Mirai highlights need for greater work on IoT security
On 20 September 2016, a form of malware named ‘Mirai’ was used to launch a massive distributed denial of service (DDoS) attack on the specialist security website KrebsOnSecurity. A month later, on 21 October, large amounts of traffic were directed at Dyn, a key Domain Name System (DNS) provider in North America that manages web addresses and traffic for companies such as Spotify, Netflix and Twitter. This caused outages for many sites. At least part of the botnet used to attack the Dyn facility was a network of Mirai-infected devices. In the Krebs attack, the devices were sending around 620 Gbps of traffic to the website, while the Dyn attack topped out at over 1 Tbps. These are the two largest DDoS events seen to date.
The Krebs and Dyn attacks were important for two reasons: the amount of traffic directed and the devices used to direct it. Mirai scans the internet for connected devices that still accept factory-default or otherwise trivial usernames and passwords. Such devices were compromised and then used as a botnet (a network of interconnected, infected devices) to direct large amounts of traffic at the target sites. In early October, the source code for Mirai was released online, revealing which kinds of devices the malware had used to launch the Krebs attack; these included CCTV cameras, printers and TV receivers. Other DDoS attacks have used smaller networks of servers and/or routers to attack a target, as in the most recent attack on Deutsche Telekom’s broadband network, which used a modified version of the Mirai code. However, using a much larger and wider set of unrelated connected devices amplifies the volume of traffic that can be directed, potentially enough to affect a much larger service.
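The scanning behaviour described above leaves a recognisable trace on any device or gateway that logs remote login attempts: a burst of failed logins against a handful of factory-default usernames, arriving from many unrelated source addresses within seconds, sometimes followed by a success. The following is an added example of detection logic run over such logs; it is not code from the article or from any vendor, and the single-line log format, the set of default usernames and the sample addresses are all constructed assumptions for illustration.

```python
"""Flag Mirai-style default-credential scanning in device login logs.

Added example, not part of the original article. The log format
(timestamp, source IP, protocol, 'login', user=..., result=...) is a
constructed assumption, as are the usernames and addresses below.
"""
from datetime import datetime, timedelta

# Constructed sample: a short campaign probing two factory accounts from
# several source addresses, one of which succeeds; a normal SSH login follows.
SAMPLE_LOG = """\
2016-09-20T10:00:01 198.51.100.7 telnet login user=root result=FAIL
2016-09-20T10:00:02 198.51.100.7 telnet login user=admin result=FAIL
2016-09-20T10:00:03 203.0.113.4 telnet login user=root result=FAIL
2016-09-20T10:00:04 203.0.113.9 telnet login user=admin result=FAIL
2016-09-20T10:00:05 192.0.2.33 telnet login user=root result=FAIL
2016-09-20T10:00:06 192.0.2.33 telnet login user=root result=OK
2016-09-20T10:30:00 10.0.0.5 ssh login user=alice result=OK
"""

# Account names typically shipped as factory defaults (assumed list).
DEFAULT_USERNAMES = {"root", "admin"}


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, src, proto, _login, user_kv, result_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "proto": proto,
        "user": user_kv.split("=", 1)[1],
        "ok": result_kv.split("=", 1)[1] == "OK",
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_scan_burst(events, window=timedelta(seconds=60), min_sources=3):
    """Return the sorted set of source IPs in the first window where at
    least `min_sources` distinct addresses tried a default username, or
    None if no such burst exists. Many unrelated sources hammering the
    same factory accounts is the scanning signature, not one noisy host."""
    attempts = [e for e in events if e["user"] in DEFAULT_USERNAMES]
    for i, start in enumerate(attempts):
        sources = {e["src"] for e in attempts[i:]
                   if e["ts"] - start["ts"] <= window}
        if len(sources) >= min_sources:
            return sorted(sources)
    return None


def find_default_logins(events):
    """Successful logins to a default account over a remote protocol are a
    likely sign the device has just been taken; report (src, user) pairs."""
    return [(e["src"], e["user"]) for e in events
            if e["ok"] and e["user"] in DEFAULT_USERNAMES]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scan burst from:", find_scan_burst(evs))
    print("default-account logins:", find_default_logins(evs))
```

The two checks are deliberately separate: the burst check fires on the scanning campaign itself, which is worth knowing about even when every attempt fails, while the successful-default-login check is the higher-priority alert because it marks a device that should be taken off the network and re-credentialed. The thresholds are starting points to tune against real traffic.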
Standard consumer devices such as computers and mobile phones come with at least some basic level of security as standard, making them more difficult to infect with simple code such as Mirai. The ‘Internet of Things’ has changed that. In the development of stand-alone connected devices, cost, usability and ease of set-up have often been prioritized over the integrity of the device. Equally, with networked devices such as sensors in Industrial IoT environments, both end-point and network security have been neglected, as siloed product development by vendors has made integrating security more complex.
Some vendors have concentrated on forming bilateral OEM partnerships to develop products or help fill gaps in their IoT portfolios. Splunk is an example of a common partner for hardware manufacturers, providing analytics platforms for IoT solution packages. Some multilateral groups have formed, such as the Industrial Internet Consortium (IIC), a loose association of private companies (including GE, IBM and Huawei), and Industrie 4.0, conceived and sponsored by the public sector in Germany. These groups focus on bringing vendors and developers together to propose best practices and open-standard protocols in key IoT technologies such as wireless connectivity, network management and communication platforms.
However, a desire to maintain intellectual property is still stifling advances in security. Cisco, potentially one of the key members of the Consortium, has decided to take a step back from its work there, believing instead that it is in a stronger position to capture revenue with its own IP than sharing its knowledge with others to strengthen the conversation around security. And there is a much larger problem in the consumer space.
The proliferation of cheap, white-label, stand-alone connected devices, such as those used in the Krebs and Dyn attacks, has set security back, exposing basic flaws such as standard root or admin usernames and passwords embedded in a device’s firmware. With such credentials fixed at the factory, there is no way of preventing even simple forms of malware from exploiting a device’s connectivity. Krebs and Dyn are just a snapshot of what is currently possible for hackers. In response, the European Council has proposed regulatory measures, which may benefit channel partners and end-customers alike, but much of the responsibility lies with manufacturers. They must take security more seriously, as there is only so much governments or security specialist channel partners can do in this area.
On 8 October, the European Commission announced it was looking at different forms of regulation for connected devices, which could take the form of a certification standard for all future devices sold in the European Union. It is not clear whether this would result in a ban on devices of a lower security standard or if it would involve a simpler labelling system. While it is important that regulators and legislators take a greater interest in the growth of the security threat landscape (particularly where consumer and commercial devices may become a threat to national security), public bodies can be slow to act. Equally, some leaders may not see IoT security as a priority when they are battling populism and disillusionment with the EU among their own people.
For channel partners, specialized security knowledge may now become a greater selling point for IoT, especially if these partners are building relationships with vendors that are investing in developing devices with much stronger security. If the strength and size of attacks continue to grow, they will draw further attention through headlines, just as security became a greater concern for end-customers following high-profile hacks such as the TalkTalk and LinkedIn breaches and the announcement of the EU GDPR.
End-users’ lack of knowledge of security and risk is a consistent threat. Consequently, end-user education is a mantra for security vendors, whether for devices aimed at commercial or consumer use. However, in the channel, professional services such as consulting on security behaviour have not been in high enough demand to properly manage the growth of data breaches and hacks. It may be that only the threat of personal loss or legal sanctions can drive greater security awareness. Action must be taken by all players in the supply chain if the growth of IoT is not to be significantly hindered by the security challenge.