The market for connected devices has exploded in recent years, leading to billions of Internet of Things (IoT) devices being deployed around the globe. To be competitive, and to get to market quickly, many device manufacturers used off-the-shelf technologies without really considering 'security'. Ease of use, function and price were the primary considerations and we have all seen the result. This urgency to have all devices be 'connected' has created a huge opportunity for cybercriminals. There are literally billions of devices out there that can be readily compromised and subsumed into weaponized botnets.
In 2016 we all witnessed the rise of IoT botnets as tens of thousands of CCTV cameras and DVRs were compromised and used to launch massive DDoS attacks, some above 500 Gbps. Arbor has tracked the activity of many of these IoT botnets, and these large attacks are just the tip of the iceberg: more than 11,000 DDoS attacks were launched by IoT botnets between November '16 and February '17.
IoT devices have enough processing power to drive significant DDoS attack traffic, as well as decent connectivity on unmonitored networks. This has led to IoT botnets, and their weaponization, driving the scale, complexity and frequency of DDoS attacks across the internet.
So what can we as an industry do to combat the security risks of the IoT as the number of exploitable devices continues to increase?
Build Security into the Buying Decision
The best way to combat the IoT security threat is by starting to build security into the initial buying decision. The first consideration should be value versus risk. Does the refrigerator really need to be 'connected'? What value does a 'connected' device bring, compared to the additional security risk it represents? We need to appreciate that every connected device is a computer with an operating system and applications that potentially have vulnerabilities. Organizations and consumers alike must evaluate whether the cost of educating themselves about these vulnerabilities, so they can manage them, outweighs the value of having that device 'connected'.
If this first test is passed, then the built-in security of that IoT device must be the next key buying criterion. Up to now, there has been very little consideration for security when buying IoT devices, and this needs to change. Buyers must evaluate the manufacturer's track record. Have vulnerabilities previously been found in their products? If so, did they quickly push patches or fixes to their customers?
Unfortunately, device manufacturers will only be motivated to start adding better security functionality to their products as it starts to become part of the customer's buying decision. Luckily, building in better security will become easier for vendors as the technology within IoT devices matures, and some industry standards may accelerate this, such as those proposed by the Thread Group and Open Connectivity Foundation.
Protect Existing Devices
Until IoT devices become more secure, there are things that can be done to better protect them from being compromised. This includes changing the default manufacturer password, disabling default services that aren't needed, and generally exercising sensible security practices. Isolating IoT devices is also important. Many don't require access to the entire network or the internet, so it is good practice to only allow them to connect to the infrastructure they need. For example, smart lights and printers don't need open access to the internet to do their job. When purchasing new connected devices, consumers should also prioritize those that can be upgraded and are from manufacturers known for releasing patches for new vulnerabilities. And finally, identifying any unusual behavior is critical, which is why in the business environment having the ability to collect data from the network segments where IoT devices are connected is so important.
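The isolation and monitoring advice above can be checked against flow data collected from the IoT segment. The following is an added example, not part of the original article; the addresses, the per-device policy, the byte baselines and the flow tuple layout are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical policy: the only (network, port) pairs each device needs.
POLICY = {
    "10.20.0.11": [("10.20.0.2/32", 8883)],  # smart light -> local hub
    "10.20.0.12": [("10.10.0.5/32", 445)],   # printer -> scan file share
}
# Constructed per-interval outbound byte baselines for known devices.
BASELINE_BYTES = {"10.20.0.11": 50_000, "10.20.0.12": 5_000_000}

# Constructed flow records: (source, destination, destination port, bytes).
FLOWS = [
    ("10.20.0.11", "10.20.0.2", 8883, 12_000),
    ("10.20.0.11", "203.0.113.50", 80, 900_000),
    ("10.20.0.12", "10.10.0.5", 445, 2_000_000),
    ("10.20.0.99", "10.20.0.2", 8883, 1_000),
]

def allowed(src, dst, dport):
    """True if the flow matches an entry in the device's allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(port == dport and addr in ipaddress.ip_network(net)
               for net, port in POLICY.get(src, []))

def review(flows, factor=10):
    """Return findings: unknown devices, flows outside policy, volume spikes."""
    findings, totals = [], defaultdict(int)
    for src, dst, dport, nbytes in flows:
        totals[src] += nbytes
        if src not in POLICY:
            findings.append((src, "unknown-device", f"{dst}:{dport}"))
        elif not allowed(src, dst, dport):
            findings.append((src, "policy-violation", f"{dst}:{dport}"))
    for src, total in sorted(totals.items()):
        base = BASELINE_BYTES.get(src)
        # Flag devices sending far more than their usual outbound volume.
        if base is not None and total > factor * base:
            findings.append(
                (src, "volume-anomaly", f"{total} bytes vs baseline {base}"))
    return findings

if __name__ == "__main__":
    for finding in review(FLOWS):
        print(finding)
```

The same allowlist can drive the segment's firewall rules, so that a policy-violation finding means either a missing rule or a device behaving in a way it never needs to.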
Consider New ISP Services
Internet service providers (ISPs) and content delivery networks (CDNs) are also beginning to offer services designed to help protect their customers' IoT devices. These services route traffic to and from the IoT device via the providers' protection service, which allows them to intercept exploits and virtually patch vulnerabilities. It's important to understand, however, that although these services may indeed prevent a device from being compromised, they also come with their own risks. First, they introduce a single point of failure for all communications to the IoT device, and second, privacy becomes an issue as the service provider can monitor all data generated and consumed by the device.
Implement a DDoS Protection Strategy
From a business perspective we also need to address threats coming from today's IoT botnets – such as DDoS attacks. Many businesses are now reliant on internet services for day-to-day business continuity, and that reliance is increasing as we continue to adopt cloud, SaaS, mobility, etc. However, DDoS has been around for years, and is a well understood and manageable threat. Organizations can defend against DDoS attacks by using a best-practice, multilayer DDoS protection strategy. This strategy includes both on-premise and cloud or ISP-based components. On-premise solutions allow businesses to immediately detect and mitigate attacks before there is any service impact. However, on-premise solutions can't handle the increasingly common, large attacks that can saturate internet connectivity. This is where the cloud or ISP-based service steps in – to deal with the higher magnitude attacks.
The IoT is transforming our world. It is an enabling technology that offers many use-cases and benefits, and the use-cases will only broaden as technology matures. Gartner predicted there were 6.4 billion connected things worldwide in 2016, up 30 percent from 2015, and predicts 20.8 billion by 2020. Given this, we need to be smart about our smart devices as we head into the future, by acknowledging and managing the risks that come with all those great benefits.