Cyberwar (2016) s02e05 Episode Script

The Internet of Things Apocalypse

BEN: A tsunami of insecure devices floods the internet.
Venture capital is just injecting massive amounts of money into the IoT craze.
Teenage hackers take down the web's biggest sites.
They have access to the same tools as nation states.
With millions of new smart devices coming online daily...
We're very nervous about the impact this has on the internet as a whole.
...the threat to us all is now real.
It can't be unfixable and immortal.
From wireless printers to smart baby monitors to Bluetooth-enabled coffee makers, 5 million new devices are hooked up to the net every single day.
Controlled by your smartphone or computer, these products make up the Internet of Things, or IoT, and with them comes the promise of unbridled convenience.
What people don't realize is 80% of them have weak to no security.
In essence, super hackable.
So I don't really trust the Internet of Things 'cause of the risks it poses to me personally, but also something like a stove could be hacked by a hacker and burn down your house, or it could be used to get into your network 'cause it has bad security.
Or it could be part of some sort of zombie botnet that takes out one of your favourite websites.
So the question is: are we setting ourselves up for the internet apocalypse? (ALARM BLARING) I can describe how messed up the Internet of Things is, but the IoT threat was really made tangible during the second season premiere of the USA Network drama Mr. Robot.
(ALARM BLARING) A woman comes home to find all of her smart devices taken over by hackers.
Lots of people think this is sensational, but it's not.
With the explosion of IoT, the threat of your own tech being turned against you is no longer science fiction.
Is the added convenience really worth the risks? To find out, I'm in the Bay Area to meet Ben Actis, a legit engineer who gets paid to hack IoT devices for companies.
So we could do it a couple ways.
We have a screwdriver here, we could pop this, or if you wanna just go completely Hannibal Lecter, we could shhk.
(LAUGHING) This is getting a weird Yeah, this is getting pretty weird pretty quick.
Poor bastard's getting the cut job.
Yeah! - Ta-dah.
- Well done.
So the idea of this little IoT CloudPet is children will talk to it, sing to it.
The problem with CloudPets was all these recordings, it was sent up to their web API.
Completely public, anyone could grab, which is bad.
That's the creepy thing.
It's super creepy, right? Yeah, it's sketchy.
Doesn't it kind of remind you of some weird, like, Soviet, Cold War era device? Oh, the spying on a little It's like very much a spy thing.
You're like, "You know what's inside your teddy bear?" Yeah, that, but that's what we're moving to.
All these devices I mean, look, this teddy bear was a regular teddy bear before CloudPets, right? Just someone was like, "Oh, I have a brilliant idea. We'll put a mic in it, we'll make a mobile app." And they just shoved it in the bear's bottom.
And would you say there's a big difference between, you know, what they put inside a teddy bear and what they put inside a stove top, or No, there's not a big difference, and that's the terrifying thing.
If someone can reverse engineer how your stove works, right, and wants to disable fail safes, right, or provide false data, that's a big issue.
Actis and I went to a furniture store to see some of the IoT devices currently on the market.
So obviously we're in a furniture store.
I mean, how many different types of devices are you seeing have smart capabilities? Tons.
Okay, there's dishwashers in here.
There's IoT stove tops, ovens.
I mean, what's to stop a bunch of kids It's almost like the 2017 version of egging a house.
From like just screwing with somebody's stove from Yeah, no, that's completely valid.
And also, I think the scariest thing is there's no way of checking integrity, or if someone has messed with it.
So even if you can clean a phone or a PC, right, how am I gonna scan if my oven's firmware's integrity is okay? So far, the most visible damage caused by the Internet of Things has come from botnets.
Put simply, an IoT botnet is a cabal of hacked devices, all infected with the same malware and controlled in unison by a single hacker.
With a botnet, an assailant can program those hacked devices to launch a Distributed Denial of Service, or DDoS attack, that floods their victim with so much junk internet traffic it forces them offline.
A massive international cyberattack that took down some of the biggest websites on the internet! The sites were out for several hours this morning in the eastern part of the United States.
By the afternoon it had spread to Europe, and among the websites were Twitter, Amazon, Netflix, and Reddit.
This attack from September of 2016 was unleashed by hundreds of thousands of Internet of Things devices, hijacked to form the biggest botnet ever assembled.
The botnet, named Mirai, demonstrated the risks of IoT, but it wasn't the first time Mirai had surfaced.
A month earlier, the same IoT botnet had been used in a DDoS attack on tech reporter Brian Krebs as retribution for his exposing the identity of a pair of Israeli cyber criminals.
