In the last 30 days, I participated in two CIO conferences (Montreal and San Francisco) and interestingly heard similar questions from executives about the security risks and dangers of Internet of Things devices. Are they really that dangerous?
When I talk about Software as a Service, most readers think of Google's compute cloud, Amazon Web Services or Microsoft's Azure cloud platform. What never gets mentioned is the new breed of Attack as a Service providers. As competition in this space heats up, purveyors of these types of "fine" (said sarcastically) services are looking for ways to reduce the price to win customers. Yes, free-market economics are alive and well in the dark underbelly of the internet.
An October 2014 (link) report by Akamai (one of the internet's largest Content Delivery Networks and a provider of website attack protection services) said that it saw a significant increase in the number of UPnP devices being used in amplification attacks.
The Open Resolver Project has collected a list of 28 million internet connected devices that can be used for amplification attacks (link).
Remember that not so long ago (Christmas Eve and Christmas Day), a group known as the Lizard Squad "took down" the PlayStation and Xbox online services through a DDoS attack using thousands of compromised home internet routers.
As companies rush to cash in on the connect-everything-to-the-internet craze, many are cutting corners on security in order to rush products to market or save money on development costs. These are the same companies that don't update their products when major flaws are discovered in the open source tools they use, which means known vulnerabilities sit waiting to be exploited for the life of that device.
Clearly we have a problem with IoT devices already connected to the internet, and eventually it will have to be fixed somehow or we will see bigger and more devastating DDoS attacks. I'm not sure how these will get fixed but it may come down to government regulation (which I hate to even think about).
Going forward, I am hoping the larger players will be able to sway device manufacturers to adopt a more security-conscious approach. Apple is working on HomeKit and Google bought Nest and Dropcam. If these larger players use security as a differentiator, it may push other manufacturers in the right direction.
The OWASP (link) Internet of Things Top Ten Project is a great start and the site defines its purpose as:
As a security expert, I have very limited IoT technologies in my house. Not because of a lack of desire but out of concern for security. Be careful of what you buy and how you use it. Make sure IoT devices are on a separate network, so that a compromise of those devices won't give an attacker a foothold in your home's internal network.
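The two risks above can be checked for on your own network: whether anything in the IoT segment is reaching into the internal LAN (the separation is not working), and whether SSDP/UPnP replies are leaving IoT devices for addresses on the public internet (the amplification pattern Akamai reported). The script below is an added example, not code from the original post; it assumes a hypothetical layout with the LAN on 192.168.10.0/24 and IoT devices on 192.168.20.0/24, and runs over constructed flow records of the kind a router or firewall can export.

```python
"""Added example: flag two IoT symptoms in flow records.

1. Segmentation violations: a device in the IoT segment opening a connection
   into the internal LAN, which a separate IoT network is meant to prevent.
2. Amplification symptoms: SSDP/UPnP replies (UDP source port 1900) leaving
   the IoT segment for public addresses.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical home layout (assumption): LAN and IoT on separate subnets.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
SSDP_PORT = 1900
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record: 'src sport dst dport proto packets bytes'."""
    src, sport, dst, dport, proto, packets, nbytes = line.split()[:7]
    return Flow(ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst),
                int(dport), proto.upper(), int(packets), int(nbytes))


def is_public(addr: ipaddress.IPv4Address) -> bool:
    """Outside the home: not RFC1918, loopback, link-local or multicast.
    ipaddress.is_global is avoided on purpose: it treats the documentation
    ranges used in the sample data as non-global."""
    return not (any(addr in n for n in RFC1918) or addr.is_loopback
                or addr.is_link_local or addr.is_multicast)


def is_segmentation_violation(f: Flow) -> bool:
    """An IoT device initiating traffic into the LAN segment."""
    return f.src in IOT_NET and f.dst in LAN_NET


def is_ssdp_amplification(f: Flow) -> bool:
    """SSDP answers from an IoT device addressed to the public internet."""
    return (f.proto == "UDP" and f.sport == SSDP_PORT
            and f.src in IOT_NET and is_public(f.dst))


def analyze(lines):
    """Return offending (src, dst, dport) triples and SSDP bytes sent per device."""
    segmentation, amplification = [], defaultdict(int)
    for raw in lines:
        record = raw.split("#", 1)[0].strip()   # drop inline comments and blanks
        if not record:
            continue
        f = parse_flow(record)
        if is_segmentation_violation(f):
            segmentation.append((str(f.src), str(f.dst), f.dport))
        if is_ssdp_amplification(f):
            amplification[str(f.src)] += f.nbytes
    return {"segmentation": segmentation, "amplification": dict(amplification)}


# Constructed flow records (not real data); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for public addresses.
SAMPLE_FLOWS = """
# src            sport dst            dport proto packets bytes
192.168.20.11    1900  203.0.113.7    40123 UDP   5000    1900000  # SSDP replies to a stranger
192.168.20.11    49152 192.168.10.5   445   TCP   12      1800     # camera poking the NAS
192.168.20.12    1900  192.168.20.1   1900  UDP   3       900      # local SSDP, expected
192.168.10.5     52000 192.168.20.11  80    TCP   40      30000    # LAN host viewing camera
192.168.20.13    44000 198.51.100.9   443   TCP   20      6000     # thermostat cloud check-in
""".strip().splitlines()


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for src, dst, dport in result["segmentation"]:
        print(f"segmentation violation: {src} -> {dst}:{dport}")
    for src, total in result["amplification"].items():
        print(f"SSDP to public internet: {src} sent {total} bytes")
```

The direction matters: a LAN host connecting to a camera is the allowed direction, while a camera connecting to the NAS is what a separate network should stop, so the check keys on the initiating side. On the amplification side, the local SSDP exchange is left alone and only replies addressed outside the home are counted, which is the traffic a firewall rule dropping inbound UDP/1900 from the WAN would have prevented.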
Ask yourself:
This is a market that will explode in the coming years. We will see IoT embedded in everything from our toaster to our pants. Our shoes will provide step counters, our fridge will say how much we ate and the bathroom will illustrate how much time we lost in there reading a magazine.
Everything we do will watch, measure and report on us. Let's try to make sure all this incredible data isn't used for nefarious purposes. As a consumer, demand secure devices from manufacturers. Vote with your dollars. Email company support departments asking for updates and better protection. It's in all of our hands to make security a priority for these companies.