Why Cyber Security Experts Are So Worried About Malicious Toasters

"To say that it couldn't happen to us would be ridiculous."

Jason Porter gives off the confident vibe of someone who has been through tough situations and come out on the other side. That’s not surprising, given his former life as an Army tank officer. Last week, as internet users up and down the East Coast were collectively losing their minds over their inability to access Twitter, Netflix, the New York Times, Spotify, and dozens of other popular sites, Porter — Vice President in AT&T’s cybersecurity consulting arm — was trying to stay calm.

“I was in the office, on Friday, when it happened. My team came in and told me about the situation,” he told Inverse this week. His first response was a “desire to learn more, to figure out what happened, understand if there’s a new type of attack.” Luckily, from Porter’s point of view, AT&T was not the target of the attack. That unfortunate honor went to a company called Dyn, which helps manage the flow of traffic online. AT&T doesn’t use Dyn’s services, Porter explains, so the attack didn’t “impact on our specific customer base, but obviously we might have services in some of those companies” that were affected. That means that in the digital world, an attack on one company is never just an attack on one company.

Brute force attacks, like the one that affected Dyn, are known as distributed denial of service (DDoS) attacks, and they’re on the rise. According to AT&T research, 73 percent of companies that responded to its global survey reported at least one DDoS issue in the past year.

Porter spoke to Inverse at the annual AT&T Cybersecurity Conference in New York City, which shines a light on what cybersecurity professionals are worried about on a day-to-day basis. The short answer is: they’re worried about exactly what happened on October 21. Though it is still unknown who carried out that attack, U.S. intelligence agencies don’t believe it was a state actor. Instead, they think it was a low-level hacker that bought the code that temporarily brought so many sites down through the vast unregulated digital marketplace on the dark web.

[Image: An internet-connected refrigerator. Getty Images / David Becker]

The malware used in the attack, called Mirai, is believed to have accessed hundreds of thousands of internet-connected devices most people don’t think about when they think about hacking. In this case, the hijacked devices were mostly CCTV cameras and DVRs, the vast majority of which were made by a Chinese manufacturer called Xiongmai Technologies. Along with internet-enabled refrigerators, thermostats, and a cornucopia of other consumer products, these devices make up the vast ecosystem known as the Internet of Things (IoT). Experts estimate that by 2020, the Internet of Things could contain as many as 38 billion units, many of which are phenomenally insecure and vulnerable to even low-skill hackers, largely because the devices use simple logins and passwords that can be easily guessed or broken.

Shortly after speaking with Inverse, Porter gave a presentation with fellow AT&T security official Brian Rexroad, who leads its “Threat Analytics” unit. Although Porter and Rexroad sometimes spoke in the opaque jargon of the corporate cybersecurity world, their underlying anxiety was clear. After making it clear that the investigation into last Friday’s attack was ongoing, Rexroad readily admitted that his organization could be next. “It would be irresponsible to make a pre-judgment without understanding the details of the attack, and to say ‘that couldn’t happen to us;’ that would be ridiculous.”

That level of worry, specifically around the Internet of Things, was a common refrain throughout the day-long event. “This is just the beginning,” said William O’Hern, Chief Security Officer at AT&T, talking about the recent DDoS attack.

“The Internet of Insecure Things”

O’Hern then sounded a darker note, suggesting that unnamed nation-states were creating IoT devices specifically for the purpose of exposing governments and companies to vulnerabilities. “We generally think of the Internet of Insecure Things,” O’Hern said in a morning presentation. “What I wanted to introduce today is the thought that maybe there’s something a little more sinister going on.” He calls it “The Internet of Trojanized Things,” and references a specific, again unnamed, “router that’s cheaply produced, very prominent, primarily in Asia. But it has a known backdoor built into it.” He added: “Perhaps there’s a deeper meaning to this.”

The pervasive worry about insecurity in the Internet of Things, whether deliberate or not, was not limited to AT&T executives.

“Hundreds of Thousands of Malicious Toasters”

Michael Coates, Twitter’s Chief Information Security Officer, addressed the massive attack in a Q&A following his presentation. Twitter was one of the sites brought down in the October DDoS attack, so for Coates the issue is of immediate concern. His description of the problems around IoT lays some of the blame on manufacturers who don’t have any incentive to create “secure toasters,” leaving adversaries free to exploit default passwords and weaponize simple kitchen tools across the globe using botnets.

“Now they have hundreds of thousands of malicious toasters to do their bidding,” Coates said.

One additional complication is that “the owner doesn’t feel any pain,” he said. Criminal enterprises “are motivated by money, and they sell botnet rentals by the hour. They’re not incentivized to destroy their host. They’re incentivized to keep it alive, keep it uninterrupted, so it can keep making money.”

Over the course of the day, the fear of IoT devices became omnipresent. John Maddison, Senior Vice President at Fortinet, a cybersecurity firm, called the IoT-led October attack “a small preview of what’s to come.” A representative from the Department of Homeland Security named Hala Furst said, “essentially, the robots were used against us – Rosie, from The Jetsons, was enlisted to harm us.”

The good news, such as it is, is that most of the attacks carried out using IoT devices employ known vulnerabilities in the machine’s software. That means that simple steps – like forcing consumers to change factory passwords, or automatically patching flaws with regular software updates – will go a long way toward closing many of the existing entry points in all of our smart refrigerators.

Porter, the former tank officer turned cybersecurity expert, felt that although the problem can be daunting, it doesn’t have to be insurmountable. “By and large, the real concern hitting most of our customer base is focused on known threats,” Porter says. “Greater than 90 percent of the attacks that are carried out are leveraging known attacks, or variants of known attacks, with very well-defined defense mechanisms. And the biggest challenge is getting the general population to raise their security posture, and if you can protect against those known you’ve gone a long way toward protecting your environment.” In short: no more using Password123, and pretending like it’s going to stop anyone.

Notably absent from the entire day was one major player in the cyber world: the National Security Agency (NSA). For all the concern about hostile nation-states attempting to disrupt business in the United States, or compromise privacy, there was no attention paid to the NSA or other US government entities who operate in the cyber domain.

The morning of the conference, The Daily Beast reported that AT&T had built a custom search tool called Project Hemisphere — a secretive program run by AT&T that searches trillions of call records, and analyzes cellular data to determine where a target is located, with whom he speaks, and potentially why. AT&T reportedly earns millions of dollars a year in fees from government agencies who use Hemisphere, and appears to have gone much further in providing customer records than what is compelled by the law.

When asked about Project Hemisphere, Porter acknowledged he’d heard about the morning’s report, but hadn’t looked into it yet. A media handler then immediately jumped in and offered to provide Inverse with a statement on the matter. Hours later, the handler emailed the same boilerplate that had been sent to The Daily Beast.