Rise of the IoT machines
The recent distributed denial-of-service attack on domain name service provider Dyn may have seemed like the end of the world for millions of Netflix, Twitter and Spotify users, but security professionals say the service disruption was merely a nuisance attack — although an eye-opening one — compared to the potential damage that can be unleashed by billions of unsecured IoT devices.
“It’s really just the tip of the iceberg,” says Nicholas Evans, vice president and general manager within the Office of the CTO at Unisys, where he leads its worldwide applied innovation program. “You can grade the threat intensity as the IoT devices become more autonomous, like self-driving cars, or more controllable, like some of factory-type devices that actually manipulate the physical environment. That’s where the real threat is.”
Some 20.8 billion things could be connected to the Internet by 2020, according to research firm Gartner. That is about 5.5 million devices added every day, fuelled by more affordable and ubiquitous sensors, processing power and bandwidth. Also by 2020, more than half of major new business processes and systems will incorporate some element of the IoT, according to Gartner.
The Dyn attack brought glaring attention to the potential danger of having billions of devices connected to the internet with little or no cybersecurity protections. The DDoS attack used malware called Mirai to infect tens of millions of internet-connected devices found in businesses and homes to disrupt service at many popular sites.
Gigamon security consultant Justin Harvey blames the device manufacturers for the Dyn DDoS attack, but he also acknowledges that most ISPs could do a better job with security.
“I’m critical of the IoT vendors who are rushing their products out there, because there is an IoT gold rush,” Harvey says. Cheap IoT devices have become even easier to produce as hardware manufacturers develop inexpensive devices that run Linux and can perform many home monitoring functions such as controlling a thermostat. Those vendors “are focused more on rushing to market and not with security. [As a result] they’re shipping an insecure product with absolutely no oversight or consequences if and when it goes bad. Their view is that it’s up to the customer to secure those machines or change passwords.”
Indeed, one of the main problems compounding the situation is that security is often an afterthought, usually bolted onto solutions once issues arise, Evans says. IT security experts and IT managers have been calling for security to be built into device designs for decades, just as they did for a long line of earlier technology innovations, from the Web to mobility and cloud computing, and now IoT.
Some security pros believe that Congress should get involved to develop regulations and oversight over device manufacturing. “If something happens, and your device is being used by a nation state, whether part of a million devices or just one, are you liable? Is your ISP liable? Your manufacturer? Congress needs to put out regulations and guidelines for these manufacturers,” Harvey says.
On the ISP side, Harvey takes issue with today’s DNS architecture. “I don’t understand why ISPs and other organisations that provide internet access are not putting in a more geographically diverse DNS system,” he says, adding that he is not familiar with Dyn’s specific architecture. “DNS by nature is supposed to be fault tolerant” with two IP addresses assigned to a single device, for instance, but oftentimes both IP addresses are reconciled to the same data centre, he says. With today’s DDoS threats, “Why do we have an architecture where you can target one ISP and take down half of the internet for the US?”
For enterprises using IoT solutions, the security puzzle is complex. Any one IoT solution that an enterprise plugs in could involve 10 or more partners in the ecosystem, including the application layer, devices, gateways, communication and analytics pieces, Evans says. “Any weak link in the chain is where the cybercriminals can get in” and manipulate devices, he adds.