So the botnet that attacked you, what was in the zombie computer army that was directed your way? I think it was about 250,000 devices in the bot that hit my site.
The vast majority of those were digital video recorders, DVRs, and security cameras.
So just stuff taken over on the Internet of Things? Exactly.
The threat from poorly designed Internet of Things is probably the biggest cybersecurity threat we have facing us.
Most of these devices are running Linux, versions that were 10, 15 years old.
In an article from January of 2017, Krebs lays out how Mirai, the largest botnet of all time, was not the weapon of some powerful nation state, but was likely being controlled by a couple of teenage hackers in New Jersey.
People ask me, you know, what do you think are the chances that somebody's gonna take out the lights? You know, take out the power grid or something in a cyberwar? And I always say first time we see that happen, it's not gonna be a nation state.
It's gonna be some bored idiot savant kid in his parents' basement who gets access to some place he's not supposed to have access to and says, "I wonder what happens if I push this button?" Boom.
They have access to the same tools as nation states today, and they have fewer reasons not to use them.
The individuals involved in this type of activity were raised by the internet.
(LAUGHING) Which explains a lot.
These guys are starting to do criminal activity when they're 12, 13 and 14 years old.
These kids get drawn into these online communities.
They get involved in identity theft, they get involved in credit card theft.
And left to their own devices, I believe these forums generally turn people into sociopaths.
The Mirai botnet literally took out Twitter for a time, but these teenagers didn't build it just to take out Netflix.
So why did they create such a powerful cyberweapon? For that answer, I have to enter the dank subculture of the online video game Minecraft.
BEN: I'm in the Bay Area looking into the threat posed by the millions of vulnerable IoT devices coming online daily.
The dangers of the Internet of Things first made international headlines when the Mirai botnet took down a bunch of the web's biggest sites.
Launched by a couple of underage hackers, the attack proved teenagers in New Jersey can wield cyberweapons as powerful as nation states.
Funny enough though, that weapon wasn't made to take out websites.
It was initially made to force gamers offline.
So let me get this straight.
The thing that took out parts of the internet Yeah.
this massive DDoS attack Mm-hmm.
was essentially incubated to attack Minecraft servers? Yeah, that's basically its main purpose.
This is Robert Coelho.
At the mature age of 12, he and his friends built a Minecraft server, allowing them to play the popular video game together online.
What started as a hobby became a business, and soon strangers were paying to play Minecraft on Robert's network.
Then they started getting DDoSed by an early version of the Mirai botnet.
So you had these bad Minecraft servers which attacked other ones to gain a competitive edge in the market, right? So the ones basically that would be making lots of money, they'd shut down other ones that they were competing against so that all those players would then go over to the other server.
That's basically how it works, exactly.
The hackers directed the Mirai botnet to knock Robert's server offline.
Frustrated clients who couldn't access the game would leave Robert's server and sign on with the Mirai makers.
But Robert wasn't cool with that, so he started a new company that provided Minecraft servers protection against these attacks.
So you came up with a DDoS mitigation platform yourself? Right, so basically And how old were you when you did this? I was like 14 years old.
(LAUGHING) Yeah.
You were 14 years old when you started doing this? Yeah, definitely.
(LAUGHING) We needed to do it.
I was egging houses when I was 14.
I was not making DDoS mitigation Yeah.
And are you still doing this business? Yeah, we still sell the service today.
Like And you're raking in thousands? Yeah, it's very lucrative.
(LAUGHING) - And how old are you now? - I'm 19.
So the people going after you are the same age as you.
So it's kind of this adversarial, dark versus light, kinda weird Yeah, Minecraft's making a lot of really skilled programmers.
So the Internet of Things is making us vulnerable to teenage hackers using botnets, but are IoT botnets something governments would ever use? Like a lot of things in life, I turned to Google for the answer.
And to learn how big a threat DDoS really is, I'm meeting Damian Menscher, Google's expert on DDoS defense.
Now, coming from you and the perspective of Google, what are the major concerns surrounding DoS attacks and botnets and IoT? From Google's perspective, we're large enough that we think we can probably absorb everything, but we're very nervous about the impact this has on the internet as a whole.
You know, we want people to be able to trust that the internet is always there, that it's accessible.
We want small sites to be able to exist.
DoS attacks are largely used as a method of extortion.
It's a financial difficulty for a small site to survive.
And so we're a little bit concerned about the risk of DoS attacks disrupting the free flow of information on the internet.
I mean, I've heard that DoS attacks, a really great one could quote-unquote "take out the internet".
It's somewhat unlikely that a DoS attack will intentionally take out the internet.
