From connected vehicles and vending machines to smart meters and wearables, the Internet of (connected) Things (IoT) promises to change daily life as we know it, making it easier, better and more efficient. The recent massive Distributed Denial of Service (DDoS) attack, however, disrupted some of the most popular Internet services, such as Twitter and Airbnb. Carried out using an army of IoT botnets, the attack raised alarm bells with service providers. It proved that alongside the smart and cool experiences IoT devices can deliver, there is a big security risk that cannot be overlooked.
Connected stuff is easy to hack. In many cases, such devices are affordable and available off the shelf, so a cybercriminal can readily research their vulnerabilities. Most of them lack even the minimum security needed to protect them from compromise. And since it only takes a single vulnerable device to impact popular online services by turning millions of other devices into an army of botnets that can carry out Tera DDoS attacks on vital DNS infrastructure, the potential risk to IoT service providers is significant. No wonder Kaspersky calls the IoT ‘The Internet of Threats’.
The primary culprit behind the recent DDoS attack on Dyn, one of the largest managed DNS infrastructure providers, was a surveillance camera. Its weak security settings left it open to an incursion that allowed hackers to make it part of a destructive botnet. In addition, the means to exploit the vulnerability, the Mirai malware source code, was publicly available to any hacker who wished to use it. If that was not enough, the cameras were closed systems that could not be remotely controlled or have their software upgraded to eliminate the vulnerability, as is often done for PCs. This ultimately required the Chinese manufacturer to initiate a massive and costly recall of all vulnerable cameras. A more reasonable approach would have been a network-based security solution that unifies all the security functions needed to control the devices and provides a simple, scalable way to protect the network, with room for future growth as more potentially vulnerable IoT devices are added.
The thing about IoT devices is that most of them have narrowly defined functions and use standard communication protocols, so they can be easily validated by policy enforcement and web filtering solutions. With the right solution in place, validating the device's functions at the point of network access and validating the data going to and from the device decreases the attack surface and eliminates the chances of the endpoint device becoming a vehicle driven by the attacker. Such a solution is most often also capable of blocking command and control communication in case the device still gets infected with malware. This prevents the device from being remotely controlled and/or used as a bot in a DDoS attack. By controlling IoT devices this way, service providers can better protect their network.
Once a DDoS attack has been carried out, service providers need a solution to mitigate its impact. Another recent DDoS attack, witnessed two months ago on KrebsOnSecurity.com, reached 640 Gigs, which clearly shows that any such security solution has to scale to high capacity and sustain the protection over time. Although there are more than a few solutions out there that can mitigate DDoS attacks, how they do it also matters. A lot of DDoS attacks are ‘zero day’ attacks characterized by new traffic patterns that have never been seen before, requiring analytics-based solutions that can detect traffic outliers in real time and allow the attack to be blocked. However, mitigating a DNS flood like the one witnessed last week on Dyn by blocking an entire IP subnet will most likely jeopardize the service for a large number of legitimate users trying to access the online service. An ideal solution should be capable of managing the traffic during a DDoS attack in a way that selectively slows down the attack while still allowing legitimate users to access the service and maintain their Quality of Experience (QoE).
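The trade-off described above, as an added example that is not from the original article: a small simulation comparing a whole-subnet block with per-source rate limiting on a DNS query stream. The addresses, query rates and limits are constructed for illustration, and the per-source approach assumes source addresses are not spoofed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: two flooding bots and three legitimate clients share one /24
# (addresses from the 198.51.100.0/24 documentation range).
BOTS = {"198.51.100.10", "198.51.100.77"}
LEGIT = {"198.51.100.20", "198.51.100.21", "198.51.100.22"}

def build_traffic(seconds=5):
    """Return sorted (timestamp_ms, source_ip) DNS queries: bots 100/s, clients 2/s."""
    events = []
    for s in range(seconds):
        for bot in BOTS:
            events += [(s * 1000 + i * 10, bot) for i in range(100)]
        for client in LEGIT:
            events += [(s * 1000 + i * 500, client) for i in range(2)]
    return sorted(events)

def block_subnet(events, offender, prefix=24):
    """Coarse mitigation: drop every query from the offender's whole subnet."""
    net = ipaddress.ip_network(f"{offender}/{prefix}", strict=False)
    return [(t, ip) for t, ip in events if ipaddress.ip_address(ip) not in net]

def per_source_token_bucket(events, rate=5, burst=5):
    """Selective mitigation: each source may burst `burst` queries, then `rate`/s.
    Tokens are kept in integer milli-tokens so the result is exact."""
    tokens = defaultdict(lambda: burst * 1000)
    last_seen = {}
    passed = []
    for t, ip in events:
        elapsed_ms = t - last_seen.get(ip, t)
        last_seen[ip] = t
        tokens[ip] = min(burst * 1000, tokens[ip] + elapsed_ms * rate)
        if tokens[ip] >= 1000:          # one whole token buys one query
            tokens[ip] -= 1000
            passed.append((t, ip))
    return passed

def summarize(passed):
    """Return (legitimate queries served, attack queries let through)."""
    legit = sum(1 for _, ip in passed if ip in LEGIT)
    attack = sum(1 for _, ip in passed if ip in BOTS)
    return legit, attack

if __name__ == "__main__":
    traffic = build_traffic()
    print("no mitigation   ", summarize(traffic))
    print("block whole /24 ", summarize(block_subnet(traffic, "198.51.100.10")))
    print("per-source limit", summarize(per_source_token_bucket(traffic)))
```

On this constructed traffic the subnet block stops the flood but also drops every legitimate query, while the per-source limit serves all legitimate queries and cuts the attack volume to a small fraction.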
So while the security risk of the IoT is of concern, it provides a great opportunity for service providers to increase their revenue and build their secure brand, while protecting their networks. All they need to do is take the driver’s seat with the right security solution in place and steer the IoT transformation.