As more and more Internet of Things (IoT) devices are bought and set up, there is a growing concern for what they can do, in addition to their normal purpose. The security researcher, Brian Krebs, had his website brought down by a Distributed Denial of Service (DDoS) attack. The company who formerly hosted Krebs and his security, Akamai, said that the attack was brought on by hundreds of hacked IoT devices (he has since started using Google’s protective services). This didn’t use reflection or replication attacks, either; it used traditional methods of denial of service, by flooding his site for requests. Akamai says that this is the largest DDoS they have ever seen. This brings me to the question: how can we prevent and/or mitigate these sort of attacks?
This attack was brought on mainly by unsecured, un-maintained IoT devices. More recently, these devices have been manufactured, released, and not updated. The average consumer of these IoT devices know that the features of the device make it such that one can easily control it from afar, often times with one’s mobile phone. What they do not realize is that hackers can also break into these devices and use them, too. Often, the manufacturer will throw in a free OS (such as GNU/Linux), add on their thin, proprietary layer, and sell it. They do not realize the problem they are creating, as exemplified in the attack on Krebs’ website.
It is true that there is a cost to updating and maintaining these devices. Which company wants to have a costly developer staff just to update the software on their line of light bulbs? Then again, which company wants to be known for the product which aided in bringing down Google’s servers? Either way, there’s going to have to be a way for these devices to get updated.
Usually what a user will find on these IoT devices is an embedded OS like GNU/Linux. So why not develop a distribution that utilizes open standards and receives regular update? Similar to Android, yet with stricter guidelines. A company could, for instance, set up a distribution with safety, compatibility, and interoperability in mind. They could work with the IoT device manufacturers in making products that work together, and can be updated regularly. Though let’s not just talk about the manufacturers; the consumer also has a responsibility, too. (It’s worth noting that there is an embedded GNU/Linux distribution that can be easily built and configured for IoT devices.)
The average consumer of IoT devices will have to learn about the extended benefits of these IoT devices, and they must realize that they come with a much greater risk. Indeed, one cannot put a simple toaster in the same category as a light bulb which one can control with a mobile phone. They must be made aware that an attacker can take control of their IoT devices and used for malicious purposes. This doesn’t mean that they need to be scared into acting, though, because actions made in fear are, often times, poor choices. They should be informed that it’s possible for this to occur, and that there are forces in place which are trying to counter these attacks.
Going forward, companies that make IoT devices, and consumers of IoT devices, must be more safety conscious, for there are malicious forces in the world who are ready and able to make use of these devices for their own nefarious purposes.