Ben Dickson shares his thoughts in this blog which was originally posted here on Tech Talks Blog.
Following last week’s DDoS attack against Dyn, which was carried out through a huge IoT botnet, there’s a general sense of worry about IoT security—or rather insecurity—destabilizing the internet or bringing it to a total collapse.
All sorts of apocalyptic and dystopian scenarios are being spun out by different writers (including myself) about how IoT security is getting out of hand and turning into an uncontrollable problem. There are fears that DDoS attacks will continue to rise in number and magnitude; large portions of internet-connected devices will fall under the control of APT and hacker groups, who will censor what suits them and bring down sites that are against their interests. The internet will lose its fundamental value. We will recede to the dark ages of pre-internet.
That might be stretching it a bit, but the idea is that at the moment, IoT botnets are one of the biggest threats to internet stability, and there seems to be no stopping their growth because neither manufacturers nor consumers are concerned with IoT security, and as a result millions of new vulnerable devices are plugged into the internet every day, providing botlords with fresh new conscripts for their zombie armies.
But the silver lining in the entire Dyn episode is that it has served as a wakeup call for companies developing IoT solutions. Shortly after the attack, news broke that hacked products belonging to a certain Chinese electronics component manufacturer were the main culprit behind the Mirai botnet that launched the attack.
The company was forced to recall its products in order to patch them or replace them, which is pretty challenging because it develops and sells white-label products, which means many of its customers might not even know they are using its components. And there will always be some residual damage, as it’s virtually impossible to recall all devices, which means some will still roam across the internet with old vulnerabilities remaining.
Aside from the financial damage and the costs incurred from the recall and replacement, the company has suffered a huge blow to its reputation, and will have to try hard to regain the lost trust of its current and future customers.
This will serve as a warning to other companies that are in a hurry to avoid missing their share of a market slated to grow to multi-trillion dollars in the next years, and are shipping out products without testing and vetting them for proper security and reliability. They will finally come to realize that it is in their long-term interest to include security as part of the development process, rather than approaching it as an afterthought and focusing on the fast shipment of their products.
Many companies don’t even have the in-house expertise and know-how to deal with security issues in connected environments. They’ll have to either acquire the talent or outsource their security procedures. But it’s not something they can do without if they wish to survive the trials that await them.
They will also become more wary of the third party components they integrate into their products. As a result, component makers—like the one that was exposed after the Dyn attack—will also have to be more careful about what they’re selling to their customers.
And they’ll have to provision for the day security flaws surface in their products. Many IoT devices don’t have any means for updates and patch installation. In order to avoid the time-consuming and costly process of recalling products, manufacturers will have to embed over-the-air and online updating mechanisms, which will also make it easier for consumers to keep their devices up to date with the latest patches.
The overall result will likely be a slowdown of the IoT gold rush, which is a good thing. Newcomers as well as veterans will have more time to think meticulously about the design of their products and put more energy into securing their devices and preparing them for future developments and changes. Improved resilience and flexibility will be a positive byproduct of the process.
All in all, although Friday’s attack was painful, it will help mature the IoT industry. From now on, manufacturers will either have to bake security into their products, or will have to wait for a security disaster to force them to either go out of business or fix their mess. Any rational mind will choose the former.
So things are not as bad as they seem. This is what I call the self-regulation of the IoT industry. Wonderful, isn’t it?
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.
Here at IoTSF our mission is to unite the efforts of diverse IoT stakeholder groups to raise the bar on security. That’s a truly noble and worthwhile cause – and it’s also a mighty tall challenge. It’s such a huge task that we can only meet our vision of safety of connection by working with many, and prioritising our efforts. Both industry and market need to adopt the concept of a “chain of trust” which will allow each player to identify trusted suppliers and in turn provide trusted products and services to their customers.
To support the supply chain of trust concept, the IoT Security Foundation has established 5 priority working groups. Each working group has an Executive Steering Board champion and is driven by the efforts of the Foundation’s members.
The initial groups are:
2. Connected Consumer Products
3. Patching Constrained Devices
4. Vulnerability Disclosure Guidelines
5. The IoT Security Landscape
IoTSF invites all parties involved in providing, specifying, supplying and using IoT technologies to collaborate and support its vision of the supply chain of trust.