And so it begins. Last week we experienced the first security attack publicly and widely attribute to the Internet of Things (IoT). This day has been a long time in coming. It’s really far from the first IoT security breech mind you, but this is the first one that affected a wide group of people and received major press as an Internet of Things attack. Fortunately, this attack didn’t do a lot of ‘damage’. Nobody was hurt, though many were inconvenienced when the likes of Twitter, Facebook, etc. were unavailable. People didn’t lose credit card numbers, probably our number one security concern. The problem with this specific attack was not the attack itself, but what it portends for the future of IoT and security.
Security camera installation together with an infrared illuminator. (Source: Ervins Strauhmanis via Flickr)
Let’s quickly review what we know. The attack was launched on Dyn, an internet infrastructure company that provides services to some of the internet’s top sites, including Twitter, Amazon.com, Spotify and Netflix. Experts believe that this was caused, in part, by the Mirai bot, which scours the Web for IoT devices protected by factory-default usernames and passwords and then uses the devices to attack specific online targets. It is believed that this attack was accomplished with hacked IoT devices, such as CCTV video cameras and digital video recorders. Big contributors to the success of this attack were people using default admin credentials (i.e., never changed the defaults) as well as out of date firmware. Both of these issues are quite common with our home devices. With IoT getting a lot of visibility these days, obviously these types of attacks don’t inspire confidence in our ability to secure everything that connects to the internet.
For most of us, this attack was an inconvenience. For the vendors, it was painful and expensive. The bigger issue however, is that this is just the beginning. IoT is in its infancy, both in the consumer space as well as in industrial applications. Philosophically, IoT brings us to a point where everything is connected. Unless everything is secured, there are going to be breaches—ones that make this attack look elementary. As we move to a more connected world, especially in the industrial sectors, our greatest fears could be realized. One day we won’t be concerned with missing credit cards or DDoS attacks, because someone or some entity will access a valve in a gas production facility and open a gas valve up to the world. Someone or some entity will take over or turn something critical off in an airplane or commuter train. Those of us that work in the Internet of Things space talk about security every day. I fear that if we don’t shift the talk to action and develop real controls now, our lack of focus on end-to-end security in IoT installations could lead to utter disaster.
So what do we do? My recommendations are simple, though not easy.
First, designers and manufacturers must incorporate security concerns during the initial design phase–even start-ups that might be short on money. Investors need to ask their IoT portfolio companies, Are your devices both electronically secure and tamper resistant? Is your software locked down? Is your firmware securely updateable? And companies need to be able to reassure individual purchasers of their IoT devices that the products are ‘secure’.
Second, those implementing these secure devices need to make sure their networking and communications channels are secure themselves. Specifically, their network and connectivity points have to be protected from points North and South, as well as points East and West. Anything that is connected must be secured before being brought onto the network.
Third, we need to make sure that the responsibility of security is everyone’s. It’s everyone’s job in the entire IoT chain to be responsible for their point of connection and beyond. Device manufacturers, Fog computing and datacenter solutions—and all the connectivity points in between—must be secured individually, and as an entire system.
These are just a few tips from a very long list of real technological issues. I believe the world of IoT offers incredible opportunities for human advancement. It also has a dark shadow side. We can do amazing things with connected devices that will change the world, but connecting all these devices also lays us open to a myriad of potential dangers. We must take these dangers seriously, and even more so, we must take our responsibility to ensure IoT security seriously.