Fix crap Internet of Things security, booms Internet daddy Cerf
Don't just fling unsecured open source OSes at world+dog, father of the Internet begs
Vint Cerf, one of the fathers of the internet, has weighed in on Internet of Things security, warning that a Mirai botnet-style incident could happen again unless vendors start taking responsibility for their goods.
“The biggest worry I have is that people building [IoT] devices will grab a piece of open source software or operating system and just jam it into the device and send it out into the wild without giving adequate thought and effort to securing the system and providing convenient user access to those devices,” Cerf told the Association for Computing Machinery (ACM) as part of a panel to celebrate 50 years of the Turing Award.
Such fears have been expressed time and again by both security and IoT advocates. Cerf highlighted the impact of the Mirai botnet, which was used in a DDoS attack that leveraged millions of unsecured IoT devices to attack DNS servers operated by US outfit Dyn.
The result was that large chunks of the internet disappeared from view. Dyn’s DNS services were used by a number of large and popular sites including GitHub, Netflix and Reddit.
“We saw the Dyn attacks coming as a result of a lot of webcams being hacked, and the hacking was trivial,” Cerf, nowadays employed by Google as its “chief Internet evangelist”, continued. “Either they had no access control or they had a well-known and publicized username and password. So, I consider that kind of thing to be irresponsible. And companies looking to make their brands attractive are going to have to pay a lot more attention to security and privacy and access control if their users are going to endorse their products.”
Cerf also balked at taking the mickey out of the fad for adding internet connectivity to anything and everything (such as toothbrushes), saying: “I’ve sort of given up ridiculing Internet enabling of things because I’ve discovered that, even if it sounds crazy on the surface, there may actually be something useful arising.”
He added: “Let’s just stick with internet enabling of everything, but on the other side of that, let’s make sure that when we do that, we think our way through the security, safety and reliability of the systems.” ®