Chapter 15 – The Day of Reckoning

“Need a favor, neighbor. Our dryer is acting up. Can we come over and use yours…” John was still talking when the news alert popped up on the screen of my cell: WORLD’S LARGEST ECOMMERCE SITE GRINDS TO A HALT ON THE BUSIEST DAY OF ONLINE SHOPPING…

* * *

In my last blog post I shared some of the general security challenges that come with the Internet of Things (IoT). In this post, I will focus on one particular security risk: distributed denial of service (DDoS) attacks.

Even before the age of IoT, DDoS attacks have been turning multitudes of computers into botnets, attacking a single target and causing denial of services for the target’s users. By “multitudes” we can be talking about thousands or even millions of victim devices. Now add IoT into the equation and we could be looking at billions of devices pressed into attack! The scale and the damage would be unprecedented and massive. Such attacks could bring some of the largest systems down (in my little piece of fiction above, an Amazon-like company). If it sounds like science fiction, it won’t be for long. What will it take for DDoS attacks that use IoT devices to cross that line from fiction to reality and how we can prevent such disaster from happening?

DDoS Attacks – Growing and Evolving with IoT

DDoS attacks are getting worse: as reported by Akamai¹, the number of DDoS attacks in Q1 2015 have more than doubled the same period last year. That’s hardly a surprise as the most common software architecture, and its vulnerability, has remained unchanged for many years: the client-server model. Connected on the same network, clients (such as company computers) initiate a service request and servers (the company servers) provide the service. A company computer may request data or a software update, and the company’s servers will provide the requested resource or service in response. If malware takes over, for instance, the compromised machines become a “zombie army.” Since many company computers are always connected to the company’s network, they can turn against the company’s servers and initiate a DDoS attack.

The Akamai report calls out one important IoT-related issue: Simple Service Discovery Protocol (SSDP) attacks. SSDP are network protocols that bypass server-based configuration mechanisms and enable devices on the same network to discover and communicate with one another. They are intended for use with simple devices at home or in smaller offices—an important enabler scaling and making IoT readily available to the masses. SSDP attacks in Q1 2015 made up more than 20% of the attack vectors—something that wasn’t even tracked a year ago. So that little wireless activities tracker you wear on your wrist (Fitbit, Apple Watch, and many others) which you love as it syncs up your health data on your cell phone and your company tablet? With a little bit of malware, it can turn into the zombie device that you fear: it can attack any server without your noticing until it’s too late!

While the SSDP attacks reported have not turned fridges, coffee machines, microwaves, or dryers in our homes into zombie armies yet, their growth provides a great opportunity for abuse.

What You Can Do To Put off the day of reckoning

Let’s face it: DDoS attacks will only get worse with IoT opening up even more opportunities for attacks. Without any breakthrough in security measures, players in the IoT ecosystem have to consciously and meticulously put some hard work (in fact a LOT of it!) into fighting this DDoS war.

1. Network engineers and administrators of large networks: Redefine your security strategy.

• Understand the complexity: With IoT, we are no longer talking about the operating systems of smart phones or tablets. Instead, we are looking at a quickly and ever-expanding list of “things” from clothing to watches to drones to cameras to sensors—the sky is the limit! These devices are made by different manufacturers, often operate on different protocols and connection methodologies, and have their own vulnerabilities. There is no single firewall—or a single solution—that will keep all things in IoT secure. There is not even a common management model for these devices. That’s a paradigm shift for many network administrators.
• Separate the networks: Mitigate risks by putting IoT and company-issued IT devices on separate networks. So if one network is compromised, the other—with the company’s most sensitive data—can stay intact.
• Actively monitor: You need to be able to understand your network traffic and detect intrusions quickly. Since attacks are almost “expected” these days, your ability to identify problems in real time is one of your strongest security strategies. However, IoT devices are unannounced and are provided access to secured corporate devices by the end-user without corporate technologies teams’ knowledge or consent. These represent significant new intrusion points for those with malicious intent and you need to actively monitor/look out for such intrusions.
• Exert influence early on in the decision-making process: IoT is happening and the benefits are phenomenal. Your organization’s leadership team will WANT to capitalize on the new business opportunities IoT brings along. You need to become and be known internally as an IoT expert, so management will want your opinion and guidance on IoT-related strategies. You don’t want to be in a position where you have to implement an IoT plan full of security holes, or worse, one that has insufficient consideration for security.

2. Software designers: Put security in the forefront of your design process

• Take IoT security seriously: IoT devices are typically the weakest link when it comes to a network’s security. The household electronics in my Sci-Fi opening are unlikely to support cryptology or other complex device architecture. They are the perfect botnet hosts and when they attack, their attacks will come from legitimate networks making it even harder for their target to detect. I believe the same security mechanisms built into expensive, high-performing computers should be extended to inexpensive, simple IoT devices.
• Approach IoT security creatively: When it comes to incorporating DDoS defensive mechanisms into IoT design and architecture, think out-of-the-box—literally! Today, many IoT devices don’t even have the ability to receive firmware or software updates. For those that do, users typically have to allow such updates. In the future, however, this will likely evolve into automatic updates. Now that’s a double-edged sword: there are security risks involved with auto-updates obviously, but manufacturers can also push patches automatically. Security can become an out-of-the-box solution then.

My Sci-Fi story is still being written, as is the story of IoT. Let’s work together and give it a happy ending.

¹ Akamai State of the Internet [Security] Report, May 2015