A series of cyberattacks that made headlines last month for both their massive size and fast execution were both stunning and completely predictable.
In a new spin on a classic distributed denial of service (DDoS) attack, the attackers used “an army of hijacked security cameras and video recorders” to flood their targets with so much network traffic that it knocked them offline. As many as a million security cameras, video recorders and other infected devices were used in the assault, according to the Wall Street Journal, which also noted the attacks were “prompting fresh concern about the vulnerability of millions of ‘smart’ devices in homes and businesses connected to the Internet.” This concern is well founded.
As the Internet of Things (IoT) expands (Gartner says there will be more than 20 billion connected devices by 2020), so do the number of devices that can conceivably be “weaponized” by hackers. The sheer scale of the September attacks caught even seasoned experts off guard, but few were shocked that hackers used the increasing ubiquity of connected devices to amplify their attacks. And these attacks were just a harbinger of what’s to come. That’s not being alarmist, that’s just the reality of our increasingly connected world. But that doesn’t mean we need to passively accept these kinds of assaults as a price for the myriad new capabilities and insights the IoT offers. We just have to make sure security gets “baked in” before the IoT gets much larger than it already is. And Equinix and our ability to deliver CIA (not that CIA) can also help make the IoT more secure. More on that later.
Last month’s cyberattack was one of the largest to date, according to the content delivery network Akamai. And Akamai should know, since it was in charge of defending investigative journalist Brian Krebs’ site, Krebs on Security, which was a target of one these DDoS assaults. Engineers at Akamai told Krebs that the assault was distinct from another massive attack this year because it was launched by a botnet of hacked devices. The other attack is thought to have been generated by a botnet of compromised systems. (A botnet is a “robot network” of private computers, and increasingly IoT devices, infected with malicious software and surreptitiously controlled by hackers).
The prospect of our devices turning on us isn’t new in the movies (remember Skynet?), but that doesn’t mean it’s welcome in reality. With the aid of anti-malware software and automated security updates, we already invest a lot of time protecting our phones, laptops and other computing devices from malicious software. However, the thought of fortifying everything from refrigerators to heart pacemakers is a bit foreign. But the recent attack demonstrates the reality that our connected devices can be used against us en masse, an unsettling prospect just when everything from our most mundane to our most indispensable possessions are hooking up to the Internet. So what can we do?
Security Must be the Top Priority in IoT Product Development
In the aftermath of September’s attack, maybe it seems like a no-brainer to say that the IoT industry should put security first in the design of every IoT-enabled device. But so far, that’s not happening. Think of the range of things getting connected, everything from kitchen cutting boards, to smoke alarms, to meat smokers. Internet security is likely not top of mind for the typical cutting board maker, for instance. In fact, it might seem too superfluous, time-consuming and costly to worry about. But we are learning that attackers will use any connected device to launch attacks. The business case for fortifying connected devices with the best possible security becomes easier to make when companies realize the incredible damage that can be done to their businesses and reputations if their devices are used as vehicles of attack.
Security Guidance Is Out There
The Cloud Security Alliance (CSA) has published some excellent security guidance for the IoT. (As it happens, I was one of the editors for an industry-first IoT security white paper by CSA.) Here are some basic steps that should be taken to secure any device in the IoT ecosystem:
- Product interfaces should be secured by basic authentication, integrity protection and encryption techniques, especially for devices that can wreak physical damage if hijacked, such as the thermostats that control your furnace.
- This fundamental step is often neglected, and there’s a price. For instance, Brian Krebs noted many of the username and password pairs in the botnet source code used in last month’s attack were default configuration settings for dozens of common products. If users had set their own strong passwords, the attack wouldn’t have been as widespread.
- A secure firmware/software update process should be adopted.
- Regular, safe software updates and bug fixes need to be as common with connected devices as they are with personal computers and smartphones.
- The security of any IoT product should be independently verified by a trusted party.
- A commitment to consistent security mindfulness must be made.
- Nobody is immune from this problem. According to one report, even 30% of IT professionals do not change the default administrator password on their wireless router.
Cross-Industry Alliances Are Critical
As we consider steps that need to be taken and commitments that must be made, there is a fundamental need for IoT-related alliances, such as that provided by the CSA. Such alliances must facilitate the development of open standards, APIs and reference implementations to promote extremely easy adoption by any IoT vendor. Otherwise, vendors may introduce their own proprietary and non-interoperable security features – or worse yet, not implement any at all. Bigger money entities need to step up and take the lead in creating these standards.
Interconnection and Ecosystems Put You Ahead
Equinix’s global interconnection platform, Platform Equinix™, is another way to help secure the IoT. To understand how, it is helpful to view it through the lens of the “CIA Triad,” which, by the way, does not involve government spies. In this context, CIA stands for Confidentiality, Integrity and Availability.
To promote confidentiality and integrity, Platform Equinix leverages an Interconnection Oriented Architecture™ (IOA) that puts end user IoT devices as close as possible to IoT and security services, bypassing much of the public Internet. And for availability, Equinix has more than 145 data centers in 40 global markets, which we operate with >99.99999% uptime. In addition, we have a growing ecosystem of managed security providers, such as Deloitte, which have developed global, cloud-based security management services based on Platform Equinix.
The bottom line is that while last month’s attacks have rightfully raised concerns about what an increasingly prevalent IoT means for the future of data security, there’s no need for the good guys to go into this battle unprotected. But everyone’s eyes must be wide open about the challenges ahead. And they need to know how much strategic interconnection can help.
Get a guidebook on how to build an IOA and help make the IoT as secure as possible by downloading the IOA Playbook.