A new approach to connected device security is long overdue.
A massive wave of distributed denial-of-service (DDoS) attacks executed against security researchers and hosting companies has captured headlines over the past few weeks.
For example, OVH was targeted by two concurrent DDoS attacks at a combined bandwidth of almost 1 terabit per second, with one attack peaking at 799Gbps. According to reports, the attacks centered on Minecraft servers hosted by the company and originated from a botnet comprised of 145,607 hacked digital video recorders and IP cameras.
Meanwhile, cybersecurity journalist Brian Krebs' website was overwhelmed by a DDoS attack that peaked at roughly 620Gbps, forcing Akamai to temporarily suspend service. In a blog post describing the assault, Krebs said the attack had likely been conducted with the help of a botnet that enslaved a significant number of compromised IoT devices, including routers, IP cameras and digital video recorders (DVRs).
As a recent study by Symantec confirms, malware targeting the Internet of Things has matured considerably, with the number of attacks on IoT devices "multiplying" over the past year. The report also notes that lackluster security makes many IoT devices soft and appealing targets: embedded devices rarely receive notable firmware updates and are typically replaced only at the end of a service life that is often long. To make matters worse, victims may not even know their connected devices have been infected.
It is therefore important for consumers to be aware of the very real threat posed by insecure IoT devices, including connected appliances, routers, IP cameras and digital video recorders. As more and more devices go online, the pool of devices available for attackers to abuse grows with it. The overall effectiveness of a DDoS attack depends largely on the number of IoT devices participating in the campaign and the bandwidth each of them can push; vulnerable IoT endpoints clearly provide attackers with the scale needed to launch effective DDoS attacks.
It is unfortunate, though perhaps not surprising, that IoT security continues to be treated as an afterthought rather than a primary design parameter. Moreover, unlike PCs, tablets and smartphones, IoT devices rarely receive timely firmware updates from their manufacturers for serious or even critical vulnerabilities, if they receive them at all.
As the recent DDoS attacks painfully illustrate, the industry can no longer afford to neglect IoT security. Rather, a new approach, designed from the ground up to provide security for connected devices, is long overdue. One approach to achieving a safer IoT would see devices secured throughout their lifecycle, from chip manufacture, through day-to-day deployment, to decommissioning. This can be accomplished with a hardware root of trust in silicon that anchors a unique identity and keys for each device and on which a range of security functions, including secure connectivity between the IoT device and its cloud service, can be built.
It may also be time to seriously re-examine the current state of DDoS protection on the service side. One way to shore up the defenses of a cloud service is to uniquely and cryptographically verify each IoT device before it is allowed to connect, using credentials anchored in the device's hardware root of trust, and to deny access to any device that fails authentication. Rejecting unauthenticated connections cheaply at the edge blunts attacks aimed at the device-facing service itself and keeps counterfeit or compromised units from consuming its resources; it does not, however, reduce the raw volume of packets that a botnet of hijacked devices can direct at a network, so it complements rather than replaces upstream traffic scrubbing.
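The per-device root of trust and the service-side verification described in the two paragraphs above, as an added example that is not part of the original post or of any vendor's product: a challenge-response handshake in which each device holds a key diversified at manufacture from a master key (a small Python object stands in for the secure element in silicon), and the cloud service re-derives that key, checks a single-use nonce, and refuses unknown, revoked, counterfeit and replayed devices. The HMAC-based key-derivation scheme, the device identifiers and the service names are assumptions chosen for illustration.

```python
"""Per-device cryptographic authentication between an IoT device and its cloud
service: an added example, not the original post's or any vendor's code.
Standard library only. SecureElement stands in for a silicon root of trust
holding a key that never leaves the chip.
Assumed (not from the page): device keys are diversified from a manufacturing
master key with HMAC-SHA256, and the service hands out single-use nonces."""

import hashlib
import hmac
import secrets

# Held by the provisioning system at chip manufacture and by the cloud service.
# Constructed for the example; a real master key would live in an HSM.
MASTER_KEY = secrets.token_bytes(32)


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Key diversification: each chip leaves the factory with a key unique to
    its device ID, so extracting one device's key exposes no other device."""
    return hmac.new(master_key, b"device-key|" + device_id.encode(),
                    hashlib.sha256).digest()


def auth_message(device_id: str, service_id: str, nonce: bytes) -> bytes:
    """Bind the tag to device, service and nonce: a tag produced for one
    service cannot be replayed against another, nor under another nonce."""
    return b"|".join([device_id.encode(), service_id.encode(), nonce])


class SecureElement:
    """Stands in for the hardware root of trust: exposes an authenticate
    operation but never the key. Device firmware cannot read _key."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key

    def authenticate(self, service_id: str, nonce: bytes) -> bytes:
        return hmac.new(self._key,
                        auth_message(self.device_id, service_id, nonce),
                        hashlib.sha256).digest()


class CloudService:
    """Service side: issues challenges and verifies responses. Unknown,
    revoked, replayed and counterfeit devices are refused."""

    def __init__(self, service_id: str, master_key: bytes, provisioned_ids):
        self.service_id = service_id
        self._master_key = master_key
        self.provisioned = set(provisioned_ids)   # IDs issued at manufacture
        self.revoked = set()                      # e.g. units seen in botnet traffic
        self.pending = {}                         # device_id -> outstanding nonces

    def challenge(self, device_id: str):
        # Refuse before keeping any state, so bogus IDs cannot fill the table.
        if device_id not in self.provisioned or device_id in self.revoked:
            return None
        nonce = secrets.token_bytes(16)           # single use; would also expire
        self.pending.setdefault(device_id, set()).add(nonce)
        return nonce

    def verify(self, device_id: str, nonce: bytes, tag: bytes):
        # Cheapest checks first: no crypto is done for IDs we never issued.
        if device_id not in self.provisioned:
            return False, "unknown device"
        if device_id in self.revoked:
            return False, "revoked device"
        outstanding = self.pending.get(device_id, set())
        if nonce not in outstanding:
            return False, "stale or unsolicited nonce"
        outstanding.discard(nonce)                # consume it: no replay
        expected = hmac.new(derive_device_key(self._master_key, device_id),
                            auth_message(device_id, self.service_id, nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False, "bad authentication tag"
        return True, "authenticated"


def run_scenarios() -> dict:
    """Walk a genuine device and several impostors through the handshake."""
    service = CloudService("dvr-cloud", MASTER_KEY, {"dvr-0001", "dvr-0002"})
    genuine = SecureElement("dvr-0001", derive_device_key(MASTER_KEY, "dvr-0001"))
    # A clone that copied a valid device ID but not the key inside the chip.
    counterfeit = SecureElement("dvr-0002", secrets.token_bytes(32))
    results = {}

    nonce = service.challenge("dvr-0001")
    tag = genuine.authenticate("dvr-cloud", nonce)
    results["genuine"] = service.verify("dvr-0001", nonce, tag)
    results["replay"] = service.verify("dvr-0001", nonce, tag)   # captured tag, again

    nonce = service.challenge("dvr-0001")
    wrong_service_tag = genuine.authenticate("other-cloud", nonce)
    results["cross_service"] = service.verify("dvr-0001", nonce, wrong_service_tag)

    nonce = service.challenge("dvr-0002")
    results["counterfeit"] = service.verify(
        "dvr-0002", nonce, counterfeit.authenticate("dvr-cloud", nonce))

    assert service.challenge("dvr-9999") is None  # never provisioned: no state kept
    results["unprovisioned"] = service.verify("dvr-9999", b"", b"")

    service.revoked.add("dvr-0001")               # e.g. after it joined a botnet
    assert service.challenge("dvr-0001") is None
    results["revoked"] = service.verify("dvr-0001", b"", b"")
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:14s} {'ALLOW' if ok else 'DENY '} {why}")
```

The checks are ordered cheapest first on purpose: an unknown or revoked device ID is turned away before any HMAC is computed and before any server state is allocated, which matters because the rejection path is exactly the one a flood of bogus clients will exercise. Binding the tag to the service name stops a response captured on one service from being replayed against another, and consuming each nonce stops replay on the same service. In a deployment the nonces would also expire, and per-device certificates with asymmetric keys would let the service verify devices without holding the master key at all.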