The company is blaming a password problem, but there is a deeper issue. Devices like cameras should not be capable of being reprogrammed in this way. There is no need for a webcam to incorporate a general-purpose computer, and in particular, a webcam has no need for the ability to disguise its identity — an essential component of an effective DDoS.
In general, the proposed Internet of Things (IoT) will be possible only after these fundamental security issues are sorted out. It doesn’t take much imagination to consider what a camera or microphone might do if it is capable of being reprogrammed over the network, but think beyond that. Reprogrammed lights could self-destruct in a relatively short time, leaving people in the dark. A coffee maker could be reprogrammed to explode and start a building fire, a danger that looms larger if you imagine this happening in a million apartments in the same city on the same night. A reprogrammed loudspeaker could plant subliminal suggestions — or it could make the loudest sound you can imagine, causing hearing loss and possibly even earthquake-like structural damage.
Excluding these unintended capabilities is simple enough in theory. It involves pulling out the general-purpose computer built into the devices, substituting a special-purpose controller that has an intentionally limited set of capabilities chosen with safety in mind. Yes, that requires more design work, but the current approach of relying on good programming practices, firewalls, and passwords clearly is not enough.