Machina Research, has published a new Research Note discussing the role of the IoT as an enabler of massive-scale DDoS attacks, and makes proposals to mitigate the related risks in the future.
The recent Distributed-Denial-of-Service (DDoS) attacks enabled by malware-infected IP cameras, DVRs and other embedded devices have caused fresh concerns about the future of IoT security. What is particularly problematic about the attacks is the fact that it is not the suppliers of compromised products or their customers that must deal with the direct consequences, but various other parties affected by them. On one hand, the incidents highlight the insufficient incentives that developers involved in consumer IoT often have when it comes to security of their products and applications. On the other hand, they also demonstrate that IoT security is a matter of public interest, and even of national security.
In light of the incidents, Machina Research has six takeaways about the situation:
- The Mirai malware has not been a technology problem, but a process and policy problem. There is, technology-wise, nothing that would fundamentally prevent IoT developers from securing their devices appropriately. Hardcoding a generic term such as “admin” as the product’s default password (if that is what has indeed happened with certain Mirai-affected devices) is deeply irresponsible, but the good news is that it is also entirely avoidable.
- Mirai is a problem of consumer IoT, and not a problem of enterprise IoT. IoT security is a hugely diverse space of very different application requirements, and what we have seen now involves the inherently less secure end of it. In enterprise IoT, suppliers that fail to meet certain security standards generally also fail to win business. In consumer IoT, the same business incentive is lacking.
- What makes DDoS a particularly complicated security issue is the fact that the customers of hacked devices do not typically face their full consequences. The backlash to the affected device makers ultimately remains to be seen, but the chances are that it will not be serious enough to make a difference amongst the B2C makers of today and tomorrow.
- There is a strong case to address security standards in consumer IoT through regulation and certification. If some device manufacturers do not have an incentive to take security seriously, and if it is the other companies and their customers that must face the consequences, then the industry is clearly dealing with a moral hazard and a market failure. The “smart” aspect of smart devices should be brought under the same frameworks that vet products for their overall safety, such as CE and UL.
- There should be an effort to make the Internet as a whole more resilient to IoT-driven DDoS attacks. Vendors that supply backbone infrastructure for Internet services should start shoring up their contingency plans. Similarly, their customers must also invest in their own fallback strategies.
- Governments should assess their options to mitigate the cyber risks stemming from out-of-date “zombie” devices. Over time there will be countless IoT devices that are operational, but whose firmware and software are no longer being updated. There is no realistic way to mandate any company to manage devices over their entire lifecycle, but one possibility is a special “IoT tax” that is imposed on certain device categories. These would then be used to support an ISP-led scheme to analyse traffic and sunset identified rogue devices. The end-users would acknowledge the risk of this happening, and waive their relevant rights, when purchasing these devices.
Principal analyst and author of the report, Aapo Markkanen, concludes:
‘There is no one single silver bullet to mitigate the long-term DDoS threat that the growth in IoT devices poses to the Internet-based economy, and the response must be a mix of different remedies. Companies with anything at stake in the IoT need to come together and find the right avenues to advocate better developer practices. Given that there is a strong public, and national-security, interest in the issue, it would be wise for the industry to move proactively and come up with concrete proposals that will help set the right incentives for developers.’