Weaponizing the IoT: Is It a Nuke, or a Pop Gun?
In the year ahead, the IoT could cause significant – but preventable – distress for businesses and individuals. As the IoT worms its way into households and industries, the 46-billion-unit question is, who’s minding the store? Is this a year of living dangerously or will users finally take charge?
The defining trend for 2017 may well be the weaponization of the IoT. Indeed, 2017 looms as a pivotal time for peril from the seemingly benign things we own and, in some cases, love. A smart city or a smart TV can be terrific. But there are now legions of unwitting connected-device accomplices around the world. Think about it: you now need a firewall to protect your smart fridge. Is the local loop protecting others before an attack hits, or even capable of doing so?
The Insecurity of Things
Meanwhile, the cash registers are ringing. Juniper Research’s December 2016 forecast estimates that the number of connected IoT devices, sensors and actuators will exceed 46 billion by 2021 – a 200 percent increase from 2016.
As Cyberscoop’s Greg Otto mused about this year’s Consumer Electronics Show, “While the tech-hungry hordes were kicking the tires on [the] 50 billion gizmos, the number of people at CES who worried about the security of those devices and the IoT at large was probably closer to 50.” Or as Healthcare IT News observed, “as the IoT takes hold, another phenomenon may also simultaneously occur: the Insecurity of Things.” The challenge, says Accenture’s John Curran, is that “consumers won’t universally trust IoT-connected devices until the ongoing security issues around them are resolved.”
Enlisting in the Botnet Army
While Americans stocked up on consumer electronics goodies during the holiday shopping derby, for users of Twitter, Netflix, Airbnb, Amazon, and Reddit – among other major online destinations – October 21 was a different kind of black Friday. A massive DDoS attack took those sites down, thanks to an attack against DNS provider Dyn. In the aftermath that followed, it was easy to miss the implications of this precedent-shattering occurrence.
Massive volumetric attacks are as troubling as they are new. They are too powerful for any single firewall — especially when the breach comes from an army of connected devices. As the number of connected devices across the earth explodes, a Terminator-like “rise of the machines” becomes a possibility. Virtually every intelligent device, from a connected 8k TV to a rain controller to an industrial video camera to a smart thermostat, can be enlisted in a DDoS army.
Right now, IoT devices can become weapons pointed against third parties or against themselves. This isn’t what anyone signed up for. The fact is, no one treats their home network as they would a corporate network, but that’s in fact what home networks have become. Home automation is poised for exponential growth, but it’s unclear to what extent it is a threat or a promise.
It is definitely at least partly a threat. According to a 2017 forecast by cybersecurity provider Trend Micro: “The Internet of Things will play a larger role in targeted attacks in 2017, capitalizing on the growing acceptance of connected devices by exploiting unsecured systems,” the firm reported.
IoT Security Best Practices, Where Art Thou?
Industry trade organizations CEDIA and CTA are busy at work on best practice guidelines while looking for anyone with a substantive background willing to participate in their research, according to Residential Systems. That’s at once encouraging and grim. It's hard to make the IoT more secure without manufacturers first identifying and implementing best practices protocols.
The feds are watching, but that’s about it for right now: the Department of Homeland Security and the Department of Commerce recently outlined a set of principles intended to guide their respective IoT initiatives, but addressed issues like availability, access, standards, and technology development – not security.
New Attacks, New Defenses
As bad as the state of IoT security is, users won’t find themselves entirely defenseless in 2017. Perhaps not surprisingly, some companies are seeing potential profit in protecting the precious data that connected devices collect, as Brick House Security has noted.
In the year ahead, I expect volumetric attack protection technology to go mainstream. This technology represents a new approach for real-time DDoS mitigation using automatic analysis of DDoS alerts. It also can deploy routing commands to assure that appropriate steps are taken to thwart legitimate DDoS attacks, all without the need to have a human involved. Volumetric attack protection is not a panacea, but it reflects a necessary mindset and promises to be a promising solution.