time, but the attack last October is believed to be the first one caused by small electronic devices (as opposed to computers). To me, it's almost absurd to think that a bunch of security cameras could shut down a portion of the Internet, but that's exactly what happened.
There are many aspects of this issue, and I'd like to see if I can dissect what happened. I'm sure some of you will have things to add to this discussion, and I look forward to your comments.
First things first. What types of devices are included in the IoT, and how (and perhaps why) are they connected together? Here is an illustration from the Cobb article that depicts the types of things that could have been involved in the DynDNS attack. These include some of the most commonplace electronic devices we have come to rely on for a more convenient connected world.
As I mentioned above, the name for all these connected devices is the Internet of Things (abbreviated as IoT). The name is a perfect definition: it's the use of the Internet (a worldwide network of networks) to connect millions (or more) small electronic gadgets. Of course, this really does provide a great deal of convenience for us and the things we can do. I guess that's why we have connected everything. The concern now is that there are serious security issues that still haven't been completely addressed. That's a problem!
Let's back up for a minute. When the Internet was invented, there was no such thing as a networked baby monitor (just to choose one example of a thing in the IoT). I'm sure an idea like that would have caused a lot of laughter at the time. The Internet was originally intended to connect computers. The engineers who created the plans for the Internet realized that there would have to be some finite number of connections, and they chose that number to be slightly more than 4.2 billion. The actual number is 2 to the 32nd power. (OK, I was a math major, so I can't resist. That number is 4,294,967,296. My kids think I'm a computer nerd, and I guess I just demonstrated that. Sorry.)
Can you imagine being one of those engineers? This was 1974 and they just had to think that there would never be a time when there would be more than 4.2 billion connected computers. Well, the immense network came to include more than just computers and, as we now know, THEY WERE WRONG!
Nonetheless, those engineers were pretty clever. They made up a system whereby each connected computer had its own unique number, and that number would be used by the communications equipment to direct messages to their intended location. That number is called the Internet Protocol address (abbreviated as IP address). We still call it that today, but the technology has improved a great deal since the beginning days of the Internet. More on that in a moment.
But first, here are a couple of related points:
• There's a name for the communications equipment that directs the messages to all the computers in the Internet. The original name was Interface Message Processor. The picture to the right shows one of the original 1968 processors being operated by its inventor, Wes Clark, a physicist who worked at M.I.T. Today, this device is simply called a router. I think of the Internet as a worldwide connection of millions of routers. Without them, none of this would work.
• Each IP address consists of a series of bits, 32 of them to be precise. As I said above, every computer that's part of the Internet has its own unique IP address. Instead of writing out all 32 bits, we abbreviate it as 4 groups of numbers, where each group has 256 possible values, numbered from 0 to 255. (Nerd alert: 256 to the 4th power is the same as 2 to the 32nd power.) Thus, we have an IP address that looks like this:
207.62.235.151
You've probably seen numbers like this before. By the way, I didn't randomly choose the above number. That's the actual IP address for the main server at San Mateo Community College District. When you used WebSmart to register for this class, your communications were directed to that IP address.
Fortunately, we don't have to remember IP addresses; we can simply refer to each networked computer using a domain name, where each name is associated with a specific IP address. That clever idea came about in 1984. It is called the Domain Name System (DNS). You can read more about it on your own in the textbook. By the way, the domain name for that above IP address is smccd.edu. Looks familiar, doesn't it?
The DynDNS company mentioned above is a major provider of DNS services to other companies. That's why the attack on them caused such a major disruption of service.
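The dotted notation described above can be checked mechanically. The following Python sketch is an added example, not part of the original discussion, and its function names are illustrative. It converts between the four-group form and the underlying 32-bit number, and it rejects malformed input such as groups above 255 or groups with leading zeros, which some address parsers read as octal.

```python
def parse_ipv4(text: str) -> int:
    """Strictly parse dotted-decimal notation into a 32-bit integer."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 groups, got {len(parts)}: {text!r}")
    value = 0
    for part in parts:
        # Plain ASCII digits only: no signs, spaces, hex prefixes or empty groups.
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"group is not a decimal number: {part!r}")
        # A leading zero is ambiguous: some parsers read "010" as octal 8,
        # so two systems could disagree about which host is meant.
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"leading zero in group: {part!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"group out of range 0-255: {part!r}")
        # Each group contributes 8 of the 32 bits, most significant first.
        value = (value << 8) | octet
    return value


def format_ipv4(value: int) -> str:
    """Turn a 32-bit integer back into the four-group notation."""
    if not 0 <= value < 2**32:
        raise ValueError(f"not a 32-bit value: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(value: int) -> str:
    """Write out all 32 bits, the long form that the dotted notation abbreviates."""
    return format(value, "032b")


if __name__ == "__main__":
    addr = parse_ipv4("207.62.235.151")  # the address quoted in the text
    print(addr)               # the address as a single number
    print(to_bits(addr))      # the same address as 32 bits
    print(format_ipv4(addr))  # and back to four groups
    for bad in ("207.62.235.256", "207.062.235.151", "207.62.235"):
        try:
            parse_ipv4(bad)
        except ValueError as err:
            print("rejected:", err)
```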
Even though 4.2 billion was a huge number in 1974, it's a serious limitation in today's world. There are actually a lot more than 4.2 billion things that we want to connect. It has been estimated that within the next 2 years, there will be more than 1 million new things added to the Internet every hour! So, something had to change, and it did back in 1990. That's when a group of experts called the Internet Engineering Task Force (IETF) re-defined the meaning of IP address. Instead of using 32 bits for each address, they decided to use 128 bits. They named the new protocol IPv6 (meaning Internet Protocol version 6). This implies that there were 5 earlier incarnations of IP. That's true, but it doesn't have any impact on this discussion.
One more nerd alert: 2 to the 128th power is a HUGE number, namely: 340,282,366,920,938,463,374,607,431,768,211,456
No kidding!
The bottom line: Using IPv6, there are enough unique combinations to connect every blade of grass on the planet (assuming that grass was electronic). Or, as you have probably guessed by now, that means every thing in the Internet of Things.
You can even buy light bulbs that have their own IPv6 address. Those light bulbs come from Philips, and they cost in the neighborhood of $45 each. You can get the starter kit, which includes 3 bulbs and the required control unit, at Bed, Bath, and Beyond for $179.99. Costly, yes, but you can control your lights from any smartphone anywhere on the Internet. How cool is that? As I implied above, there's a price for convenience.
While the Philips bulbs are excellent, there is a huge potential problem lurking in the background (well, now in the foreground). Many of the things that are connected on the Internet have little or no security features. A lot of the companies that make these gadgets want to manufacture them as inexpensively as possible, so they bypass the security options that exist in the major computer operating systems. You can bet that a lot of baby monitors don't include a firewall!
That leaves the things vulnerable to malicious software such as viruses and worms. Back in October 2016, that theoretical issue became a reality. The DDoS involved is universally acknowledged as the largest such attack, at least for the time being. One of the IoT electronics manufacturers whose products inadvertently played a role is Chinese firm Hangzhou Xiongmai Technology. Their products include Internet-connected cameras.
Most Internet security experts say there's more to come. This is the modern-day version of warfare (the pundits call this cyber-warfare). My fear is that the DynDNS attack could be viewed as a proof of concept for some nefarious organization, and a future attack could disrupt a lot more than the October 2016 one did. I hate to be pessimistic, but that's the reality of the situation.
All of this means that we need to pay attention to the security risks here and become much more vigilant than we are now. Do you think the average consumer even knows what this is all about? Are you going to be more cautious when you're done with this class? I think your comments are going to be very interesting.
To finish this portion of the discussion, here's the final quote from the Cobb article:
"What is the bottom line on the 10/21 IoT DDoS attacks? I think it is this: we have been shown just how vulnerable the Internet, which is now an integral part of the critical infrastructure of the US and many other countries, is to disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable. Until this vulnerability is addressed, it will cast a serious shadow over the future of connected technology, a future in which much hope and massive resources have already been invested."
Sources of information:
The article by Stephen Cobb can be found at: https://www.welivesecurity.com/2016/10/24/10-thing…
Also, another interesting article on this topic was written by Steven J. Vaughan-Nichols, a contributing editor for ZDNet. It can be found here: http://www.zdnet.com/article/the-dyn-report-what-w…
Here's an article from The Hacker News about Hangzhou Xiongmai Technology: http://thehackernews.com/2016/10/iot-camera-mirai-…