Understanding Security And The Internet of Things
The DDoS attack that crippled such major sites as Twitter, Paypal, Netflix and Reddit last week shifted the world's attention to the so-called Internet of Things (IoT).
Security experts have discussed the IoT as a target for some time, but the coordinated assault against Dyn, one of several companies hosting the the Domain Name System (DNS), brought the dangers into clearer focus.
To better understand what we're dealing with, a deeper dive into the IoT is necessary. Here's a look at how it works, where the vulnerabilities are, and what can be done to improve the security behind the technology.
The IoT Defined
Much has been written about how the IoT works. One of the better explanations came from author Jacob Morgan in an article he wrote for Forbes.
"Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig."
To demonstrate how pervasive this technology is becoming, Morgan used a Gartner statistic estimating 26 billion connected devices by 2020.
To understand the threat, let's review what happened Friday.
First, attackers exploited security weaknesses in devices making up part of the IoT -- particularly CCTV video cameras and digital video recorders -- and infected them with malware. Security firm Flashpoint believes attackers used Mirai, the very malware used to launch a record 620 Gpbs attack on the website of noted journalist Brian Krebs last month. Flashpoint Research Director Allison Nixon told Krebs in an interview that the botnet used in Friday’s attack involved hijacked IoT devices produced by XiongMai Technologies. Infecting and hijacking the devices was made easier late last month when Mirai's creator released the source code.
Krebs wrote, "Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users."
Devices infected with Mirai were pulled into a massive botnet aimed at Dyn. By attacking Dyn and disrupting the DNS of multiple sites, the culprits were able to grind them to a halt.
The big question now is how to stop future attacks like this. Unfortunately, since many IoT devices on the market today weren’t built with security in mind, they will remain easy prey. Friday's attack is probably just the beginning.
The best thing we can do is better educate the public on how the IoT works and how the technology can be exploited. From there, pressure from consumers and security companies must be directed at the device makers.
Now that we've had an attack that clarifies the risks, security firms will step up their efforts to better defend the IoT. In the meantime, consumers need to be mindful of the technology they're using and what kinds of security, if any, exist.