That said, there can be accidents that take out portions of the internet.
Have you ever seen any evidence of nation states using DoS attacks? There was a case in this was probably 2012, where there was an attack called Brobot that used compromised servers, and it was largely used to attack US banks, so financial institutions in the US.
This was later attributed by the US government to the country of Iran, and probably other countries will realize that this is an opportunity for them and do the same.
What's the big fear for you going forward? IoT is sort of changing the game, because now you have even more devices, but they're not managed at all.
And this is affecting security on the internet.
You know, recently there was the case of an internet-connected dishwasher.
I was trying to figure out why would you need your dishwasher to be connected to the internet.
Like what benefit do you get from that? And this had some vulnerability.
Well, the user isn't going to realize that that even has an internet connection, or you know, this need to be patched.
And so it's never going to be updated.
I agree with Damian.
Do we really need Wi-Fi enabled dishwashers? Even so, the Internet of Things is exploding, and it's not going away.
And if the only thing we really need to worry about is botnets and DDoS attacks, it's manageable.
But it's not.
In fact, I found other IoT threats that are far more insidious and way more personal.
BEN: This is San Francisco, where I'm looking for answers on the threats posed by the Internet of Things.
So far, the highest profile victims of IoT are major websites like Netflix and Twitter, taken offline by an IoT botnet in a DDoS attack.
But the truth is you don't need to be a multi-billion dollar Silicon Valley goliath to fear the rise of IoT.
The issue with the whole IoT world and what's freaky and scary is that there's the great unknown out there.
Morgan Marquis-Boire is a cybersecurity legend, plain and simple.
He's also an expert in how acronym agencies around the world use cyberweapons.
Do you think IoT has made all of us more susceptible to nation state offensive actions? More vulnerable to anybody, right? I mean, you're maybe more vulnerable to angry kids running Minecraft servers.
Is the Internet of Things making us less secure? I mean, the answer is almost definitely.
But I guess a further question is: do we care? You're probably not thinking about security when you're, "I want that bomb smart TV." You just wanna watch the game with your friends while you eat hot wings.
We all need to start thinking about security, because if you're going to have a smart lock on your front door, the reality is it's more than possible to hack and then physically enter your house.
Or to use those same IoT locks as a virtual gateway into your network, then move to your mobile phone or computer or tablet and gain access to your entire life.
One of the things that personally worries me, right, is that it has become cheap enough to produce tiny computers to control all matter of devices, from Barbie dolls to televisions to watches to fitness monitors to light bulbs, um Teddy bears.
Teddy bears, right! I want as few remotely controllable listening devices around me in my house as possible! So with everything from like a teddy bear to my fridge is being produced in a way that is insecure, I mean, whose responsibility is it? Who is at fault here, or who should carry the liability, and that's a loaded word, right? 'Cause liability suggests law and money.
- Payouts.
- And payouts, right? And you know, the technology industry isn't that into the idea of self reliability, because you know, we'll stifle innovation.
It looks as though we might possibly be moving towards an era where we need someone to be culpable, you know, if the insecurity of devices causes widespread problems.
But it's really important that we fix the obvious problems in these technologies before they're widely deployed, because by the time I need that heart monitor, I I would like it to be incredibly difficult to mess with.
Morgan's not the only one who would like to see better security from the Internet of Things.
It's already a huge issue for US corporations losing hundreds of millions every year to IoT breaches.
Justin Fier used to work with US intelligence extensively.
Nowadays, he's a director for Darktrace, a security firm on the frontlines of IoT security.
So first thing, I ask a customer how many devices they expect to see on their network.
And 100% of the time, they underestimate it by almost 15 to 20%.
And of those underestimated devices, it's typically IoT devices.
All of the TVs in the conference rooms, the thermostats, the vending machines, et cetera.
So for instance, we have a client here had a fingerprint scanner.
And what happened was that scanner all of a sudden became internet exposed.
We then started to see unusual activity between the scanner and the database server that keeps all the fingerprints.
What kind of target was this? I can't say what industry they were in, but it was a highly secure facility.
And when it comes to IoT, you have anything that can be exploited and owned.
I mean, if there's a camera in something, can you own the camera and then Absolutely, yeah.
We actually And one of our clients found one of their video conferencing systems.
They turned the microphone on and recorded the calls for about two weeks.
And this was actually in the Board of Director's conference room.
So try the most sensitive discussions within the company.
I mean, how many more devices have just popped up on networks period? Hundreds of thousands of millions.
I mean, if you look at the current climate right now, venture capital is just injecting massive amounts of money into the IoT craze.
