The tech industry is moving at a blazingly fast pace, and it is unstoppable. Device and service ubiquity now extends to almost any device that can be connected to a network. Devices such as home monitor systems, refrigerators, smart sensors, smart speakers, smart alarm clocks, thermostats, smart locks, smart cameras, multicolor smart wifi, virtual reality headsets, wifi thermostats, talkies, video doorbells, smart button controllers, touchscreen universal remotes, wireless routers, programmable dash buttons, Nespresso coffee machines, indoor connected night lights, voice controlled speakers, indoor air quality monitors, connected coolers, intelligent ovens, dimmer switches, smartwatches, smart vent systems, smart smoke alarms, smart herb gardens, portable fish finders, smart blood pressure monitors, fitness trackers, pet trackers, and so on are all candidates for the IoT. All of these are vulnerable to DDoS attacks, or they can be used to launch a DDoS attack.
When we sell these devices to consumers, most of them lack basic security features. For example, some devices have passwords that were set once and are already in place, or passwords so easy that a simple dictionary brute force can recover them. Encryption is very poor or absent. There is no mechanism to check for viruses, worms, malicious code injection and so on. There are two aspects involved here: one is preventing DDoS attacks against devices, and the other is preventing devices from participating in a DDoS attack. Let me cover the second aspect.
As more and more devices get connected to the Internet and to each other through other networks, the need for security increases. This sets a high bar for security, as these devices were not made with security in mind. New devices coming onto the market now adhere to some security standards, but there are already a lot of devices out in the wild. The other aspect that sets the bar so high is the lack of knowledge and training among the people who operate old or even new devices. There is no common nomenclature of any sort that can be built into a device to help the operator adhere to security standards. Gartner reported that 63 percent of Internet of Things devices in 2017 were consumer devices. This is a huge percentage, and given the lack of security controls available to end consumers, it becomes a bigger concern as the Internet penetrates further. I believe this number will increase and the industry will not catch up as quickly as the rate of acquisition of insecure devices.
Kaspersky and other security vendors show that malware on such IoT devices has been at least doubling year over year since 2013. If this carries on until 2020, a huge chunk of at least 20 billion devices will be affected.
I think many of us remember that the popular sitcom “Silicon Valley” showed a use case of refrigerators enabling distributed and coordinated data storage. Imagine if this distribution and coordination were enabled by malware itself. We are already seeing IoT botnets, but the situation might get worse due to the lack of controls.
Many people think that it is not possible to install anti-virus software on IoT devices, but I believe we can. Anti-virus and anti-malware binaries can be built on top of a minimal kernel, e.g. it can be done in a 5 MB Linux system. As for the virus or worm databases, they can be distributed in nature. Device capabilities are increasing, so we need further research and testing in this area.
IoT devices use a variety of last-mile connectivity mechanisms, e.g. Bluetooth, Zigbee and Wi-Fi, which already have very limited security mechanisms. This issue has been there for quite some time. But there is light at the end of the tunnel. We need to make sure that the end device itself is smart enough to take care of the deficiencies in access technologies. Another issue is the lack of patching. We can do software updates on mobile devices, but we can’t on IoT devices, at least not as easily as on mobile devices. I think it is all about priorities, but that can be achieved at least using existing patch/update mechanisms.
We hope things are going to get better, but it seems like momentum is in the opposite direction. One step forward and two steps back.