Latest cyber-attack shows the Internet of Things is still a Wild West

A Chinese electronics firm has recalled several models of webcams that were used as part of last week’s Internet of Things hacking spree that took down sites including Reddit, Twitter and Spotify.

In what is referred to as a distributed denial of service attack (DDoS) – hackers took advantage of devices where the password is built right into the firmware, making it difficult or impossible for the average person to change – and used those devices to flood popular sites with traffic, overwhelming them and locking out legitimate users.

The key target of the attack was Manchester, New Hampshire-based Dyn Inc., an Internet performance management company, a switchboard of sorts for sites like Spotify and Twitter.

No one has come forward to claim responsibility and the authorities have yet to figure out who is responsible for the cyber attack, which effected parts of Canada, the U.S. and Europe. But Xionmai, which makes parts for surveillance cameras and recorders, wrote on its blog that is would be recalling 10,000 or so of its earlier products, bolster password functions and pass along a patch for products made before April last year.

The company’s statement accompanying the recall was cryptic at best, with Xiongmai saying that the main catalyst for the hack was users not changing their default passwords.

“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company wrote on its blog according to Gizmodo.

But Dr. Ann Cavoukian, the current executive director of Ryerson University’s Privacy and Big Data Institute and the former Information and Privacy Commissioner for Ontario says the company’s response points to a wider issue surrounding security practices.

“Of course the user should put their own password,” says Dr. Cavoukian. “But you can’t expect the consumer to be the one who is going to carry the bulk of the security-related protection for their data – companies have to generate that themselves.”

Failing to do so could cost companies with inadequate protection of consumer data to hemorrhage customers. Especially given that the threats to Internet of Things devices is growing. She points to a report by well-known cryptographer Bruce Schneier, who noted an increase in DDOS attacks.

“Over the past year or two, someone has been probing the defences of the companies that run critical pieces of the Internet,” he wrote. “These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.”

The challenge, Dr. Cavoukian admits, is there’s not a lot consumers can do short of changing their passwords often and knowing the threats before they opt-in to any Internet of Things service or product.

“This is the harm of the early development of this stuff – nothing is nailed down in terms of privacy and security,” she says. “Don’t think smart devices are smart, they’re not, and until we get this right, until security and privacy is embedded into these devices, until you, the consumer, are in control of what information is going to whom – beware of all things connected.”