On Friday, a huge DDoS attack against Dyn DNS servers led to the majority of internet users in the U.S. east coast being shut off from major websites such as Twitter, Amazon, Spotify, Netflix and PayPal.
The culprit behind the attack was a huge botnet. Botnets are armies of zombie computers, vulnerable devices secretly compromised by hackers, which are silently doing the bidding of their masters, the botlords, without their true owners knowing about it.
While botnets and DDoS attacks are nothing new and have been around for a while, the advent and propagation of IoT devices has led to their chaotic growth. There are now millions of vulnerable IoT devices that are easier to access and even easier to hack than, say, computers and tablets that are packed with anti-virus software. That’s why IoT botnets are fast becoming a favorite for bot herders and a real threat for the cybersecurity industry. Put in another way, they are democratizing censorship by enabling any hacker with minimal resources to launch government-level DDoS attacks and bring down sites they don’t like.
This is sad news for the IoT industry. It is now evident more than ever that the IoT industry is in a mess, and it’s going to take more than individual efforts to fix it.
The problem, as I see it, is that all the parties that are directly—or indirectly—involved are either ignorant about security issues or have other priorities.
For their part, manufacturers are too focused on shipping feature-complete devices rather than creating secure and reliable products. After all, the IoT industry is in its gold rush era, and everyone is in a hurry to climb the bandwagon and grab a larger piece of the pie.
And that’s how security concerns take a backseat row in IoT development while timing and costs become prominent.
But why are the manufacturers getting away with their incompetence at securing IoT devices? Because others—namely consumers—couldn’t care less. As the manufacturers will tell you, customers don’t buy security, they buy functionality. They want something that works in an install-and-forget model and don’t want to be pestered with security procedures and practices such as password resets and software updates—and costs for things they can’t directly see with their eyes.
As for governments, they’re concerned about the security of IoT, but they’re not doing enough to regulate it and compel companies to vet their products for security and resilience against attack. The only novel and honest efforts we’ve seen so far include initiatives such as the IoT Security Foundation, but there’s only so much a single organization can do when it’s dealing with billions of potentially vulnerable devices and deaf ears that won’t listen to the voice of reason.
And here we are, almost on the brink of IoT devices outnumbering humans, and already devices of our own making are being used to deny us access to our most vital services and needs.
Friday’s spate of IoT-powered DDoS attacks should serve as a wake-up call, not only for IoT manufacturers, adopters and consumers, but for everyone. Many of the people who were affected by the attacks didn’t even know what IoT is.
So whether you care about IoT or not, it’s in your interest to see it secured.
And as much as I love IoT, I’m sad to see the industry destroying itself.
So what’s the solution? I like the thoughts shared by Bruce Schneier in this Vice Motherboard article, and I’d like to build on those to raise the following points, very concisely:
- Manufacturers should make security an inherent part of their development cycle. Security shouldn’t come as an afterthought but as an integral part of building any IoT or other connected device. And I’ve said this a million times.
- Consumers should take their own security more seriously. Our lives are becoming more connected than before. Internet services and resources are more vital to our daily tasks than any other time in history. So we should be more vigilant about the integrity of the devices that are being connected to the internet and hold their manufacturers to account for the security shortcomings. (Security developer Edward Robles has shared some interesting thoughts on how we should change our mindsets toward security in this guest post.)
- Governments must play a more active role in regulating and controlling IoT security. Standards must be set to make sure every single device that is shipped to the market and connected to the internet complies with a set of security standards and punish organizations that do not abide by the rules.
Of course, no single government can control the security of all the devices being connected to the internet. I’m thinking about a solution based on blockchain technology that will create a global answer to vetting IoT devices for security. I’ll write about it in the future.
What’s urgent is to have a concerted and unified effort to fix the messy state of IoT security. Today, we’re dealing with DDoS attack. Tomorrow, it could be something worse.
There’s no putting the genie back in the bottle. For better or for worse, IoT will transform our future. Let’s work together to make sure it’s going to be the former and not the latter.
How do you think we should deal with IoT security problems? Share in the comments section.