Securing IoT devices requires manufacturer and customer cooperation
The latest distributed denial-of-service (DDoS) attacks have been huge and widespread as hackers have leveraged Internet of Things (IoT) devices to launch these massive attacks, one of which took down a substantial portion of the U.S. East Coast. It is a mix of open source code, third-party vendors and the race to get to market first which has opened the door to a lack of security. Improvements in IoT security will only happen when the device manufacturers and customers share in the responsibility of reducing risk.
Manufacturer Accountability
Companies building and selling IoT devices could be mandated to comply with several security measures. For example, they could hard-code them to limit communication to either RFC 1918 IP addresses or the manufacturer’s own website. Communication with all other IP addresses or domains on the Internet should not be allowed. The default unique password for each unique device should be comprised of 10 or more random characters, making it extremely difficult to guess. By default, devices could connect to the manufacturer’s website every day to check for security updates which can be pushed down to the device automatically. If communication with the manufacturer’s website is lost, the IoT device could cripple itself and partially stop functioning until a successful connection is made. If laws are put in place, manufacturers failing to comply with these types of security measures could be fined for each non-compliant IoT device. By defining rules, the manufacturers can be held accountable for following clearly defined best practices, removing their ability to blame the customer.
Collecting Customer Information
Manufacturers could also collect limited information from the IoT device after it is setup (e.g. contact name, mobile phone number, email address, etc.). This information could be used to confirm activation of the device and to alert customers should the device stop reaching out to the manufacturer. Manufacturers should not be allowed to take any information from the customer’s network other than information defined with government and customer approval.
Customer Accountability
On the other side of the DDoS enigma, companies who want to better protect themselves from participating in a DDoS attack should make sure that the stateful firewall in front of their IoT devices is not a port forwarding to IoT devices. The firewall should enforce source address validation to ensure that IP addresses aren’t being spoofed. MAC addresses should be entered into the firewall as well to make sure they aren’t modified. This is helpful if the internal security team needs to track down the source of an attack when the IP address has been spoofed. In addition, NetFlow or IPFIX data should be collected and the logs from all DNS lookups should be monitored. This information is useful when engaged in incident response.
Customer DDoS Protection Options
Until the above security measures are put in place, companies who want to protect themselves from being a victim of DDoS attacks can work with a DDoS mitigation service. This can help; however, there is a troubling trend where DDoS attacks are becoming too large for these companies to mitigate. This trend is also driving up the fees for these services, placing them out of reach for most small businesses.
Paying out is cheaper
Nearly 50 percent of respondents in a survey conducted by Neustar said their organizations would lose $100,000 or more per hour if a DDoS attack happened during peak business hours. One-third pegged the number at $250,000 per hour. As a result of these business impacting outages, several of London’s largest banks are allocating budget to stockpile bitcoins for the purpose of paying potential extortion fees from cyber criminals threatening to bring down their critical IT systems with DDoS attacks.
Future of DDoS
DDoS will become much more prolific next year. For example, the release of the Mirai source code used in the KrebsOnSecurity.com DDoS attack has increased the number of IoT infected devices from 213,000 to 493,000 in just two weeks. With Gartner forecasting that the “connected things” market will grow from 6.4 billion devices in 2016 to 20.8 billion by 2020, this will be the driver pushing DDoS to a double-digit growth in 2017.
Another troubling possibility is a world where all devices receive a tiny electronic shipping or UPC label which allows them to be GPS tracked. There is even some discussion of these devices using energy harvesting to stay charged indefinitely. Now imagine what happens to that device when it is eventually thrown away and the label stays charged in a landfill where it could eventually get hacked and become part of a massive botnet.
Ultimately, a collaborative approach including IoT manufacturers and customers is needed to help mitigate the risk of DDoS attacks. Beyond this, service providers should be stepping up to take part in solving this problem as well. Service providers can do this by implementing Best Current Practice 38 (BCP38 put forth by the Internet Engineering Taskforce (IETF). BCP38 basically mandates packets should not be allowed to come from a network that doesn’t originate from the assigned address space. This would have an immediate impact on many DDoS attacks.
About the Author: Michael Patterson, CEO of Plixer worked in technical support and product training at Cabletron Systems while he finished his Masters in Computer Information Systems from Southern New Hampshire University. He joined Professional Services for a year before he left the ‘Tron’ in 1998 to start Somix which eventually became Plixer.