Blog

The following article was written before the DDoS attack that took down most internet services across US, Canada and Europe. There is mounting evidence that the attack was caused by malware-infected IoT devices used exactly as described in the article below. Clearly, the time has come to demand that IoT manufacturers build adequate security into the products they release into the world.

The Internet of Things is poised to become an enormous $11 trillion-dollar industry, if it doesn’t become a liability for enterprises and consumers alike. Protecting consumer data remains a top priority for developers as they establish this giant industry, but there is a new issue on the table that might be plaguing devices already without our knowledge: botnets for DDoS attacks.

There is a risk that devices may be hacked to turn the owner into an unwitting contributor to distributed denial-of-service attacks, rather than for personal data and unwanted access. By overloading servers with artificial traffic, the attacks cause online services to cave under the sheer volume without the aggressors ever needing to infiltrate an otherwise secure system.

We have seen several in the last few months, including attacks on OVH and Brian Krebs. The growing frequency of these attacks suggests that it will become an endemic problem for the Internet of Things if left unchecked. That would crush consumer trust right out of the gate in what could be the most revolutionary technology of the century.

Commandeering devices for DDoS attacks is possible largely due to the poorly implemented security on many devices with embedded operating systems. A recent study from Symantec indicates that hackers have already begun doing this, taking advantage of non-PC Internet-enabled devices that lack the sophisticated security features of desktops and laptops.

The implications for danger are clear: what if online elections were thwarted this way? News outlets could be silenced. Online retailers and their employees could take huge financial hits. Internet-enabled city traffic systems would become nightmares without appropriate security measures in place. There is a clear incentive to prevent our own devices from turning on us, or someone else.

These are not just phones and tablets, as many of us have come to think about “connected devices.” The malware behind these attacks infected routers and modems, security cameras, and even DVRs. How can we solve that at every step in the process?

The solution would appear to lie in device-level security, although simply beefing up devices may start a security arms race that would cause too much strain. As InfoWorld pointed out, patching devices constantly would require code signing, which in turn would require more powerful CPUs in devices that, arguably, do not need them. That would require more thorough patching efforts in turn, creating an endless cycle of rising costs for everyone.

There are two steps we can take immediately without committing to that arms race. Many of those non-PC devices are accessed by the malware using the device’s default password, making it critical for consumers to change their passwords upon installation. That’s the first step that consumers can take to protect their devices. The industry must also put the onus on manufacturers to create unique consumer passwords in a systematic fashion, like product keys. This will immediately deny much of the existing malware access to a large portion of the devices currently in the field.

There may not be a silver-bullet solution at the moment, but it is clear that many of these devices could have been protected against this kind of malicious conscription with better standard security controls introduced at the design stage. Trust underpins all connectivity, and the IoT industry must earn it before scaling up to revolutionize our everyday lives.