Friday’s distributed denial-of-service attack on domain name service provider Dyn may have seemed like the end of the world for millions of Netflix, Twitter and Spotify users, but security professionals say the service disruption was merely a nuisance attack – although an eye-opening one – compared to the potential damage that can be unleashed by billions of unsecure IoT devices.
“It’s really just the tip of the iceberg,” says Nicholas Evans, vice president and general manager within the Office of the CTO at Unisys, where he leads its worldwide applied innovation program. “You can grade the threat intensity as the IoT devices become more autonomous, like self-driving cars, or more controllable, like some of the factory-type devices that actually manipulate the physical environment. That’s where the real threat is.”
Some 20.8 billion things could be connected to the internet by 2020, according to research firm Gartner. That’s about 5.5 million devices added every day, fueled by more affordable and ubiquitous sensors, processing power and bandwidth. Also by 2020, more than half of major new business processes and systems will incorporate some element of the IoT, according to Gartner.
Friday’s attack brought glaring attention to the potential danger of having billions of devices connected to the internet with little or no cybersecurity protections. The DDoS attack used malware called Mirai to infect tens of millions of internet-connected devices found in businesses and homes to disrupt service at many popular sites.
Gigamon security consultant Justin Harvey blames the device manufacturers for the Dyn DDoS attack, but he also acknowledges that most ISPs could do a better job with security.
“I’m critical of the IoT vendors who are rushing their products out there, because there is an IoT gold rush,” Harvey says. Cheap IoT devices have become even easier to produce as hardware manufacturers develop inexpensive devices that run Linux and can perform many home monitoring functions such as controlling a thermostat. Those vendors “are focused more on rushing to market and not with security. [As a result] they’re shipping an insecure product with absolutely no oversight or consequences if and when it goes bad. Their view is that it’s up to the customer to secure those machines or change passwords.”
Indeed, one of the main problems compounding the situation is that security is often an afterthought, usually bolted onto solutions once issues arise, Evans says. IT security experts and IT managers have been calling for security to be built into device designs for decades, just as they had in the past for a long line of technology innovations ranging from the Web, to mobility and cloud computing, and now IoT.