attacked the internet infrastructure run by US firm Dyn, knocking out services including Paypal, Twitter and Netflix. More accurately, the attacked involved potentially hundreds of thousands of surveillance cameras and digital video recorders connected to the internet that had been weaponised by the hackers. By Ansgar Koene and Derek McAuley They were infected with malicious software that turned them into a “botnet”, a network of devices controlled by an outside force. This was then used to flood Dyn’s infrastructure with activity, grinding it to a halt. These so-called distributed denial of service (DDOS) attacks are a common technique among cybercriminals. But this was only the second recorded time a DDOS attack involved what’s known as Internet of Things devices – devices other than PCs and mobiles that are connected to the internet. Such a high-profile attack demonstrates just how serious the security flaws are in the tech industry’s current approach to the Internet of Things. Without a significant change in the way these devices are designed and used, we can expect to see many more instances of internet-enabled cameras, TVs and even kettles used for nefarious purposes. They are perhaps even becoming part of a hacking service for hire. Until now, concerns about the Internet of Things have largely focused on privacy. Hackers have shown they can gain control of internet-enabled security cameras and even baby monitors to spy on people’s homes. Even if you cover up your webcam when you’re not using it – as it seems Facebook founder Mark Zuckerberg does – devices like internet-enabled TVs and thermostats could also allow criminals or governments to monitor your movements. Shutterstock There has been an (unspoken) attitude in many parts of the tech industry that because users often ignored privacy settings on social media showed they didn’t really care about the issue. But with the weaponising of Internet of Things devices, there is a growing possibility that manufacturers could be held to account for security vulnerabilities through lawsuits and damages claims brought by corporate victims of DDOS attacks. One problem is that, unlike PCs or smartphones, many of these devices are meant to perform their tasks without drawing attention to the fact they are really computers. They’re designed to be turned on and left to do their job with minimal human interaction. Yet one of the reasons people often run security checks and discover malicious software on their PCs is because they start to run more slowly or with minor errors. Internet of Things users are less likely to notice similar problems and have fewer options for determining what the problems is if they do. Similarly, most Internet of Things devices are not able to automatically update their core software, something that is commonplace and expected of PC operating systems and smartphones. Instead the devices require manual updates often with quite complex procedures. So it is common for their security software never to be updated.