The recent distributed denial of service (DDoS) attacks on a leading IP address look-up service—which in turn impacted many of their clients (including some of the world’s best known companies and media outlets)—were made all the more powerful because tens of millions of devices were hijacked to participate in the attack, many from unsecured or hacked Internet of Things (IoT) devices.
Scary to think that your DVR player, webcam, thermostat, toaster, car—anything you own that is connected to the Internet—may be hijacked to launch massive attacks against the commercial, security, energy, defense, or other vital sectors of our society.
This attack and other recent ones like it remind us of two things: first, the need for increased attention to security in this increasingly IoT world; and second, that the security gaps hiding in most IoT devices are not easily patched. We’re also reminded that there are many technical, legal, privacy-related, and other issues involved in trying to “make the Internet safe.”
Manufacturers of everything from cars to baby monitors often rush to provide functionality dependent on Internet connectivity, since that is what end users demand, but that often comes at the cost of adequate security protections for these hackable devices. Many IoT devices are also shipped without the ability to receive updates from the manufacturer, or with hardcoded passwords that can’t be changed. This greatly impacts vulnerability: as consumers, we need to start paying attention to these details when adding IoT devices to our networks.
The implications of such recent attacks are frightening—but what might await us further down the road? We are entering an era in which our devices are increasingly part of intelligent systems that share data to adapt and improve. For example, speech recognition and other “artificial intelligence” services improve as we talk to our voice-assisted devices (Siri®, Amazon’s Echo®, etc.). As AI-enabled machines and applications become more prevalent—and more like extensions of ourselves—how will they be impacted by corrupted data from attacked IoT devices? Paying attention to security now could help us prevent an even scarier future where attackers teach our AI devices to do things we never intended.
For both current and future risks, vendors are wise to “build security in,” and consumers can help by paying attention to security when making purchasing decisions. Manufacturers facing liability issues stemming from unsecured products are well advised to design security into their products from the get-go. This means (among other things) rigorous and independent verification and validation (IV&V) testing of software and firmware; hardening that code against as many known and unknown vulnerabilities as possible; providing secure default configurations; making code easily and securely updateable; and ensuring that the software’s development and supply chains are fully protected.
Siri is a trademark of Apple Inc. Amazon Echo is a trademark of Amazon Technologies Inc.