Late last year, the Internet was disrupted by a wave of attacks that knocked prominent sites offline, affecting hundreds of millions of people around the world. The victims included users of Amazon, PayPal, The New York Times, government websites, GitHub, Twitter, Netflix, Xbox Live, and more than 70 other major sites.
The outages were caused not by a direct assault on those sites but by an attack on their Domain Name System (DNS) provider, Dyn, Inc. This was a distributed denial of service (DDoS) attack, a flood of unwanted data from thousands of locations worldwide, which overloaded connections to Dyn's servers. This prevented users in the US and Europe from reaching Dyn's customers because browsers and mobile apps could not locate the sites.
The DDoS was traced to a surprising source: Baby monitors, security cameras, and home routers—tens of thousands of them, in homes and offices around the world. These Internet of Things (IoT) devices had all been infected with the Mirai malware and organized into a coordinated botnet, controlled by an unknown attacker. The IoT devices could be easily hijacked because passwords had been left set to factory defaults, or because they had unpatched flaws in their firmware.
In another recent botnet DDoS attack, families in the Finnish city of Lappeenranta suffered a particularly chilly week when Internet-connected pumps that provide central heating and hot water in their homes were disabled for several days by a Mirai infection. Those IoT devices were apparently collateral damage, not the target of the assault; they were commandeered to launch DDoS attacks on foreign websites, but the intensity of the attack caused them to crash and shut down heating systems as snow fell and temperatures plummeted below zero.
Security has long been a concern for the IoT industry. As connected devices are embedded ever deeper into our everyday lives and the machines that run our world, attackers gain the ability to cause physical harm. Consider the danger of a malicious hacker seizing control of a coolant pump at a power station, or a set of traffic signals, or a surveillance drone—or the oven in your kitchen.
However, the recent DDoS attacks are shining a new spotlight on IoT security. That's because the insecure IoT devices were not the target. They were the weapon.
The attackers weren't hacking those baby monitors to wake up sleeping kids, or using networked cameras to spy on homes. Instead, they just used those IoT gadgets to attack targets thousands of miles away, via the Internet.
It's ironic: The very features that make the IoT attractive are the same features that attract hackers to weaponize IoT devices. The IoT concept calls for billions of smart, connected devices, but this also makes them ideal soldiers in a bot army for DDoS attacks, spam relays, and other nefarious purposes. The IoT concept also calls for low-cost devices. But robust security costs money, as do software updates to handle new threats. A Hewlett Packard report published last year warned of serious security vulnerabilities in 70 percent of popular IoT devices.
Finally, the IoT concept is perfect for automation of single-purpose devices, including security cameras, routers, and network storage. A key attraction of those devices is they can be left switched on and unattended for months, perhaps gathering dust on a shelf. Unfortunately, this also makes them all too attractive to hackers, who are assured of months of uninterrupted access.
So, that’s the bad news: The nascent IoT is filled with alarmingly vulnerable products that have been rushed out with little consideration for security issues. The good news is that we already have battle-tested defense solutions, both hardware and software, that can harden IoT devices to protect them against the vast majority of threats.
However, there is a challenge for developers who want to make their IoT project secure. IoT devices are usually based around low-power (in all senses of the phrase) CPUs, but the complex math behind encryption algorithms demands processing power; if the math were less demanding, the algorithms would be vulnerable to brute-force attacks. So, developers have a choice: Use a more powerful general-purpose CPU and implement security in software, or offload tough math to dedicated hardware.
For example, there's the Microchip AWS Zero Touch Secure Provisioning Kit, based on the Atmel AT88SA10HS encryption chip. This is a complete evaluation platform that provides comprehensive plug and play authentication for those who are looking to base their IoT product around Amazon Web Services (AWS).
Hardware security modules like these are an attractive solution to drop into new projects and quickly get up to speed with IoT security. But for those of us with potentially-vulnerable IoT devices already in the field, or in our own homes (or our baby monitors, even), what can we do to bolster security?
Start with the simplest tasks: Updating firmware to the newest version and setting strong passwords. If possible, disable all non-essential ports and services on the devices. You might also check device settings, such as internal firewall and routing configuration, for unusual entries that could indicate the device has already been hacked.
Next, research online to find out whether your IoT devices suffer from unpatched bugs that are being exploited in the wild. If there's no firmware upgrade to fix those faults, then the only option may be to replace vulnerable devices. If replacement is difficult and the threat is very well understood, then putting devices behind a properly-configured firewall could be an alternative.
In extreme cases, vital but insecure devices can be “walled off” from the public internet and only receive data via a secure intermediary server—though this is a costly, last-ditch solution for IoT applications.
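The checks described above (firmware version, factory-default passwords, non-essential ports, unusual forwarding entries) can be run across a device inventory. The following is an added example, not code from the original article; the `Device` fields, the default-login list, and every device name, version and address in it are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed examples of factory-default logins; extend from vendor manuals.
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

@dataclass
class Device:
    name: str
    firmware: str          # installed version, dotted integers
    latest: str            # newest version the vendor has published
    login: tuple           # (user, password) as read from the config export
    listening: set         # TCP ports the device exposes
    required: set          # ports its job actually needs
    forwards: set = field(default_factory=set)   # (ext_port, dest_ip) rules found
    approved: set = field(default_factory=set)   # forwards the owner created

def version_key(v):
    # Compare numerically: as strings, "1.10.0" would sort before "1.9.3".
    return tuple(int(part) for part in v.split("."))

def audit(dev):
    findings = []
    if version_key(dev.firmware) < version_key(dev.latest):
        findings.append("firmware-outdated")
    if dev.login in FACTORY_DEFAULTS:
        findings.append("default-credentials")
    extra = sorted(dev.listening - dev.required)
    if extra:
        findings.append("non-essential-ports:" + ",".join(map(str, extra)))
    for port, dest in sorted(dev.forwards - dev.approved):
        findings.append(f"unexpected-forward:{port}->{dest}")
    return findings

# Constructed inventory (names, versions, addresses are illustrative only).
INVENTORY = [
    Device("camera-1", "1.9.3", "1.10.0", ("admin", "admin"),
           {23, 80, 554}, {80, 554}, {(8080, "192.168.1.50")}),
    Device("thermostat-1", "2.4.1", "2.4.1", ("ops", "k7#Vq9!mT2xw"),
           {443}, {443}),
]

def audit_all(devices=INVENTORY):
    return {d.name: audit(d) for d in devices}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```

A device with findings and no available firmware fix is a candidate for replacement or for placement behind a firewall, as the preceding paragraphs describe.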
Part of Mouser's EMEA team in Europe, Mark joined Mouser Electronics in July 2014 having previously held senior marketing roles at RS Components. Prior to RS, Mark spent 8 years at Texas Instruments in Applications Support and Technical Sales roles and holds a first class Honours Degree in Electronic Engineering from Coventry University.