October 30, 2016 Comments Off on Why the recent Internet of Things (IoT) attack is just the beginning
A few days ago we witnessed a new type of distributed denial of service (DDoS) incident. Unlike previous botnet attacks that enlisted compromised computers, this one corralled assorted unprotected devices like Internet-ready webcams, DVRs, and baby monitors to flood Domain Name System (DNS) servers, and thereby seriously degrade the Internet for hours. I’ll leave the explanation of the mechanics of this incident to more qualified commentators, but I do want to weigh in on why I think these types of events are very hard to combat and why I’m very skeptical about the hype around the Internet of Things (IoT).
We all (well, many of us) know how important it is to keep our computers and software patched and up-to-date; most people also get why firewalls are essential. But consider these facts about IoT devices:
- They’re being created for just about every industry. This diversity means that it’s much harder for the entire universe of vendors to agree on common security standards: defining safeguards for a heart pump is a little different than for a Web-ready washing machine. I’ve served on my share of standards committees: to say that they move slowly is an understatement!
- They have really short development cycles. IoT is shaping up to be a brutally competitive landscape. The winners will be those vendors that deliver solutions to market quickly. Designing and building strong security safeguards takes time, and time is money. The end result is that device protection takes a back seat to market pressures.
- There’s limited space for security software. Margins are very thin on hardware devices: security-focused onboard storage space adds costs that aren’t directly related to functionality.
- They frequently rely on APIs for communication. I’ve blogged about API security in the past. Suffice it to say that it’s a rare API that’s locked down properly.
- New models are always coming on the market. Here’s the really scary part: even if vendors do start getting their security act together, it will be years before today’s highly insecure devices get retired. Meanwhile, they’ll be standing by for their next set of DDoS orders.