IoT Security Is A Mess That Will Take An Age To Fix

Image: Shutterstock

Barely a month since Brian Krebs’ website was temporarily knocked offline by an — at the time — historically large Distributed Denial of Service (DDoS) attack another, even larger, DDoS attack has caused havoc with websites all day.

This latest attack has targeted DNS provider Dyn. Sites including Twitter, Spotify, and Reddit were reportedly suffering due to the attack on Dyn. The source of the attack appears to be similar to that of the one that attacked Krebs: millions of poorly secured Internet of Things devices, such as security cameras and Digital Video Recorders.

The ease with which hackers can exploit security vulnerabilities in these cheap and plentiful devices to enslave them into million-strong zombie armies is disturbing. It threatens the reliability of the Internet upon which millions of people have come to depend.

This isn’t a new issue. Exploiting vulnerabilities in the Internet’s mechanisms was known about at least as far back as 2005. There have been flaws in Philips’ lightbulbs, Google’s Nest, and basically everything else, according to HP back in 2015.

Paul Vixie, one of the Internet’s founding fathers, issued warnings about it back in 2012 while the DNS Changer botnet raged. Since then, botnets and DDoS attacks have become orders of magnitude larger and more destructive. The flood of new Internet connected devices only increases each year, as the hype train gathers speed and those with dreams of striking it rich join in with this latest gold rush.

The problem is extremely difficult to solve, and at its heart is an economic conundrum.

The security flaws are in the software, rather than a simpler material or design flaw in a purely hardware product. New issues can be discovered years after the original product was created. Manufacturers stop supporting older devices, and don’t release new software for them, because why should they? Security is challenging to do well, which increases the cost. Consumers demand new features and lower prices, and to be slower and more expensive (though more secure) means death for the company that attempts it.