The carrot and stick strategy to IoT security
Paul Egan, Principal Consultant, blogs for IoTUK about last week’s DDoS attack and the ‘carrot and stick’ strategy that would make both IoT manufacturers and distributors liable for future attacks.
When the unexpected happens it’s always best to draw breath and pause before reacting. With the news still developing that the Internet is being “hacked”, or at least interrupted for some time through a Distributed Denial of Service (DDoS) attack, there are reports that many of the compromised devices were not just PCs and laptops but IoT devices. While you can debate whether a connected CCTV camera is a genuine IoT device, the impact of large numbers of in-field devices with known vulnerabilities being used in this way is very worrying.
The reports so far, which are not confirmed, are pointing to a particular vendor of camera subsystems whose tech is fitted into many remotely controlled cameras. It would appear that once identified these devices can be reprogrammed to very simply send many thousands of HTTP requests every second to many targets. Multiply this up by the thousands if not millions of compromised devices and it can quickly give you the scale necessary to cause widespread disruption.
Michael DeCesare, who wrote a guest post in techcrunch.com, sums up the situation very clearly: “Why is this significant? The ability to enslave these video cameras has made it easier and far cheaper to create botnets at a scale that the world has never seen before. If someone wants to launch a DDoS attack, they no longer have to purchase a botnet—they can create their own using a program that was dumped on the internet just a few weeks ago”.
In November last year I wrote a short blog post to capture my “predictions” for IoT in 2016. While some are yet to surface (we do have 2 months of the year left), sadly my number one prediction appears to have come true last week. Here is a reminder:
And finally at number one for 2016 …
‘1. Security: Security will become the biggest single IoT subject, as well as its greatest opportunity for commercial success. It will also be the biggest risk for enterprise failure. Expect a very public and very large scale hack of an IoT application or device. Think the Fiat-Jeep hack but on a larger scale.’
And therein lies the rub. We are back to square one with IoT security and some fundamental problems such as using identical security credentials for every device or storing keys locally in plain text. This is a gift for hackers.
To underscore the problem, let’s not forget that disrupting the Internet has real-world impact. While losing Snapchat and Spotify may have impacted people’s social lives, a loss of banking services, transport systems, health care services or energy distribution could cause massive societal problems. Service interruption for one of these is inconvenient, but if all of them were attacked simultaneously the consequences could be far more catastrophic.
So what do we do? I say we adopt a carrot and stick strategy.
On the stick side we introduce regulation that makes manufacturers AND distributors financially liable for these kinds of attacks by supplying devices with known vulnerabilities. The Amazon recall of hover boards is a case where the reputational risk of continuing to supply them is greater than the financial reward.
For carrots we can use consumer power, where consumers are encouraged to only use devices with security accreditation, which is the approach being proposed by the IoT Security Foundation (IoTSF). By adopting the IoTSF security best practice methodology it should become easier for consumers to make better informed decisions when selecting IoT devices and services, as these products will have already met an agreed set of security metrics.
Ideally, manufacturers would plug the obvious security holes during the production process rather than in reaction to an attack. With open IoT standards in place, an online service could be rolled out that would encourage users to change the default security settings before all product features become available.
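To make the two fixes above concrete (no identical credentials across devices, no plain-text secrets, and a feature gate that withholds network-facing functions until the initial credential has been replaced), here is an added example written for this post. It is not code from any vendor, from the IoTSF, or from the original article; the feature names, the weak-password list and the device serials are constructed assumptions, and the credential check uses salted PBKDF2 as one reasonable choice rather than any particular product’s scheme.

```python
import hashlib
import hmac
import os
import secrets
from typing import FrozenSet, List, Optional, Tuple

# Constructed example: per-device initial credentials, hashed storage and a
# feature gate. Feature names and the weak-password list are assumptions.
WEAK_PASSWORDS = {"admin", "password", "12345", "root", "1234", "default"}

# Usable on a factory-fresh device: just enough to change the password.
FEATURES_ALWAYS: FrozenSet[str] = frozenset({"status", "change_password"})
# Network-facing features held back until the initial credential is replaced.
FEATURES_GATED: FrozenSet[str] = frozenset({"remote_view", "cloud_upload", "remote_shell"})


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the device keeps salt and digest, never the plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class Device:
    def __init__(self, serial: str, salt: bytes, digest: bytes) -> None:
        self.serial = serial
        self.salt = salt
        self.digest = digest
        self.credential_rotated = False

    def verify(self, password: str) -> bool:
        """Constant-time comparison of the candidate digest against the stored one."""
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def set_password(self, old: str, new: str) -> bool:
        """Replace the credential; rejects a wrong old password and weak or unchanged new ones."""
        if not self.verify(old):
            return False
        if new.lower() in WEAK_PASSWORDS or new == old or len(new) < 10:
            return False
        self.salt, self.digest = hash_password(new)
        self.credential_rotated = True
        return True

    def available_features(self) -> FrozenSet[str]:
        """The gate: network-facing features unlock only after the initial credential is replaced."""
        if self.credential_rotated:
            return FEATURES_ALWAYS | FEATURES_GATED
        return FEATURES_ALWAYS


def provision(serial: str) -> Tuple[Device, str]:
    """Factory step: a random credential per unit, printed on the label and not kept on the device."""
    initial = secrets.token_urlsafe(12)
    salt, digest = hash_password(initial)
    return Device(serial, salt, digest), initial


def shared_initial_credentials(initial_passwords: List[str]) -> bool:
    """Fleet check for the 'identical credentials on every device' problem."""
    return len(set(initial_passwords)) != len(initial_passwords)


if __name__ == "__main__":
    cam, label_password = provision("CAM-0001")  # constructed serial
    print("before rotation:", sorted(cam.available_features()))
    cam.set_password(label_password, "long-unique-passphrase-7")
    print("after rotation:", sorted(cam.available_features()))
```

The design choice worth noting is that the device never stores the label password in clear: the factory hands it to the buyer once, and from then on only a salted digest exists on the unit, so a firmware dump yields no reusable credential for the rest of the fleet.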
To help stay safe, I would advise that you look at your connected devices and please change the default settings. While it’s not guaranteed to stop this kind of hack it does at least slow down the bad guys.
I will be posting my 2017 predictions at the end of November so you’ll have to wait and see what’s in store for next IoT year.