We Need a Standard for IoT Security

Before we build the future, we need to make sure it’s secure.

Halloween came early this October as an army of zombified IoT bots took down major websites from Netflix to Slack to Amazon. Real life poltergeist, or a ghost in the machine? In case you haven’t heard, here’s a rundown of what happened.

On Friday, October 21st, 2016, major DNS (domain name system) provider DYN was the victim of a massive DDoS (distributed denial of service) attack that brought down dozens of major apps and websites. A DDoS attack involves malicious actors taking control of an army of compromised devices (usually computers) and using them to overwhelm target website servers with traffic, essentially shutting them down.

The number of major sites that were taken down as a result of the recent attack is staggering. Since DYN has been called the backbone of the internet, many enormously popular sites were unavailable (at least from the East Coast U.S.). Just look at the list from Wikipedia.

How did the hackers pull this off? That’s the scary part. The DDoS attacks were completed using thousands of security cameras, webcams, DVRs, and other devices that make up the IoT (internet of things). A recently released malware known as Mirai was used to hijack this army of “smart things.”

Most devices ship to market with default usernames like “admin,” passwords like “password,” and other severely-lacking security protocols. This made it easy for the attackers to seize control of millions of them. That’s a crippling influx of website traffic originating from devices as innocuous as a nanny cam.

The barrage lasted two hours across three waves of attacks until DYN was able to restore service. But even these short outages resulted in untold amounts of lost revenue for a slew of major companies.

This incident reveals two things:

  • The IoT is not currently secure
  • We need a standard for future security

As it stands, the devices we use that connect to the internet are designed, built, manufactured, assembled, and shipped from multiple companies in multiple parts of the world with different standards and practices. A webcam sitting on my desk in Tallahassee may have been built using Korean and Chinese parts, assembled in Mexico, and sold online from a vendor in Europe. This supply chain leaves a lot of room for vulnerability.
webcam_grayscale
Millions of webcams, DVRs, and other IoT devices were hijacked in one of the largest DDoS attacks in history.
 
One Chinese manufacturing company, Hangzhou Xiongmai Technology, has admitted some blame, saying that may of the products it ships have been infected with malware due to insecure practices. Mirai, the software released on an underground forum, doesn’t need to use any hardcore hacking techniques; it simply brute-forces these insecure devices using a bank of username/password combinations that has proven extremely effective.
 
Currently, there is simply no good way to figure out how many devices have been compromised, or how we can start cleaning up the mess. When it comes it IoT, there’s a chance we may be moving too fast for our own good. In other words, there are millions of devices already in use that may or may not be bots, and there is very little we can do about them.

So what can we do?

Much of the damage is already done. With so many vulnerable internet connected things out there, our best bet may just be to set standards to prevent future abuse. That means getting a lot stricter about how things connect to the internet. Failsafes need to be built into the IoT to prevent future DDoSing, but there’s no easy way to regulate that.

Solutions exist, like mandatory password changes and secure VPN use in connected devices, but it’s difficult to get every manufacturer on board with these measures. Unless the world can agree on a single open-source security measure for all devices, it might fall on governments to enforce IoT security. Then, it takes every world government to agree on a standard. The unfettered growth of the IoT has put us all in an extremely tricky situation.

Since we can’t exactly halt the sale of every potentially vulnerable device on the market, and we can’t recall all of the infected devices, we’re left with a lot to lose and not too much we can do about it. Millions of vulnerable devices are already plugged in and ready to be hacked, and thousands more are unboxed every day.

So as we dream of our IoT-powered, ultra-connected, data-everywhere future, we need to make sure that the devices connected to the internet are safe and secure. What happens when the same types of attacks target driverless cars or other safety-critical technologies? What happens when our personal information, stored by health-tech and Fitbit-style devices, is up for grabs?

It isn’t hard to imagine what types of mischief could be possible, and it’s certainly frightening to think about. This might be a situation where our best bet is to slow down and figure it out. But at the rate that IoT devices are being designed, manufactured, and sold, this will be very difficult to do.

As bad as it was, October’s attack was also a much-needed wake up call. The world of tech needs to agree on a standard for security for IoT.