A DDoS (distributed denial-of-service) attack on Domain Name System (DNS) provider Dyn last week brought Internet of Things cybersecurity under intense scrutiny.
Launched last Friday, the DDoS attack targeted Dyn's DNS servers — the pathway by which Internet domain names travel as IP addresses to specific websites. A disruption in a website's DNS means browsers and other web-enabled systems will be unable to locate the server that hosts a website's content. Dyn isn't a household name, but it is one of the largest DNS providers in the world, playing host to Amazon, Netflix, Twitter, and many other popular sites. A disruption to its servers meant their cache of sites were down all at the same time for a significant portion of their US and European clients.
What does this have to do with IoT? The attack on Dyn is now credited to the New World Hackers, a group that has claimed on Twitter that Friday's DDoS attack was a dry run for an attack on Russia's Kremlin. Infecting an organised network of connected devices with a malware software called Mirai that is designed to seek out unprotected/low-protected IoT devices, the hackers used a large botnet to throw more than a 1 trillion bits of data per second at Dyn's servers, effectively choking the system. These IoT devices included smart appliances such as refrigerators, dishwashers, toasters, as well as home security systems, automated thermostats and security cameras — many of which continued to operate as normal, giving not a hint of their "zombie" status.
The DDoS attack by way of IOT devices doesn't entirely come as a surprise (
the US Department of Justice last month announced that it is joining other government agencies in assessing IoT technology for possible security risks), but the scale of the attack and its target were a bit of a shock.
"This sort of attack is deeply different than the headline-grabbing DDoS attacks of years past," wrote
William Turton of Gizmodo. "In 2011, hacker collective Anonymous rose to fame with DDoS attacks that pale in comparison to today’s attack on Dyn. Instead of taking out an individual website for short periods of time, hackers were able to take down a major piece of the internet backbone for an entire morning — not once but twice. That’s huge."
Friday's DDoS attack has started a much needed conversation about what exactly should be turned into an IoT device (do we really need internet-connected baby bottles?) and has once again brought into sharp relief the lack of robust security built into these products as well as the networks they sit on. As exciting as this near-futuristic evolution of connectivity has been, its time to take stock of not only where exactly we are heading with this technology, but also how we can stay safe both physically and in cyberspace.
To quell some of the doubts about what is considered the new frontier for both residential and commercial systems integration, CEDIA's Technology Council
yesterday issued a set of guidelines for all levels of IoT usage, including consumer, manufacturer, and integrator approaches to enjoying IoT's rapid development while staying protected. In a blog post, the association offered these three considerations:
â—™ For manufacturers, the challenge is to build product that does not sacrifice security for convenience. The ability to allow installation professionals to enter secure passwords, close unnecessary ports and, most critically, enable IP connected devices to be securely updated when their software has been compromised is essential.
â—™ For consumers, there are inherent vulnerabilities to having devices always connected to the internet. Hiring a professional to design, install, and maintain all products being used in a connected environment is a step in the right direction to helping secure both the internet and the building the products are being used in. Consumers should review the credentials of anyone installing internet connected devices in their building: This individual should hold professional certification(s) that prove their baseline knowledge.
â—™ For technology professionals, it is critical to work with IoT/network device suppliers that take security seriously, and vet them to ensure they are implementing strong security practices. Technology professionals should educate clients on the risks/rewards of network-enabled devices.
"The internet of things is truly in the nascent stages of development, and so some will argue that these security issues are just growing pains and manufacturers and consumers will soon catch up," CEDIA wrote. "While it is true that we are at the beginning of the internet of things and the fourth industrial revolution, failing to address these issues now will stymie both adoption rates and innovation. This attack is a clear wake-up call. The time is now to take internet and device security seriously and face it head on for a more prosperous and secure future."
Llanor Alleyne is Editor of HiddenWires.