By now, most of us have heard about the historic cyber-attack that took place on October 21st, 2016. In a nutshell, hackers used a botnet to execute a massive Distributed Denial of Service (DDoS) attack against a technology company, Dyn, that provides a key part of the internet infrastructure. If you are interested in more detailed information about the recent DDoS attacks, the best source I have found is at KrebsOnSecurity. They are experts in the field, and their website was the target of an identical DDoS attack just days previously.

So what’s the big deal, you may ask? DDoS attacks have been happening for years.

This attack is different because the devices that were targeted by the malware and conscripted onto the attacking botnet were not traditional Personal Computers (PCs); they were IoT devices, specifically CCTV cameras and digital video recorders (DVRs). There are three major reasons why this is significant, and in fact pretty darn scary.

  1.  The Scale of the IoT will Vastly Outnumber any Technology Trend the World has ever Experienced

Gartner projects that by 2020, in addition to 7.3 billion mobile devices (smartphones and tablets), there will be over 26 billion IoT endpoints connected to the internet. This will expand the potential attack surface for botnets by an order of magnitude. Dyn has reported that the October 21st attack involved millions of discrete IP addresses associated with a Mirai botnet. If an IoT botnet can inflict this kind of damage on Dyn, a rock-solid internet infrastructure company, imagine what kind of damage tens of millions of devices can wreak against less well-prepared targets.

  2. IoT Devices Are Really Not That Smart When It Comes to Security

The second issue is IoT device security. The reason hackers are not targeting PCs anymore is that it is much easier to attack IoT devices. Malware, such as the Mirai virus, quickly scans the IPv4 address space for devices protected by default username/password combinations (e.g. admin/admin) and forces its way in. Once inside, the virus takes over the device, and the search cycle starts all over again. Eventually, the DDoS attack kicks off, triggered by some event or pre-programmed date, and potentially millions of botnet nodes bombard a target with terabits of data per second.
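A defender's view of the scan-and-login cycle described above, as an added example that is not part of the original article: it flags any source that attempts logins on several distinct devices within a short window and lists the devices that accepted the login, which are the ones to isolate and re-credential. The log format, device names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: login events collected centrally from IoT devices.
# The field layout (time, device, src, user, result) is an assumption.
SAMPLE_LOG = """\
2016-10-21T11:10:01 device=cam-01 src=203.0.113.7 user=admin result=fail
2016-10-21T11:10:02 device=cam-02 src=203.0.113.7 user=admin result=ok
2016-10-21T11:10:03 device=dvr-01 src=203.0.113.7 user=admin result=fail
2016-10-21T11:10:04 device=dvr-02 src=203.0.113.7 user=admin result=ok
2016-10-21T11:12:00 device=cam-01 src=198.51.100.20 user=operator result=ok
2016-10-21T14:30:00 device=cam-01 src=198.51.100.20 user=operator result=fail
2016-10-21T14:30:09 device=cam-01 src=198.51.100.20 user=operator result=ok
"""

def parse(log):
    """Yield (timestamp, fields) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        yield datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)

def find_sweeps(log, min_devices=3, window_seconds=60):
    """Return {source: devices that accepted its login} for each source that
    tried logins on at least min_devices distinct devices inside one window."""
    attempts = defaultdict(list)  # src -> [(time, device, result)]
    for ts, f in parse(log):
        attempts[f["src"]].append((ts, f["device"], f["result"]))
    report = {}
    for src, events in attempts.items():
        events.sort()
        start, sweeping = 0, False
        for end in range(len(events)):
            # Slide the left edge until the window spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({dev for _, dev, _ in events[start:end + 1]}) >= min_devices:
                sweeping = True
                break
        if sweeping:
            report[src] = sorted({d for _, d, r in events if r == "ok"})
    return report

if __name__ == "__main__":
    for src, owned in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: login sweep; accepted on {owned or 'no devices'}")
```

The operator who fails once and then logs in to a single camera is not flagged; only the source that walks across four devices in four seconds is.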

The question of what to do about potentially hundreds of millions of unsecured IoT devices is a difficult one. There are a few options being put forth:

  • The first option, government regulation, is a non-starter. Standards are not yet defined, and technology is changing too fast. Manufacturers building IoT devices or smart “things” are in different jurisdictions around the world, and their products are entering the marketplace too quickly for government regulations to work.  
  • Another option, relying on market forces to take care of the problem, puts the onus directly on the home and business consumer. But are consumers smart enough to avoid unsecured IoT devices? And if they are, do they care enough to spend extra for security, or are they more motivated by a lower price? Enterprises evaluating IoT devices need to insist on security and manageability from their vendor. When they are ready to integrate IoT devices into their business, they must deploy device management to thoroughly control them and lock them down.
  • The last possible remedy is to depend on the device manufacturer to address the issues of their unsecured devices. This may involve a recall of affected products and refunds back to customers. More importantly, these companies will need to adopt a fundamental philosophy change — they need to design security into their IoT devices from the beginning, not try and patch it on after a security breach. Even so, criminals will continue to seek, find and exploit any vulnerabilities in their devices. The manufacturer needs to identify these problems, fix them and then force an update to the affected products quickly and ruthlessly.

  3. Managing the IoT Device Lifecycle

This leads us to the final issue that makes widespread IoT device hacks so scary — device lifecycle management. Even when an OEM is fully committed to endpoint security and aggressively patches their compromised devices, how long are they required to do it? Unfortunately, the answer is forever. They must maintain security on the device as long as there are units deployed in the field. If they don’t keep supporting it, the devices will become ‘zombies’ — unsupported, unsecure devices that will be hackable, exploitable and remain a security risk forever.

SOTI slays these zombie ‘things’ — We deliver a full lifecycle device management solution for IoT devices. For example, SOTI has large IoT OEM customers where we provide device discovery and enrollment, over-the-air configuration, firmware upgrades and device analytics. These are ‘must-have’ features for all connected IoT devices. IoT manufacturers need to be astute and forward thinking and must adopt full-lifecycle IoT management and security for all of their hardware. Enterprise IT that is considering large IoT device purchases needs to insist on security and manageability. Until full lifecycle device security is a top concern for all IoT OEMs, things are going to get worse, not better. Team up with SOTI, slay zombie ‘things’ and help make the internet a safer place.