How to stop the Army of Things

Oct 27, 2016 | 4 mins

Private businesses must lead the offensive against the ‘Army of Things’ by demanding the elimination of password based security.

[Image: camera bots. Credit: Thinkstock]

On Oct. 21, 2016, a severe distributed denial-of-service (DDoS) attack disrupted Amazon, Etsy, GitHub, Spotify, Twitter, The New York Times, Vox, Airbnb, Netflix, Reddit, and many others. The attack, aimed at the DNS provider Dyn on which those sites depended, was carried out by a massive botnet of hundreds of thousands of internet-connected devices infected with malware called Mirai. Mirai recruited its device army by logging in over telnet with factory-default and other weak passwords; once infected, the devices flooded the targeted servers with traffic measured in hundreds of gigabits per second.

One can make the case that much of the blame for this and other recent DDoS attacks lies with Internet of Things (IoT) device and networking equipment manufacturers. In the rush to bring new devices to market, manufacturers too often leave security as an afterthought, opening huge gaps that attackers will eventually exploit. Builders of consumer-oriented IoT devices and remote-control smartphone apps are especially at fault, because there should never be any expectation that consumers have the technical knowledge required to properly configure IoT devices and home routers.

[ BACKGROUND: An IoT botnet was partly behind Friday’s massive DDoS attack ]

Importantly, virtually all consumer-oriented IoT devices and routers use passwords as the primary user authentication mechanism for configuration, and a password that ships identically on every unit of a model is a credential the attacker already knows. In the bright light of the recent DDoS attacks, every technology professional in a company victimized by DDoS should recognize the IoT security situation for what it is: a technological catastrophe.

Technology professionals managing security for large companies should know how to properly configure network routers and IoT devices. This is not true of the millions of consumers around the world installing mass-market routers and IoT devices in their homes. Large companies may not think weaknesses in consumer IoT products are something they should worry about, yet they are the more attractive targets for the botnets those weaknesses create.

Small and midsize businesses are also at risk, but many attackers want to make a political or social statement, as we saw in the Oct. 21 attacks, and a household name makes the louder statement. Such attacks reach consumers only to the extent that service providers such as Amazon or Netflix are affected. It should be noted that consumers will not be sympathetic to an argument casting Amazon and Netflix as victims; that these companies’ websites are inaccessible is all that concerns the consumer.

There is an overarching solution: elimination of passwords as the authentication method for IoT and networking devices, in favor of credentials that are unique to each unit and cannot be guessed from a list. Targets of DDoS attacks, regulators, and legislatures hold the keys to ensuring that this solution is implemented.
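The attack described above and the password-free alternative this article argues for, shown side by side as an added example that is not part of the original article. The credential list is a small subset of the one published in the leaked Mirai source; the device models, the fleet, the owner's management tool and the HMAC challenge-response handshake are constructed for illustration and are not any vendor's real protocol. Everything runs in-process, with no network access.

```python
"""Added example: why a shared factory password falls to a fixed credential
list, and what a per-device, password-free login handshake looks like.
Device models, fleet and handshake are constructed assumptions, not a real
vendor's protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Tuple

# Subset of the username/password pairs Mirai tried over telnet
# (from the publicly leaked Mirai source).
MIRAI_CREDENTIALS: List[Tuple[str, str]] = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("root", "root"), ("admin", "password"),
    ("root", "12345"), ("user", "user"), ("ubnt", "ubnt"),
]

# Constructed device models, each shipping one password for every unit.
FACTORY_DEFAULTS = [
    ("cam-a", "root", "xc3511"),
    ("dvr-b", "admin", "admin"),
    ("router-c", "ubnt", "ubnt"),
]


def is_default_credential(username: str, password: str) -> bool:
    """Audit check: does this pair appear in the attacker's list?"""
    return (username, password) in MIRAI_CREDENTIALS


@dataclass
class PasswordDevice:
    """Consumer device as shipped: the same credential on every unit."""
    model: str
    username: str
    password: str

    def login(self, username: str, password: str) -> bool:
        return (username, password) == (self.username, self.password)


@dataclass
class KeyedDevice:
    """Same device with password login removed. Each unit holds its own
    random secret, shared only with the owner's management tool. Login is
    an HMAC over a fresh device-chosen nonce (constructed scheme)."""
    model: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: bytes = b""   # nonce of the session currently open

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)   # fresh per attempt
        return self.pending

    def login(self, response: bytes) -> bool:
        if not self.pending:
            return False
        expected = hmac.new(self.secret, self.pending, hashlib.sha256).digest()
        self.pending = b""   # single use: no replay of an old response
        return hmac.compare_digest(expected, response)


def owner_response(secret: bytes, nonce: bytes) -> bytes:
    """What the legitimate owner's tool computes from the unit's secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def build_fleet(units_per_model: int):
    pw = [PasswordDevice(m, u, p) for m, u, p in FACTORY_DEFAULTS
          for _ in range(units_per_model)]
    keyed = [KeyedDevice(m) for m, _, _ in FACTORY_DEFAULTS
             for _ in range(units_per_model)]
    return pw, keyed


def mirai_attack_passwords(devices) -> int:
    """Attacker's play against password devices: walk the fixed list."""
    return sum(1 for d in devices
               if any(d.login(u, p) for u, p in MIRAI_CREDENTIALS))


def mirai_attack_keyed(devices, guesses: int = 100) -> int:
    """Attacker's play against keyed devices. It never sees `secret`;
    all it can do is open sessions and guess 256-bit responses."""
    owned = 0
    for d in devices:
        for _ in range(guesses):
            d.challenge()
            if d.login(secrets.token_bytes(32)):
                owned += 1
                break
    return owned


def owner_login(device: KeyedDevice) -> bool:
    nonce = device.challenge()
    return device.login(owner_response(device.secret, nonce))


def replay_attack(device: KeyedDevice) -> bool:
    """Capture one valid response on the wire and resend it later."""
    nonce = device.challenge()
    captured = owner_response(device.secret, nonce)
    device.login(captured)          # legitimate session consumes the nonce
    device.challenge()              # attacker opens a new session...
    return device.login(captured)   # ...and replays: different nonce, fails


if __name__ == "__main__":
    pw_fleet, keyed_fleet = build_fleet(10)
    print("password fleet compromised:", mirai_attack_passwords(pw_fleet), "of", len(pw_fleet))
    print("keyed fleet compromised:   ", mirai_attack_keyed(keyed_fleet), "of", len(keyed_fleet))
    print("owner still logs in:", all(owner_login(d) for d in keyed_fleet))
    print("replay succeeds:", replay_attack(keyed_fleet[0]))
```

The point of the simulation is that the attacker's list works against every unit of a password model because the credential is a property of the model, while the keyed fleet gives the attacker nothing to enumerate. The cost that manufacturers are really resisting is visible in `KeyedDevice.secret`: it must be generated per unit, never baked into a firmware image shared across units, and delivered to the owner's tool through some provisioning step (a label, a pairing ceremony, a certificate), which is exactly the work that a one-size-fits-all default password lets them skip.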

The best approach will come from the private sector. Companies targeted by DDoS attacks should demand that networking equipment and IoT device manufacturers eliminate password authentication and improve other aspects of security. This can be very effective because manufacturers of consumer-oriented IoT and networking devices produce similar products for business customers.

Products built for businesses typically carry higher profit margins, so business customer dollars are inherently more powerful. There is little doubt that manufacturers will resist, claiming that customers will not accept change or pay more for better security. The counterargument is that manufacturers lack imagination. They can continue to offer current technologies while introducing more secure devices, pricing the older systems above the newer, more secure alternatives so that the less secure systems gradually fade away. Business customers can also demand discounts when buying enterprise networking and IoT equipment, on the grounds that less secure consumer-oriented products raise cybersecurity liability for all businesses.

Another solution is ‘soft regulation’, where regulators become much more vocal in moving device manufacturers toward more secure authentication methods and simpler configuration procedures. Government agencies can help by mandating that government buyers acquire only devices meeting a much higher security standard. Government purchasing power is thus part of the preferred market-forces approach.

The least desirable solution comes from the legislative hammer. Governments could employ ‘hard regulation’ through new legislation. Lawmakers might justify such action by raising the argument that DDoS attacks can affect infrastructure critical to national security.

Until serious pressure is applied on IoT device manufacturers by every company in the crosshairs of DDoS attackers, exploding numbers of IoT devices will become soldiers in an ever more devastating hacker army.


Jim Thackston is a computer security and engineering consultant based in Tampa Bay, Florida with more than 25 years of experience in software architecture, software engineering, network security, and cybercrime detection and mitigation.

In 2005, Jim set out to understand one of the most difficult problems facing the internet economy: online identity verification. Over the past 11 years, he has studied the problem from every perspective, focusing initially on the problem of knowing who is really ‘sitting’ at an online poker table.

To prove the weaknesses in poker identity verification, he built a full-featured system demonstrating how internet poker could be used to launder money in a way that is virtually undetectable. A briefing to senior FBI officials in May 2013 led to a July 2013 US Senate hearing on the money laundering threat posed by internet gambling. In December, 2013, Jim submitted testimony to the US House of Representatives Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing, and Trade.

Jim took the insights gained from the intensive online gambling study and applied them to the much more expansive problem of online identity verification in all internet and intranet activity. He has studied the problem as it relates to corporate and government intranets, online banking, and cryptocurrencies and other blockchain applications.

Jim is the inventor of record for a number of patents important to cloud computing, manufacturing, renewable energy, and computer security. Most notable are two patents that anticipated aspects of cloud computing by 10 years.

His computer security expertise is reinforced by academic and career achievements.

In 1989, Jim graduated from the University of South Florida with a Bachelor of Science degree in mechanical engineering. After college, he served in the 101st Airborne Division, deploying to Saudi Arabia and Iraq during operations Desert Shield and Desert Storm.

After leaving active duty, Jim earned a Master of Science degree in aerospace engineering from the Georgia Institute of Technology. While attending Georgia Tech, Jim interned as a turbomachinery engineer in the Propulsion Laboratory at NASA’s Marshall Space Flight Center. He continued as a full-time engineer after his studies at Georgia Tech concluded in 1994. While at Marshall, he designed turbine components for both experimental and non-experimental liquid oxygen and kerosene fuel turbopumps.

It was during his NASA service that Jim became a skilled software engineer. He applied these skills at Eglin Air Force Base helping build a combat mission planning system used by the US Air Force and other US military services.

Jim has worked as a consultant ever since, designing and building software systems in the manufacturing, energy, telecommunications, financial, and government sectors.

The opinions expressed in this blog are those of Jim Thackston and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.