I'd say every connected device on your network is a potential doorway into your company and your network.
I think if you wanted to foreshadow and look into the future, we'll look at ransomware.
It's been wildly successful.
I kinda think that the two are gonna converge.
I think we're gonna move from the virtual world to the physical world, and that's kinda scary.
And eventually somebody's gonna find a way to lock you out of your house until you pay a ransom.
I think part of the problem in terms of making people understand just how insecure all these devices are is that they think that these wild examples aren't possible.
Right.
(LAUGHING) But they totally are.
I would say anything you've seen on TV is actually possible.
Having your company's secrets stolen or board meeting spied on is the antithesis of convenience promised by the Internet of Things.
Are there any fixes to these problems? You might think I'm headed to more tech whizzes in California for the solutions, but instead I found some of the answers in the pastures of Rhode Island.
BEN: Like it or not, the Internet of Things is making us all more connected.
And that also means that with the added convenience of IoT comes serious risks.
What do you think should be done with all these devices lying around then? The fix is device manufacturers need to ensure that their devices have at least basic security, and also a way to automatically patch themselves so that if a security flaw is detected in the future, that they can fix that flaw.
We have a tremendous amount of hardware makers that are just pushing out hardware and letting somebody else design the software.
They tend to have very, very poorly written software powering the devices.
Brian Krebs and Damian Menscher's solution lies with the manufacturers, but Justin Fier of Darktrace believes the answer is with machine learning and artificial intelligence, using algorithms to monitor the flow of data on your network.
So unfortunately, what we've been doing for the last 5 years is just not gonna work anymore, which is really why I think companies need to start adopting new technology.
So the only answer to all of this is really machine learning AI? Yeah, I mean, I hate saying it because it's a buzzword that's being thrown around quite a bit, but there is a lot of power there.
And that's why technology like machine learning is just absolutely required in order to detect these sort of things.
Justin Fier isn't the only one who thinks our future is in the hands of the machines.
Dan Geer is possibly the world's most respected voice in cybersecurity, period.
The Central Intelligence Agency tapped him to be the Head of Information Security for their tech firm, and he IDed the threat posed by the Internet of Things over a decade ago.
I met with him at his horse farm in Rhode Island, a setting as disconnected from the world of smart devices as you can pretty much imagine.
Having algorithms to protect you from algorithms is the future, I suspect.
I'd rather have an analog circuit breaker than a digital one.
In the year 2000, there was a big to-do about whether when the clock struck - Y2K.
- Y2K.
If when the clock struck midnight, would the elevators stop running, or the planes fall out of the sky or whatever? I remember quite vividly the head of the water department in New York said, "We don't have a problem. We still have valves and we know where they are." Can imagine if it was a bad thing.
Somebody would be out climbing into a hole with a big-ass wrench and cranking a valve open or shut.
The ability to do that is I think a a prudent requirement for going over to a dependence on the Internet of Things.
We certainly will see it, I think, that on a day-to-day basis it will make life much better.
If it ever comes completely apart, it'll make life much worse.
Do you think it's the Internet of Too Many Damn Things at this point? Not yet.
It's gonna be.
If you want me to pick something that I view as somewhat scary is the vehicle-to-vehicle communication for the auto-driving cars that would allow them to stack up thicker on the highway.
And as such, you get a free, if you wanna call it that, free expansion of roadway capacity.
Think about it, it's just irresistible.
Yet at the same time, that all works until the day it doesn't.
Nothing comes for free, so what is all this convenience costing us? I asked Dan what we're giving up as our world becomes more interconnected and complex.
Remember, the thing about complexity is that because risk is proportional to dependence, you're only at risk of things you depend on.
The thing about complexity is it hides dependencies.
If you put a device on a network, I think you have to make a choice, and I only think there are two alternatives.
One is it has to have a remote management interface so that it can be modified, turned off, upgraded, something.
That's one option.
It can be reached, you know where it is, you can fix it.
Or if it can't be reached or it can't be fixed, it can't live forever.
It has to have a finite lifetime.
So what you're saying is the IoT devices that are being built today, you think that they should be built in order to die at some point? It can't be unfixable and immortal.
The two of those together are anathema.
In our quest for convenience, we've created an insecure future, with teenage hackers just as dangerous as powerful nation states.
Dan Geer is right.
We need to rethink how these IoT devices are being built.
But without pressure, manufacturers will never be motivated to care about security.
The pressure can come from consumers, or it can come from government.
Either way, one thing's for sure: until something changes, the risks to all of us are only going to get worse.