New technology is notoriously buggy. Back in 1993, Intel’s new Pentium chip turned out to not be very good at math, fouling up certain division problems past the eighth decimal point. NASA lost an incredibly expensive probe back in 1998 because someone forgot to convert pound-seconds into newton-seconds, causing the $125 million space vehicle to crash into Mars’ atmosphere too fast. Then Apple had a little SNAFU of its own back in 2012, when its Maps app led us down nonexistent roads or insisted we drive off nonexistent bridges.
Last month there was an even more epic failure, which wasn’t any one company’s fault so much as an across-the-board lack of foresight.
On October 21st, New Hampshire-based Dyn came under a massive distributed denial-of-service (DDOS) attack, taking down a host of sites like Netflix, Twitter and the New York Times. Unless you’re an IT professional there’s no need to worry if you’ve never heard of Dyn, but it provides domain registration services and basically acts as the internet’s phone book. When you type in a web address, your browser basically checks it against Dyn’s directory to make sure it’s going to the right place.
While Dyn is generally pretty fast – there’s a barely perceptible moment between hitting enter on that web address and the site popping up – on that day thousands, and maybe even millions (there’s no real way of knowing) of address checks starting coming in every second. The sources of those requests were pretty familiar; your printer, your security camera, baby monitors; pretty much anything that was “connected” could have been complicit in the attack. You can thank the Internet of Things (IoT) for that.
IoT-enabled devices make our lives much easier in a lot of ways, allowing us to keep track of what’s going on at home when we’re away or control our environments to just to name a couple. Because the benefit of a connected device has to be weighed against factors like size, ease of use and power consumption, security can be lacking and, if it is there, either rudimentary or impossible to use.
This particular attack appears to have been accomplished using a bit of malware called Mirai. Mirai basically scans the internet for connected devices that use 62 common default username and password combinations and, when it finds them, takes them over. That creates a “botnet” of compromised devices, which then bend to the hackers will.
There’s understandably a push to improve the security of IoT devices but, again, there’s a fine line to walk. For security to improve, the technology itself really needs to improve. While you could say it’s too little, too late – with billions of devices already connected and more being added every day – I’m not sure that’s something to quibble about. Anything is better than nothing.
Of course where there’s a problem, especially in technology, you can be pretty certain there is someone looking for a solution. I started looking for companies that are working on IoT security and, while I didn’t come up with any “pure plays” that are publicly traded, I came across about a dozen startups. For instance there’s SecureRF in Connecticut, that is developing a cryptographic technology to protect devices that communicate by radio frequency. Or Rubicon in San Francisco which is working on two-way authentication between IoT devices and the cloud. Then there’s Boston-based PWNIE Express which aims to protect pretty much everything IoT.
None of them are quite ready for the Big Board yet, but even before the October attack they had collectively attracted tens of millions of dollars in venture capital funding. Now that the vulnerability has been clearly demonstrated, I definitely expect the pace of investment to pick up and, eventually, those VCs are going to want to cash in.
Needless to say, I’m going to be watching for IoT security IPOs and I don’t think it’s going to be a very long wait.