SXSW 2018 Recap: Is the Future of IoT as Scary as It Seems?

March 21, 2018 - 8 minutes read

Just how scared should we be of the Internet of Things (IoT)? It’s hard to say. Recent cybersecurity threats like Mirai have caused the news to paint the future of IoT as an unsafe hackathon free-for-all.

In his recent SXSW 2018 presentation, “Internet of Scary Things: Botnet in a Box,” our CTO Rob Pope separated fact from fiction by diving into what exactly happened during these now-infamous botnet attacks and giving a live demonstration of how they occur.

In case you missed the event, or you’re worried that Alexa is listening, or if you’re scared that your laundry machine is watching you, don’t worry, we’ve got you covered. Read on to find out.

There and Back Again

Rob Pope’s a man of many talents. He’s a four-time entrepreneur and software engineer who decided to switch to the other side after an extensive tenure in the cybersecurity field. As he puts it, when he “got a little bored of breaking into things, he decided to make them instead.” He co-founded Dogtown Media in 2012 and has been absolutely integral to the success of the L.A.-based development studio since its start.

Rob’s got a mind primed for tinkering, and it shows: To date, he’s helmed the launch of over 100 digital products. He’s always experimenting; two of his current side-projects are a self-driving remote car and hacking radio-finding software to emulate gate openers like key fobs and garage doors. On that note, while he may spend most of his day as a maker right now, he still very much has a security mindset.

Old habits die hard, and the overwhelming headlines about IoT security became irresistible to investigate.

Sifting Through the Hacking Hysteria

Rob’s seen his fair share of fearmongering; it was one of the primary reasons he decided to pivot from security to digital products. But the plethora of IoT threats making the media rounds couldn’t be ignored.

In September 2016, Bashlite, a malware that hijacks Linux systems to launch distributed denial-of-service attacks (DDOS), struck fear into the hearts of IoT device owners everywhere. Then, like a sequel trying to up the ante on the first movie, Mirai arrived. This malware hijacked networked Linux devices and turned them into bots, which could then be used in mass-scale network attacks.

After recruiting hundreds of thousands of devices like DVR players and security cameras, Mirai caused widespread internet outages across the eastern United States. And nevermind the fact that these two devices were around long before “IoT” became a buzzword; both were things, and both were connected to the Internet. That was all that was required for the media to have a field day.

Botnet in a Box

Is your washing machine coming to get you? Is someone with insidious motives changing the thermostat in your house? I’m watching the TV… but is the TV watching me?! These questions have taken on a whole new meaning in the post-Mirai era, and Rob wanted to get to the bottom of how accurate this picture was.

Luckily for him, the creator of Mirai open-sourced the malicious code. Unfortunately for Rob, it was released without instructions. After a few weekends of hacking it out and piecing various code repositories together, he finally got the botnet to work. But there was no time to celebrate — it was immediately apparent how inherently dangerous the botnet was.

Essentially, it takes random IP addresses on the Internet and tries to connect with them to spread itself. To address this, Rob “sandboxed” it in his “Botnet in a Box” Mirai demo: with a rack of five Raspberry Pi devices, his laptop as the command and control center, and a private network to connect them on, Rob could simulate a denial-of-service (DNS) attack.

With a single command, Rob could infect one Pi. Within moments, not only would all of the other Pis be infected, but they had overflooded Rob’s laptop and rendered it inoperable.

Mind the Gap

Rob’s demonstration at SXSW 2018 showed off the power some of these malicious programs can have, but to understand the gap between the news and reality, context is needed. Sure, these attacks are sophisticated. And yes, pretty much anything can be hacked, given enough effort and time (and coffee). But to understand why everything isn’t being hacked, you have to start with the “why.”

The monetary motivation for hacking a smart fridge just isn’t the same as hacking a bank account. The majority of criminals want your money, they’re not interested in watching you eat popcorn while you binge Netflix. Not every device has a great use for this purpose. This is why you can read about a multitude of ways to hack cars but never see reports of drivers having their cars automatically drive off the road. And of course, the cybersecurity and IoT industries aren’t exactly complaining about the hype — it generates astronomical amounts of attention for them.

While Rob contends that the chasm between reality and news is quite wide, it’s still prudent to protect yourself. After all, there is still a degree of risk. Gaining an understanding of what the attacks are possible of doing and why someone would want to employ them is a great place to start. Besides this, Rob recommends a few actions for IoT developers and enthusiasts:

  1. Remove any unneeded services that you don’t need to be running all the time.
  2. Drop your default accounts and ensure your password is strong.
  3. Do not put things directly on the Internet.
  4. Use firewalls.
  5. Encrypt everything!
  6. Use certificate-based authentication on your devices.
  7. Update your software regularly.
  8. Run services with lowest account permissions possible.
  9. Limit updates to signed firmware only.
  10. Disable all unnecessary physical ports.

Stay safe out there! We hope this gave you a better understanding of the hype and reality of IoT security.

Tags: , , , , , , , , , , , , , ,