How a Dorm Room Minecraft Scam Brought Down the Internet

Garrett M. Graff, Wired:

The most dramatic cybersecurity story of 2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet — powered by unsecured internet-of-things devices like security cameras and wireless routers — that unleashed sweeping attacks on key internet services around the globe last fall. What drove them wasn’t anarchist politics or shadowy ties to a nation-state. It was Minecraft.

Minecraft may have been the motive and three college students may have been the perpetrators, but the reason this attack was so successful was because so many internet-of-things device manufacturers don’t prioritize security, and nobody really checks to make sure any of these products have been tested for trivial loopholes.

We’re used to extension cords being certified that they won’t burst into flames when you plug them in. Microwaves and cellphones get tested by regulatory bodies to ensure that they won’t fry living organisms. We expect our cars to be built to withstand moderate collisions. These processes don’t prevent all problems, but they do help maintain standards and provide third-party verification that the manufacturer did a good job.

But there are millions and millions of devices out there — including medical devices — connected to the same network that people use to play Minecraft, and there’s no certification process in place or agreed-upon standards outside of industry practices. In the United States, there’s a division of the Department of Homeland Security called US-CERT that monitors devices and software for vulnerabilities, but only after they go on sale. The FDA is perhaps at the forefront of keeping devices safe: they monitor consumer medical devices and maintain software standards.

I’m not necessarily arguing that every device and software update ought to go through an extensive pentesting process, but there is a reasonable argument to be made that internet-of-things devices should be subject to a little more scrutiny. The industry is currently not doing a good enough job regulating itself, and their failures can have global effects. Some sort of standards body probably would slow down the introduction of these products, but is the possibility of a global attack on the internet’s infrastructure a reasonable price to pay for bringing a device to the market a little bit faster?