Just two weeks ago, a zombie army made up of about 100,000 home security cameras and other IoT devices brought several of the world’s most popular websites grinding to a halt for several hours – preventing millions of people from shopping online, enjoying music and accessing social media.
And while the two attacks were turned back that day, the much bigger problem is that it can happen again – particularly with so many IoT devices coming online every day.
Hackers took control of the household devices with malware called Mirai and ordered their robot minions running Linux to direct huge amounts of bogus internet traffic at Dyn, a corporation that is a major provider of Domain Name System services to other companies. Essentially, the sheer volume of the traffic caused the servers to crash – a distributed denial-of-service (DDoS) attack.
After it realized what had happened, Dyn was able to fend off the attacks that took place everywhere from America to Australia. The FBI and Department of Homeland Security are still assessing the aftermath.
But everyone already knows one thing. The devices in the Oct. 21 attack were hijacked because they were smart enough to provide a gateway to the internet, but either too dumb to distinguish between friend and foe or not provided with secure passwords. They generally were powered with lower-end microprocessors or did not have software with good protocols and passwords to prevent the security breach.
Security can be a matter of simple economics: It costs more to produce an IoT device with a robust firewall than a cheaper unit that can be easily hacked. Higher-end microprocessors may cost $2 to $5 more per unit, and the cost of embedded programming and circuit design has to be spread over the life and volume of manufacturing. All of that adds up to a higher price tag on store or online shelves.
We help customers on a weekly basis to decide on the power of processors, design of circuits and embedded programming in a cost-benefit analysis as we design and prototype their electronic products. Security remains a key consideration that we emphasize with all our customers. But it’s not necessarily an easy decision.
A casual observer may think it’s obvious to “pay extra for better security,” but will a $5 difference in the product price cause shoppers to choose a competitor’s dumber and less secure model? Do consumers really see the value of security? Do consumers even know how to assess whether a product is more secure? There isn’t a standardized rating system as we have with car safety.
Security professionals had been anticipating the Oct. 21 attack. Software that crawls the internet to find unsecured devices is freely available, and hackers released the Mirai software weeks before the event. While companies like Dyn can defend and react, the only real way to protect against such future onslaughts is to enhance the security for IoT devices that connect to the internet.