Juha Saarinen: Switch off the internet of totally insecure things

When the DNS dies, so does the web which is the internet for the vast majority of people. Photo / 123RF

If you were online over the weekend, you might have noticed that people in the United States and Europe complained that some sites were gone from the internet.

Some of the most popular sites in the world, like the BBC, The Guardian, CNN, Twitter, AirBnB, SoundCloud, and many others were affected by an attack that went beyond anything else in the past, and which silenced a large part of the world wide web.

It was another massive denial of service attack that bombarded internet servers with large amounts of junk queries and responses that tied up network capacity and system resources that caused the outage.

This time the attack was different as it focused on Dyn, a company that runs managed domain name system (DNS) services for large sites around the world.

DNS is the internet directory that translates a numeric network address like 203.99.67.67 to nzherald.co.nz.

When the DNS dies, so does the web which is the internet for the vast majority of people.

Last weekend's attack succeeded in just that, and it's made everyone sit up and take notice - which is a good thing.

The losses incurred by the companies whose sites were unavailable during the attack are considerable, an estimated US$110 million.

We don't yet know who unleashed the torrent of traffic towards Dyn. Julian Assange took credit for inspiring it as Wikileaks fans thought the he had been assassinated (he hadn't; the Ecuadorean embassy in London changed the wifi password to disable his internet access).

Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point. pic.twitter.com/XVch196xyL

— WikiLeaks (@wikileaks) October 21, 2016

If that's true, then it would be comical that his own supporters shot Assange in the foot by taking out his publishing platform, the internet, in the country that he wants to influence the most, the United States.

What we do know is that the attackers used two botnets of networked devices infected with the Mirai and Bashlight malware. The devices are mostly closed circuit surveillance cameras that have essentially no security so that just about anyone can commandeer the small computer systems inside them.

Worse, there's no practical way to patch or secure the cameras and many other of the hundreds of millions of devices left wide open to anyone on the internet.

There's no excuse for Internet of Things device makers and vendors to ignore security.

The evidence is in now: this lackadaisical approach to security is dangerous, and will cause damage and financial loss.

There's no excuse for Internet of Things device makers and vendors to ignore security. Apple was able to make its HomeKit IoT platform encrypted and secure to keep bad people out of them.

Other makers must be made to follow Apple's example, because the number of networked devices will continue to rise sharply. If nothing's done, these become weapons that criminals can use to disrupt, destroy and blackmail the internet and its users with. At a minimum, vendors should be made to show that their devices can survive being connected to the internet, through a government certification scheme.

Unfortunately, we won't have switched off the Internet of Totally Insecure Things before Assange loses his internet access again and goes quiet, so expect more large-scale outages in the near future.