Just about everything has the potential to be Internet connected these days. Your watch, your car, your refrigerator, your house, the list is endless. This also goes far beyond the things we’re used to connecting to the Internet such as computers, phones, and cameras. The term Internet of Things, or IoT, has been coined over the last several years to explain many of these new, Internet connected devices.
While there’s a certain cool factor to being able to text your refrigerator, there is also a darker side. Many of these devices are more than likely running outdated firmware, which may have security holes. While many are used to updating their computers and phones with security patches, many are not yet thinking about applying security fixes to their refrigerators and thermostats.
On October 21, 2016, Dyn experienced a massive Distributed Denial of Service (DDoS) attack, which impacted many, many popular Internet services, such as Twitter and Spotify, as well as many other websites. While the attack originated on the East Coast of the United States, it spread as the day went on. The attack was on Dyn’s DNS platform, which as we know (and now see even more clearly) provides DNS resolution services for much of the Internet.
Attacks such as these are becoming more and more common, as the IoT grows and more devices come online and remain unpatched. In September, there was another large-scale attack, this time against Internet hosting company OVH.
Recently, the United States Department of Homeland Security released their first ever publication on Securing the Internet of Things, in order to bring awareness to these issues and provide guidance.
The publication consists of two parts, an Internet of Things Fact Sheet, as well as the Strategic Principles for Securing the Internet of Things guidelines. Both of these are a great resource for anyone involved with IoT devices.
There are certainly many benefits to our society becoming more connected than ever. However, as we’ve learned with some of these recent DDoS attacks, there are many risks. The new guidelines stress awareness of these risks, and incorporation of security into the early phases of projects, such as the design and discovery phase.
The adoption of the IoT requires collaboration across many groups. The guidelines call for security awareness from everyone, from the developers who write the code that powers the IoT to the consumers of the devices. The IoT consumers are one of the more critical groups who must begin to see their devices differently. Traditionally, one does not look at their refrigerator as something that can lead to a security risk; people are more concerned with it carrying out its primary function.
These secondary functions of devices will take some getting used to. While many brag that the devices are easy to set up (they just need to be plugged in and are ready to go), there isn’t much concern about what happens to them after that. One way to combat this is for developers to ensure these devices have the ability to be updated automatically. While this may still require interaction from consumers, it isn’t difficult to hit the OK button on your refrigerator as you open it. Consumers may also be more likely to apply patches to their devices if the security patches are bundled with new features or functionality, or fix known issues they have encountered.
The new guidelines on securing the IoT are a step in the right direction. With the rapid advancement of technology, it is easy to get caught up in all of the latest gadgets and their functionality. It is time to rethink the processes around securing these devices. After all, who knows what will happen when the refrigerator starts talking with the thermostat.