Experts: Everyday internet-ready devices susceptible to cyberattacks
A recent massive computer hacking incident that blocked traffic to many popular online sites offered just a taste of how bad future attacks could be, a top national cybersecurity expert said Wednesday in Pittsburgh.
Computer criminals turned ordinary Internet-connected devices into a weapon, launching what is called a denial of service attack that prevented users from reaching popular sites such as Twitter, CNN and Spotify, among many others.
With the so-called “Internet of things,” in which basic items such as lightbulbs, refrigerators and coffeemakers are online, hackers have so many more opportunities for attacking victims, said Matt LaVigna, interim president and CEO of the National Cyber-Forensics & Training Alliance. The Second Avenue nonprofit brings together government and corporate computer security experts to track online threats.
“Nobody's thinking about security, and this is a big wake-up call,” LaVigna said. “Even the actors that claimed to have perpetrated it have said that this is just a taste of what's possible, which is true. It's absolutely just a taste. There are so many things connected to the Internet now that, one, don't need to be, and that, two, are manufactured and nobody is speaking up to say there should be security in this.”
LaVigna joined two federal cybersecurity officials from Pittsburgh for a panel discussion hosted by the World Affairs Council of Pittsburgh at The Rivers Club, Downtown. In the discussion, moderated by Andrew Conte, the panelists addressed a wide variety of computer security topics but spent several minutes talking about the most recent high-profile incident.
Unidentified computer hackers Friday targeted Dyn, a New Hampshire company that manages a key piece of internet infrastructure known as a DNS server. The server takes words users submit to access the internet, such as www.triblive.com, and connects them to the website's real, numeric address.
A Chinese maker of surveillance cameras has since acknowledged that its devices and technology had been corrupted to launch the attack. The problem with having so many ordinary devices online is that few people will take the time to update software against vulnerabilities as they are discovered, said Keith Mularski, supervisory special agent in charge of the cyber squad at the FBI's Pittsburgh field office.
A similar problem exists with computers still using out-of-date Microsoft operating systems, but it could become exacerbated with household items as they begin to age.
“With your (Internet-ready) refrigerator, who's taking the time right now to update something that's 20 years old?” he said. “So that's going to make it vulnerable, and that's going to make it an issue as we're going forward that absolutely is going to need to be addressed.”
If even a refrigerator gets hacked, that's a federal crime, said James Kitchen, a national security cyber specialist in the office of the U.S. attorney for Western Pennsylvania. That idea once seemed absurd, but federal prosecutors have a broad definition of what constitutes a computer, and it includes many everyday gadgets, he said.
“What this case illustrates is that just because it doesn't have a screen and a keyboard, that doesn't mean it's not a computer,” Kitchen said. “As far as whether it's your (fitness tracker) or whether it's your refrigerator, those are all computers, and they all connect back to the Internet, and because they do that, they function in many of the same ways.”
From a security perspective, the growing volume of machines creates a challenge, Kitchen said.
But from an investigative standpoint, they all link back to some central controlling system and could leave important clues.
Ultimately, the federal government might need to regulate computer safety requirements for devices sold in the United States, LaVigna said. No one is calling for that kind of intervention yet because the pain hasn't gotten bad enough, he added.
“Nobody is standing up and saying, ‘Enough is enough. We've lost enough money or companies have lost enough money. All of our information has been hacked. Stop,' ” LaVigna said. “Nobody's saying that yet because it hasn't gotten bad enough. That means the train wreck is still out there yet to come to make us say that.”
Andrew Conte is a Tribune-Review contributing writer and the director of the Center for Media Innovation at Point Park University.