If the old saying that “a man’s home is his castle” is true, then the place where most men keep their valuables secure is the refrigerator. That’s where beer is kept chilled, and also those fat rib steaks you’re tenderizing for barbecuing when you get home from work on Friday. And castle walls being usually thick and high and made of stone, they generally suffice to keep those darn bandits like neighbors from getting at the goodies stored in your refrigerator.
Until now that is. Things may be about to change with the arrival of the Internet of Things (IoT) and the advent of the so-called smart refrigerator, which in my view may be the dumbest thing ever developed. For example, a security company named Pen Test Partners found a vulnerability last summer in one of Samsung’s Internet-connected refrigerators that allowed a malicious user to steal the fridge owner’s Gmail credentials. What could go wrong with that? Maybe the fridge owner is an IT guy who works for a big company and he uses his Gmail account to reset the password on his home computer, and unfortunately he has some sensitive company info stored on his home computer, so … you probably get the picture — suddenly you’ve been responsible for a security breach happening at your workplace.
It’s bad and it’s getting worse
Tech news sites have been virtually flooded this year with reports of bad things happening with regard to IoT devices. Most of the concern at present is that the terrible security (or complete lack of security actually) of most IoT devices has led to the mass harvesting of IoT devices for creating botnets to bring down major commercial websites and other Internet services. For example, a quick search for news about Mirai malware on the popular website Krebs on Security reveals such head-shaking stories as:
- Did the Mirai Botnet Really Take Liberia Offline?
- New Mirai Worm Knocks 900K Germans Offline
- Hacked Cameras, DVRs Powered Today’s Massive Internet Outage
- Source Code for IoT Botnet ‘Mirai’ Released
- Researchers Find Fresh Fodder for IoT Attack Cannons
There are also several articles that presage a coming regulatory battle and legal bullying over the liability issues associated with IoT devices, such as:
- IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers
- Senator Prods Federal Agencies on IoT Mess
Bruce Schneier has also made a good case for governments regulating IoT manufacturers to ensure that the minimum necessary security is built into these “conveniences” if we want to prevent the Internet as a whole from grinding to a halt. After all, if a malicious attack on a DNS provider like Dyn can render major sites like PayPal, Twitter, Pinterest, and Reddit unavailable for almost an entire day, what might a more coordinated attack by a state agent or organized crime syndicate accomplish if they wanted to bring some business or even a country to its knees?
Clearly this problem is going to continue this year and is likely to grow significantly worse before anything happens to make it better. For example, just as I was finishing writing this article I stumbled across a toy doll called My Friend Cayla that can read stories, play games, and — with the aid of a “smart device” connected to the Internet — engage in conversations with the child playing with it, similar to Apple’s Siri or Microsoft’s Cortana. Now what could go wrong with that? Well, say a malicious stranger hacked the smart device that accompanies your child’s doll. The stranger could then make the doll say naughty words to your child or ask it to come outside the back of your house or … see this article in The Mirror, which describes how Pen Test Partners — the same security firm I mentioned earlier — has been able to demonstrate that hacking the doll is quite easy to do. Not that hackable dolls would be a big concern for most businesses, but still — yikes!
What can businesses do?
Until regulation catches up with ongoing innovation, what can a company do to protect any IoT devices it owns from getting caught up in the nets being cast for building botnets? Firewall rules are obviously your first line of defense — you need to configure your router or firewall to allow only legitimate traffic to be transmitted to or received by such devices. You should also create rules that prevent your IoT devices from establishing any outgoing connections to the Internet. And if the devices have any automatic update functionality (which is rare at this point), you should limit connectivity for the device to a specific update server.
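As an added example (not code from the original article), here is an nftables ruleset for a Linux router that applies those three rules to IoT devices placed on their own interface: LAN clients may reach the devices, the devices may never initiate traffic into the LAN, and their only permitted outbound connection is HTTPS to a single update server. The interface names (iot0, lan0, wan0), the IoT subnet and the update server address are assumed placeholders.

```nftables
# Added example, not from the original article. Interface names, the IoT
# subnet and the update server address are placeholders; substitute your own.
define IOT_IF = "iot0"
define LAN_IF = "lan0"
define WAN_IF = "wan0"
define IOT_NET = 192.168.50.0/24
define UPDATE_SERVER = 203.0.113.10   # placeholder for the vendor's update host

table inet iot_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the router has already accepted.
        ct state established,related accept

        # LAN clients may open connections to IoT devices (e.g. to view a
        # camera feed), but only on the ports the devices actually serve.
        iifname $LAN_IF oifname $IOT_IF ip daddr $IOT_NET tcp dport { 80, 443, 554 } ct state new accept

        # IoT devices may never initiate traffic into the LAN.
        iifname $IOT_IF oifname $LAN_IF drop

        # The only outbound connection an IoT device may open is HTTPS to the
        # update server. Everything else, including "customer experience"
        # uploads to a cloud provider, is logged and dropped.
        iifname $IOT_IF oifname $WAN_IF ip daddr $UPDATE_SERVER tcp dport 443 ct state new accept
        iifname $IOT_IF oifname $WAN_IF log prefix "iot-egress-drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # IoT devices may talk to the router itself only for DHCP and DNS.
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
        iifname $IOT_IF drop
    }
}
```

The logged drops show which hosts each device keeps trying to reach, which is what you need to know before adding a control server (for a smart thermostat, say) to the allow list. If the update host resolves to changing addresses, keep it in a named set that you refresh rather than in a single define.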
A bigger problem for IoT devices, however, is that many of them upload “customer experience” data to a cloud provider. The ostensible reason for doing this is to “improve” the device, but even disregarding the privacy issue, the problem is that these devices may not use HTTPS for uploading such information, which can make such traffic more difficult to identify and firewall. Then there are the devices like smart thermostats that may need to connect to their cloud-based control servers to perform their normal function. So I have to say I agree with Bruce that regulation is the ultimate answer here, as I don’t want to have to spend many hours sniffing packets just to try to discover what firewall rules might help to prevent my climate-control system or security cameras or beer-filled refrigerator from being hijacked to bring down Amazon — and risk getting sued for allowing my IoT device(s) to get hacked in this way.
On the cloud front
On the other side of the coin is what businesses can do to protect themselves from becoming targets of IoT-based DDoS attacks, or at least to mitigate the danger of having their business impacted by such an attack should some malicious entity decide to target them. The good news here is that more and more businesses are moving almost entirely into the cloud, and major cloud hosting companies have begun to realize that their customers will need increased protection from DDoS attacks in the coming days. One such cloud company, the biggest by most measures, is of course Amazon Web Services, and they’ve recently released a new service called AWS Shield that’s designed to provide managed DDoS protection that can safeguard web applications running on AWS.
What’s good about this approach is that the onerous task of mitigating DDoS attacks can be offloaded by business customers to a company like Amazon that obviously has a strong interest in carrying that burden for its customers. So instead of having to worry about how you may need to reconfigure your router or firewall to block the latest DDoS attack from beer-crazed fridges, you can let the security experts at Amazon (and they do have some of the best in the business) reconfigure AWS Shield to block the latest wave of attacks.
While Microsoft Azure doesn’t seem to have a similar offering (yet) to AWS Shield, there are some third-party vendors like Incapsula that can help you better safeguard your Azure applications from DDoS attacks. And if you’re using Rackspace for hosting your business services in the cloud, then Cloudflare is an option for better DDoS protection. But kudos to Amazon for offering a built-in DDoS solution for AWS customers — or at least for marketing it as such.