Risks and Safeguards in the IoT Security Landscape

by Michael Lynch

The Internet of Things is a rapidly growing ecosystem with a continually expanding variety of devices connecting to it. Assisted speakers, baby monitors, thermostats, wearables, and outdoor cameras are just a few of the these IoT devices.

According to a Juniper Research study, the number of connected IoT devices are expected to reach over 46 billion in 2021.

As the IoT landscape has evolved, we’ve seen a new risk emerge: IoT-based DDoS attacks. For example, Russian banks and a U.S. college were involved in DDoS attacks that in part leveraged IOT devices.

But perhaps the most well-known attack is the one that brought down a significant portion of the internet in North America in October 2016. This was a deliberate increase in internet traffic leveraging baby monitors and cameras. The traffic overloaded Dyn and Amazon Web Services and also as a consequence impacted Twitter, PayPal and Netflix.

The attack was carried out using a malware called Mirai which easily weaponized DVRs and cameras, among other devices, using the default usernames and passwords that were shipped with these devices. Attacks using Mirai, which seems to have been leveraged multiple times, exposed the weakness of IOT.

Cybersecurity attacks leveraging the IoT will not just be limited to DDOS attacks. According to the same Juniper Research study, “IoT DDoS (distributed denial-of-service) ‘botnet’ attacks have become infamous in 2016, although in the medium-term, personal data theft, corporate data theft and physical asset damage will be the primary goals for IoT hackers.”

IoT is a broad and ever evolving landscape with an unlimited number of manufacturers and types of devices. And that leaves a tremendous range in the level of security for such devices. Unlike smartphones, IoT devices run on numerous different operating systems. With the right security in place, smartphones can be used to transact, pay, and share other information. But the security has matured and has been specialized for these operating systems. IoT is a new world and a far more diverse ecosystem with an unlimited number of non-standard device operating systems.

Methods to Protect the IoT

Techniques to identify the connectivity point for a device, the device type, and if it has been previously identified will help cybersecurity professionals prevent access from devices or IP’s that are causing harmful traffic. IoT device identification and risk analysis include intelligence using traffic patterns, geolocation data, proxy and IP data, and other device characteristics. It is critical to identify the source of the threat and differentiate it from other traffic in order to stop affected machines by blacklisting IP’s or devices themselves and contain the damage. If the device or IP can be determined specifically, that provides the opportunity to stop the velocity of one or many similar devices continually accessing a network. And if there is no business reason for a baby camera, DVR or thermostat to connect to say, a banking platform, then obviously that type of traffic, if identified, should quickly be stopped.

If a single or a few dominant operating systems would emerge as was the case with smartphones, there would be the option of utilizing applications on the device itself. If there is an ability to create standard operating systems which interact with the endpoint, then there would be the potential to more uniquely identify that device based on its attributes. To use a parallel example, the security for mobile applications is much more powerful because you can identify a returning device and make certain risk assessments about that device. This is beneficial in the case of a DDoS attack, because you know which devices are secure, and are higher risk. However, for this to become pervasive, manufacturers in the industry will have to invest in using such operating systems.

For example, IoT devices such as certain wearables, particularly those on the major OS such as WatchOS, for the Apple Watch, and Android Wear OS, will in the long run be easier to secure. Apple has made continual patches and releases which include critical security updates for the WatchOS. And with Amazon’s Alexa, Apple’s Siri, and Samsung’s Viv potentially all attempting to dominate the voice IoT market, there is hope that IoT shifts towards standardization of a small number of operating systems by major manufactures that have the resources to invest in securing their devices.

Eventually there will be better methods to secure IoT and likely a standardization of operating systems and best practices for securing them, as consumer demand will drive security executives and manufacturing executives to invest to protect their brand. However, as the market stands today, there are risks which hopefully are forcing the industry to accelerate the process of securing the Internet of Things.

Michael Lynch is the Chief Strategy Officer at InAuth.



IoT Innovator Newsletter

Get the latest updates and industry news in your inbox! Enter your email address and name below to be the first to know.