A cascading string of distributed denial-of-service (DDoS) attacks — which took down parts of hundreds of sites including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times — has highlighted new vulnerabilities and the lack of security in the rapidly growing internet of things industry. These attacks have demonstrated record-breaking volumes that are overwhelming website defenses, and industry sources say this growth over the last year is being driven by hundreds of thousands of internet-connected devices hackers are adding to their botnets.
With 21 billion devices expected to be connected to the internet by 2020, there is a critical need to ramp up the security of “things.” To do this, we need to embed security into IoT devices and ensure that security requirements are included in the design of IoT ecosystems.
The vulnerability exploited in these DDoS attacks is just one of the many potential threats prompting this recommendation. To move IoT security forward, the industry needs to look at how communications with IoT devices are authenticated, how access is controlled, how data is protected, how IoT devices are managed during their lifecycle and how the IoT device may impact other systems.
While there is no silver bullet and effective security must have many levels, for those systems that impact life safety or the functioning of critical infrastructure, the addition of embedded security, which can be implemented using secure chip technology, is a necessity. This is the same technology currently being used in GSM mobile devices, payment chip cards, secure identity tokens and e-passports. Applying these techniques can deliver crucial security mechanisms for authenticating and authorizing access to the billions of connected IoT devices, and for protecting the data being generated by or delivered to them.
Every IoT device serves as a potential entry point to a broader IoT ecosystem. These devices can become part of wider botnets, where many different devices — all connected to each other, all network-enabled — can bombard targets with crippling volumes of data, making it harder to detect and respond to DDoS attacks. If successful, these types of attacks can negatively impact businesses through unnecessary service disruption causing consumer frustration, loss of business productivity and profit, and exposed security vulnerabilities.
Embedded security can establish the identity of each device, ensure that access to the device is only allowed to authenticated and authorized entities, and protect the data being generated or delivered to the device. These are fundamental requirements to prevent unauthorized tampering with how these devices are designed to work, and to protect the privacy and security of the vast amount of data the devices generate.
Noted security researcher and author Brian Krebs recently put out a call to action, asking industry associations to start addressing IoT security issues. His own popular cybersecurity website, KrebsOnSecurity.com, was an early victim of the recent spate of record DDoS attacks.
The Smart Card Alliance recently formed its Internet of Things Security Council, which addresses this initiative and provides a single forum where all industry stakeholders can discuss applications and security approaches, develop best practices and advocate for the use of standards for IoT security implementations. The council welcomes organizations involved in the many IoT ecosystems to participate in these efforts, as well as to network and share implementation experiences. More information about the council is available here.