Screenshot of Amazon's Echo Look from the company's video promo.
Photo: Amazon/YouTube
Photo: Amazon/YouTube

Why your next Echo command should be: 'Disconnect me from the internet'

Dr. Herbert Lin, one of the nation's pre-eminent thinkers on cybersecurity policy, shuns the internet-connected devices that fill some American homes. 

He'll have nothing to do with "smart" refrigerators, hands-free home speakers he can call by name, intelligent thermostats and the like. 

"People say to me, 'How can you have a doctorate in physics from MIT and not trust in technology?' And I look at them and say, 'How can I have a doctorate in physics from MIT and trust technology?'" Lin said. 

» RELATED: Creepy or useful? Amazon’s new Echo Look selfie camera wants to help you get dressed

Part of what he distrusts is the "internet of things," and the ease with which hackers can penetrate "smart" devices with digital worms and shanghai them into massive robotic networks to launch crippling digital attacks or generate ever greater quantities of spam. 

It is a mistrust based on mathematics. Internet-enabled devices are exploding in number. Gartner, a research giant in technology, says the devices will climb from 6.4 billion at the end of last year to 25 billion by 2020. Such growth sharply augments the power of hidden robotic networks, or botnets. 

Now, an unseen battle unfolds. Weaponized digital worms are entering the scene and infecting masses of devices that obediently await instructions from a remote master to spring to action, possibly a new botnet attack. 

» RELATED: How to Tell If You've Been Hacked (& What to Do About It)

The threat from botnets is so serious that FBI Director James Comey brought them up at a Senate hearing last week, saying the "zombie armies" created from internet devices can do tremendous harm. 

"Last month, the FBI - working with our partners, with the Spanish national police - took down a botnet called the Kelihos botnet and locked up the Russian hacker behind that botnet," Comey said. "He's now in jail in Spain, and the good people's computers who had been lashed to that zombie army have now been freed from it." 

Further botnet attacks are inevitable. 

"The next one could be just seconds or minutes from happening again," said J. Kevin Reid, a former FBI agent who leads the national security portfolio at KeyLogic, a Morgantown, W.Va., firm that offers consulting services to the federal intelligence community. 

Many consumers don't realize that internet-enabled devices are unregulated and insecure - simpleton digital recruits in potential malicious armies. 

A botnet already made headlines once. Last Oct. 21, a botnet slowed internet activity to a crawl along the Atlantic seaboard. A hacker using a malicious worm dubbed Mirai - Japanese for "the future" - took over thousands of internet-connected security cameras and other seemingly innocuous devices and ordered them to fire relentless digital "pings" at a New Hampshire company, Dyn, that oversees part of the backbone of the internet. Dyn was overwhelmed, and popular sites such as Twitter and The New York Times were temporarily inaccessible. 

Now a new worm, dubbed Hajime - Japanese for "beginning" - is spreading. 

The Moscow-based Kaspersky Lab estimated in late April that the Hajime worm had already penetrated 300,000 devices worldwide and could rally them into a botnet army at a moment's notice. 

Initial forensics reports suggested that the Hajime worm might be the creation of a "white hat" hacker working to thwart future attacks by Mirai botnets. Hajime leaves behind a message that says in part: "Just a white hat, securing some systems." But even if Hajime is presently a force for good, protecting devices from Mirai infection, how long will that last? Some analysts have doubts. 

"While infected with Hajime, the vulnerable devices are protected from known Mirai attacks," a principal security researcher for Kaspersky Lab, Igor Soumenkov, said in an email. He added, however, that "Hajime's spreading methods are malicious in nature" and the worm "may go rogue at any time." 

That aspect of the internet of things, or IoT, gives jitters to Lin, the MIT-educated cybersecurity scholar at Stanford University's Center for International Security and Cooperation who largely shuns internet-enabled devices. 

"I don't want something working on my system when I don't know what it is," Lin said, adding that installing even protective worms is not cool. 

Even dolls for children can be forced into rogue botnets, Reid said. 

"People would be like, 'What? My child's toy?' Well, toys are pretty fancy nowadays," Reid said. "They are going after camcorders and DVD players and other things with this particular intrusion technique." 

In practical terms, that means hackers who control botnets can extort businesses, threatening to overwhelm targets with traffic unless they pay. They can also amplify the power of those sending spam. 

Already, up to 90 percent of the email traffic on the internet is spam, although internet service providers do a pretty good job of clearing it out with spam filters, Lin said, letting only a fraction through. 

"Let's say you increase that fraction by a factor of 10, or 100, which is what these IoT botnets threaten to do," Lin said. "I assure you at that point you will get a lot more spam in your email inbox. Let's say you get 100 times as much spam as you get now. It might make your email account unusable." 


(c)2017 McClatchy Washington Bureau

Buying on impulse through a voice recognition system like Google Home or Amazon Echo could be costing you more.

Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.

Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.