Several Internet experts have been warning for years that the Internet is vulnerable to attack at pinch points such as the DNS services that translate the host names in URLs into machine addresses. There is a finite number of these, even for the gargantuan Internet, the largest man-made system ever brought into existence to date. With increasingly powerful software and commodity hardware, it is only a matter of time before massive volumes of data traffic can overcome even the large-scale resources of this world.
The Day arrived
The recent massive DDoS attack that took down several major websites is a concern for all, in that the overwhelming traffic was on the terabyte scale, which is unprecedented.
But more concerning was the report on the manner of co-opting many basic connected devices, such as webcams and connected appliances, that in hindsight were unsecured. Malware injected into these devices remotely enabled them to send spurious requests simultaneously to the DNS services, resulting in a massive, Internet-scale DDoS failure of services.
What are manufacturers, and companies selling products that include these components, doing to make IP-connected devices more secure? What should they be doing?
DDoS (distributed denial-of-service) attacks are by their very nature aggressive: they typically overwhelm the service provider, and indirectly the end-user service, by driving huge volumes of traffic to overload the service. Other types of denial-of-service attack, such as ransomware, use encryption to lock you out of your device and unlock it only on payment.
Either way, the effect is the same: loss of time and productivity and, in some cases, loss of data.
These attacks get through technology layers that have not been protected properly. In some cases a huge traffic bombardment will not necessarily be avoidable, but where malware has been planted, as in the recent massive attack reported using IoT devices, several responses may be required.
- Firmware updates - Manufacturers are making increasing use of remote firmware updates to the software that controls the "smart appliance"; these updates include security patches.
This is necessary to keep up to date and ahead of any new vulnerability created by new forms of cyber virus attack discovered in the market.
- Security strategy and components are built into the device - Rather than assuming human intervention, with engineers adding security layers later, good design assumes every point in the network is unsecured and that every part needs encryption and robust authentication.
- Secure access and identity authentication - The design of the smart device needs secure message access controls. The recent Mitsubishi car hack reportedly used security gaps in the car's onboard Wi-Fi, which linked to a cloud service. This meant the Wi-Fi could be easily intercepted and a hacker could open the car remotely. This type of design is very poor security management for identity authentication. It should use an encrypted Wi-Fi connection, but most designers would prefer a secure GSMA mobile connection that is encrypted at every stage of the request and reply from the smart device.
- Use of security testing agencies - to test and find flaws in your software and hardware before the hackers do. Many companies, such as Microsoft, use this to crowdsource and gamify the effort, getting people to try to help find and fix flaws. In a world where "zero day" attacks arrive with no warning, you need to move to new models of protection that leverage the ecosystem of expertise.
What are the implications for companies that fail to secure them?
Reputation loss and brand impact, but failure could also result in liability and being sued in court for personal loss or harm. In a recent case, I saw that pacemakers and defibrillators (see link) could be tampered with through a debugging backdoor method to access the device. In this case, an agency that specialises in finding security flaws raised this, but the consequences are clearly serious.
What is the industry doing to make the consumer IoT safer? What can it do?
It's still early days. Several standards bodies are developing IoT reference models, but they are advisory, not mandatory. Control of consumer services is covered by terms and conditions, but often the IoT world is more invasive and assumes that they have proper encryption in the device. This can be left to the network and cloud provider. There is increasing awareness of the need to use secure connections and secure passwords and to promote better security design in IoT devices; I recently saw ARM Holdings CTO Mike Muller push home the need for security to be baked into chip design and systems and not be an add-on.
Is IoT safe in the future?
So what options are there for companies to protect themselves against such DDoS attacks, and for those companies building IoT devices? Nothing is foolproof, but these actions can be taken to establish contingencies to respond to such threats. We cannot turn the clock back on these systems and the connected world, and, as with all new technological innovations, new protections and new legal frameworks will be needed.