IoT under attack

There’s a common joke regarding connected gadgets that the ‘S’ in IoT stands for security. And yes there is no ‘S’. With the propagation of Internet of Things, the number of connected devices is estimated to grow sevenfold the number of owners of those devices. The security of these devices and as a result, the security of the internet ecosystem is proving to be quite challenging. The IoT sector is expected to grow to 20.4 billion devices by 2020, and businesses are expected to spend $134 billion annually by 2022 just on cybersecurity for IoT devices, according to Juniper Research.

Most of the IoT advantage is tied to the sophistication of AI which is still an evolving area. For eg. driverless vehicles can be thrown off-track by graffiti on street signs. And many devices are still being released with security added as an afterthought, if at all, rather than by design.

In late 2016, a Mirai botnet, an open source botnet, called Botnet 14 took an entire country Liberia, in Africa, offline each time. Earlier the same year, another Mirai botnet infected numerous devices, mainly old routers and IP cameras, and then used them to flood DNS provider Dyn with a DDoS attack. It took down Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter and many other such big websites. This attack teaches us a lesson that is a bit more complicated than a simple fix. Many manufacturing companies cut costs by not including enough storage space on their devices to allow for updating the Linux kernel. This leads to a lot of IoT devices that are running kernels with vulnerabilities. It is the responsibility of the manufacturers to enable every device for regularly scheduled kernel updates. Until this issue is resolved, IoT devices will continue to suffer from exploitation.

Anyone who deploys an IoT device needs to take the time and make it a point to change the default user/password combination and constantly be wary of any suspicious network activity. Developers should consider making password change mandatory upon initial deployment of the device. The onus for preventing takedown by IoT is on both the user as well as the device developer.

A critical consideration for security of IoT systems (or any IT environment) should be that the system cannot rely on the constant integrity of every connected device to ensure the ongoing integrity of the whole system. The design and security features of the IoT system ought to assume that individual devices might be compromised (no security is foolproof), but it should still be able to function securely with one or more compromised devices.