Privacy SOS

How the FBI may soon use internet meltdowns like Friday’s as an excuse to hack YOUR devices

Debates about internet security and the limits of state power just got a lot more interesting. Unless you don’t use the internet, you likely know that on Friday a number of major websites were inaccessible for hours. These sites were victims of a distributed denial of service (DDOS) attack targeting a DNS company called Dyn. The attack targeted not the temporarily blocked websites themselves (like Twitter and the New York Times), but rather the service (the DNS) that facilitates translations between human to computer language and allows users to connect to websites. It wasn’t that Twitter.com was down, per se, but rather that people typing twitter.com into their web browsers couldn’t find the site. The attack worked by infecting more than ten million internet connected devices like surveillance cameras with a virus called Marai—what’s known as a ‘botnet’—and using those devices to send millions of requests to Dyn’s servers, until the system overloaded and buckled. 

There are two important policy takeaways every internet user should know about this attack. First: the government warns us about cyber attacks all the time, but has not required companies to use the kind of basic security measures that might have stopped Friday’s outage. Second: having punted on legislation that would have required companies to keep good security practices, the government is now on the verge of obtaining the power to hack victims of attacks like that carried out Friday. Yes, you read that right: In place of mandating companies practice good security, the feds are plotting to get new authority to use weak security practices as a justification for mass government hacking

In short: The government appears to be planning for an insecure internet full of spies. Intentionally.

To explain some of the backstory here, Fight for the Future, an internet freedom advocacy organization allied with the ACLU, tweeted this excellent thread over the weekend. I’ve storified it below, because it does a fantastic job explaining how the government, with a little cover from big business, retreated from legislation that would have forced companies to build more secure products and systems, and instead opted for a bill that would massively expand government surveillance powers.

As if that wasn’t bad enough, we’re now faced with another threat: unless congress acts before December 2016, the FBI will soon gain the authority to obtain ‘hacking warrants’ enabling its agents to hack into the devices of victims of botnet attacks, even though experts say that’s not at all necessary. The new power—ushered in via a change to Rule 41 of the Federal Rules of Criminal Procedure and never debated let alone approved by congress—would also give the FBI the ability to hack people simply because they use privacy tools like VPNs and Tor.

Tell congress to pass the Stop Mass Hacking Act now.

And if you want to keep botnets like Marai out of your internet connected devices, there’s one simple thing you can do immediately: change their default passwords. Not sure how? Just google the name of the device and the phrase ‘change default password’. Here are instructions for how to change the default password on a Comcast router. Do it now!

© 2017 ACLU of Massachusetts.