The Cybersecurity Race to Secure the Internet of Things


Last week's wave of worldwide DDoS (Distributed Denial of Service) attacks through the use of unsecured Internet of Things (IoT) devices is both disturbing and revealing.  Disrupting prime-time access to e-commerce and social media sites has some near-term implications, but also signaled the launch of an arms race between bad actors and the White Hat community – with the future of the IoT clearly between them.  In the long run, the White Hats will win, but the question is how long it will take them.

Sites affected by the Marai malware-based attack on service provider Dyn included AirBnB, Amazon, CNN, GitHub, Netflix, Reddit, Spotify, and Twitter.  The attacks were the largest to date, with a previous attack a few weeks prior launched against the Krebs on Security website delivering a record-setting 620 Gbps DDoS attack against a single target.

If you want a root cause for last week's botnet attacks launched against a major Internet DNS (Domain Name Service) provider, akin to the phone directory mapping IP addresses to websites, it's haste and greed.  Manufacturers in a hurry to crank out Web cameras, DVRs, and various other IoT devices ignored basic security measures in the rush to put their devices into the market place.  Default and/or easy-to-guess passwords and an inability to distribute security fixes are at the heart of the ability for bad actors to find and exploit unsecured IoT devices.

Chinese manufacturer Hangzhou Xiongmai Technologies has admitted its products were used in the latest attacks, with its IP cameras and DVRs running older versions of its firmware still vulnerable.  The company recommends its customers update firmware and change default user names and passwords – assuming they have the devices and know how to run the updates. There has also been talk about Hangzhou doing a recall of devices, but this may be challenging as the company has OEMed its tech as well.

We've seen this all before in the Wi-Fi world, making the current wave of unsecured devices not just a learning experience, but benign neglect at best, intentional and willful disregard for the consequences at worst.   The Wi-Fi world evolved over the years, adding new layers of security encryption and getting rid of default passwords and logins, with other security features turned on by default after complaints by the community.

Now the IoT community is forced to play catch-up, with vendors having to validate their approach and implementation to security. For those who have been slackers, it's a matter of rushing out patches and rolling in best practices in current and future products. Expect a lot of service providers and the 5G world that have bet heavily on IoT to retool messaging and offers to emphasize security.

For the security community, the DNS DDoS IoT attacks represent the latest intellectual challenge.  One proposed countermeasure under discussion would be to preemptively "bot" – takeover – unsecured and vulnerable IoT devices to prevent them from being used in a mass attack.  How legal and ethical such a tactic is is another story – a 21st century "fight fire with fire" –  but it goes to show what measures some are willing to consider in order to keep the Internet going.

Other counters to the current IoT security problem are filtering within local networks to prevent local devices from communicating and being compromised by an external party and upstream filtering at the service provider level to prevent compromised devices from flooding servers on another network.  Down the road we may see a sort of session border controller (SBC) for IoT traffic or some additional software tricks added to deep packet inspection (DPI) to thwart bots controllers from amassing large numbers of devices.  ISPs may also start virtually "disconnecting" compromised devices if they can't be upgraded or fixed, simply refusing to move traffic from them in the most extreme case.

Certainly this won't be the last "It crashed the Internet" moment (Google "Morris Worm" to find out the OG moment). Once this is fixed, there will be other threats in the ongoing arms race between bad actors looking to make a couple of quick bucks and security experts that get paid to keep social media up and ecommerce sites going.

Edited by Alicia Young
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

Contributing Editor

Related Articles

Why Block Websites? Understanding the Reasons

By: Contributing Writer    5/6/2024

The internet is such an expansive network where every click can lead to information, entertainment, or opportunities for productivity. However, this a…

Read More

ChatGPT Isn't Really AI: Here's Why

By: Contributing Writer    4/17/2024

ChatGPT is the biggest talking point in the world of AI, but is it actually artificial intelligence? Click here to find out the truth behind ChatGPT.

Read More

Revolutionizing Home Energy Management: The Partnership of Hub Controls and Four Square/TRE

By: Reece Loftus    4/16/2024

Through a recently announced partnership with manufacturer Four Square/TRE, Hub Controls is set to redefine the landscape of home energy management in…

Read More

4 Benefits of Time Tracking Software for Small Businesses

By: Contributing Writer    4/16/2024

Time tracking is invaluable for every business's success. It ensures teams and time are well managed. While you can do manual time tracking, it's time…

Read More

How the Terraform Registry Helps DevOps Teams Increase Efficiency

By: Contributing Writer    4/16/2024

A key component to HashiCorp's Terraform infrastructure-as-code (IaC) ecosystem, the Terraform Registry made it to the news in late 2023 when changes …

Read More