An increase in recent attacks and dramatic growth in the strength of DDoS (distributed denial-of-service) attacks have highlighted new vulnerabilities and the lack of security in the rapidly growing Internet of Things (IoT) industry.
With an estimated 21 billion devices expected to be connected to the internet by 2020, there is a critical need to ramp up the security of “things.” To do this, the Smart Card Alliance advocates for the addition of embedded security in IoT devices.
The vulnerability exploited in these DDoS attacks is just one of the many potential threats prompting the Smart Card Alliance recommendation to ensure that security requirements are included in the design of IoT ecosystems. This includes how communications with IoT devices are authenticated, how access is controlled, how data is protected, how IoT devices are managed during their lifecycle, and how the IoT device may impact other systems.
The Smart Card Alliance consists of over 200 members worldwide, including participants from financial, government, enterprise, transportation, mobile telecommunications, healthcare, and retail industries. A mix of issuers and adopters of smart card technology work in concert with leading industry suppliers of the full range of products and services supporting the implementation of smart card-based systems for secure payments, identification, access, and mobile communications.
The main goals of the Alliance are to influence standards that are relevant to smart card adoption and implementation; maintain a voice in public policy that affects smart card adoption and implementation; serve as an educational resource to its members and the industry; and provide a forum for cutting-edge discussions and projects on issues surrounding smart cards.
While there is no silver bullet and effective security must have many levels, for those systems that impact life safety or the functioning of critical infrastructure, the Smart Card Alliance believes the addition of embedded security, which can be implemented using secure chip technology, is a necessity.
This is the same technology currently being used in GSM mobile devices, payment chip cards, secure identity tokens and e-passports. Applying these techniques can deliver crucial security mechanisms for authenticating and authorizing access to, and protecting data being generated by or delivered to, the billions of connected IoT devices.
A cascading string of DDoS attacks—most recently taking down parts of hundreds of sites including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times—has demonstrated record-breaking volumes that are overwhelming website defenses. The four-fold growth in attack size over the last year is being driven by hundreds of thousands of internet-connected devices hackers are adding to their botnets, according to industry sources.
According to the Smart Card Alliance, every IoT device serves as a potential entry point to a broader IoT ecosystem. These devices can become part of wider botnets, where many different devices – all connected to each other, all network-enabled – can bombard targets with crippling volumes of data, making it harder to detect and respond to DDoS attacks.
If successful, these types of attacks can negatively impact businesses through unnecessary service disruption causing consumer frustration, loss of business productivity and profit, and exposed security vulnerabilities.
“These recent attacks, one of which was more than four times the size of the largest reported attack last year, are comparable to the massive payments data breaches that have been in the spotlight over the past few years,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “This is just the latest example of the IoT vulnerabilities that exist today, demonstrating why the security of things is so critical. To protect connected devices and their data, the IoT industry needs the attention, coordination and commitment to security that the payments industry is putting into securing payments.”
Embedded security can establish the “identity” of each device, ensure that access to the device is only allowed to authenticated and authorized entities, and protect the data being generated by or delivered to the device. These are fundamental requirements to prevent unauthorized tampering with how these devices are designed to work, and to protect the privacy and security of the vast amount of data the devices generate.
The Smart Card Alliance formed its Internet of Things Security Council to provide a single forum where all industry stakeholders can discuss applications and security approaches, develop best practices and advocate for the use of standards for IoT security implementations. The council welcomes organizations involved in the many IoT ecosystems to participate in these efforts, as well as to network and share implementation experiences.