A version of this post originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.
Our worst hacking fears came true on Friday as criminals deployed millions of everyday objects—internet-connected cameras, printers, and so on—to launch an attack on a critical part of the Internet. The attack was a success, crippling the websites of major companies like Amazon, Netflix and Twitter for hours at a time.
We now have a handle on what happened: Hackers used publicly available source code to assemble a bot-net army of internet-enabled devices, and then directed those devices to send massive waves of junk requests to a DNS provider. The attack meant the provider, New Hampshire based Dyn, could not carry out its job of acting as a switchboard for the internet, and consumers could no longer reach popular websites.
The compromised devices, which make up the bot-net army, are still out there and unpatched, which means other attacks are likely on the way. This makes it a good time to ask who’s to blame for this debacle. We can start, of course, by fingering the hackers themselves, who appear to have unleashed the attack with profit motives in mind.
But we can also assign much of the blame to the companies whose sloppy security standards made the attack possible:
Wondering which IoT device types are part of the Mirai botnet causing trouble today? @briankrebs has the list: https://t.co/bETefDMa4Y
— Eric Skinner (@EricSkinner) October 22, 2016
https://twitter.com/mims/status/789628910728163328
A list of alleged culprits, compiled by security researcher Brian Krebs, include familiar names like Panasonic, Samsung and Xerox printers. The names also include lesser known makers of routers and cameras, which reportedly made up the bulk of the bot-net army.
It’s a good bet these companies are scrambling to update their product lines in a way that requires users to change the passwords (widespread use of default passwords are the main reason the devices got hacked in the first place). But it’s not fair to lay the entire blame squarely on the companies. Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in.
Finally, it’s time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well. No one thinks it’s acceptable for consumers to be clueless when they operate products like automobiles or propane tanks—so why is it okay for them to be careless with routers and security cameras?
