To secure the IoT, consumers must be taught to pressure manufacturers into making devices secure by design, but that education must come from the industry itself.
The rapid growth of the Internet of Things (IoT) and the ever increasing number of cyber attacks seems to go hand in hand. Correlation is not necessarily always causation, but in this case it seems pretty cut and dry.
Consumers are scrambling for the latest low cost gadgets but security is usually the first thing to go when keeping costs down. In order to encourage a more secure environment it’s the consumer who is key to driving demand.
Astronomical numbers of new devices come online each year as connectivity is key, and with 5G on the horizon it’s looking more like a double edged sword, sacrificing our security for speed. According to ABI Research, by 2020 there will be 40.9 billion active wireless connected devices and this will largely be non-hub devices like sensors. IDC forecasts that by 2020 the worldwide market for IoT will surpass $3 trillion.
Unfortunately, the cyberattacks, particularly botnets, have become increasingly capable and ruinous in nature. In 2016 the Mirai botnet managed to utilise 100,000 systems running Linux to initiate the 2016 Dyn cyber attack, the attack caused the internet to become unavailable for large swathes of Europe and North America and shut down the country of Liberia’s internet infrastructure. One of the things that made this botnet so dangerous was how it utilised IoT devices which in the past were traditionally non-digital, such as remote cameras and various sensors around the home.
More than 14,000 domains, 8% of their customer base, ceased operations with Dyn in the wake of the cyber attack, which at its height was capable of generating over 1TB of traffic per second. Is it right that the company suffered due to easily manageable problems? Problems which could have been prevented if home devices were secure by default. Should customers demand more from manufacturers to prevent future incidents? Does the blame ultimately lie with consumers, manufacturers, or domain providers such as Dyn themselves?
When asked about this Raj Samani, EMEA CTO, Intel Security, told CBR: “We are all buying these devices which are vulnerable as anything and next, a company like Dyn lost 14,500 customers and they didn’t do anything wrong. They did not do anything wrong.”
Samani emphasised that companies should be responsible for data breaches, such as the 2015 attack on TalkTalk, which easily bypassed glaring flaws in the Telcos security and stole nearly 157,000 users data. Things of that nature should be stopped by the companies, but botnet attacks are a different beast due to their root causes.
Expanding on this Samani: “Look at the last Telcos that were hit, they were fined $400,000 and they lost a tonne of customers and you go okay that was a secret objective attack that should have been stopped. But now you’re having countries who are being taken out, companies who are losing tens of thousands of customers because as a society we are releasing products that just simply aren’t fit for purpose.”
The Mirai botnet and subsequent Dyn attack are so important because the idea of a 1TB a second DDoS attack had not previously been conceivable, and the idea that previously non-connected devices could be used in this way had not been taken seriously. However, with the increased growth of the IoT should Dyn have been prepared to deal with traffic spikes of this magnitude if the threat was there?
It also makes sense to point fingers at the manufacturers, after all they are the supply of these unsecured IoT devices. Although, unless they’re absolutely forced to implement security then they are very unlikely to raise their own costs to introduce something customers are not demanding. Should Consumers then be blamed? They are the ones who drive the market demand, and they do need to properly understand the reality of what unsecure devices can do, as these devices are putting everyone at risk.
A recent survey from Firefox developer Mozilla found that among 30,000 people from Europe and North America, just 9% believed they knew enough to protect themselves online, 74% said they knew a little but not enough, and 11% said they knew absolutely nothing and needed help.
Samani said: “We’ve always maintained this disposition which is do your due diligence and if you do the right things then the impact is not going to be as significant, right?”
Clearly people are not capable of doing their due diligence as a large section do not know what is required of them when it comes to online security.
These problems are also only likely to increase in future unless adequate action is taken, Samani said: “5G is going to provide more functionality for people to put more connected devices on and that’s great, but are they considering if it’s secure by default? And the answer is usually ‘what does that mean?'”
“I say no, that’s not good enough, it’s not acceptable. We’re providing consumers with a road to be able to do anything they want, and the network to do anything they like when what they’re bringing onto this road is just three-wheelers without any seat belts, airbags, or any consideration about safety. It’s not sensible.”
What this means is that as consumers acquire and install these new devices they are simply not considering the security implications that they carry. An internet connected kettle that is not properly secured, can be easily re-purposed by malicious software, and then made part of a botnet, something which can have dire effects for companies and consumers alike.
Samani, elaborated on this point by telling the story of how his brother bought an internet connected doorbell who, when asked about the device’s security, said he didn’t care.
He added: “I said this is why it’s important, because it’s not just about you. It’s actually the fact that you couldn’t access Spotify that day, that’s because of you. The fact you couldn’t go on Reddit, that was because of you. The fact that your company is having a 1TB DDoS attack is because of you, it’s because of that attitude.”
“You were buying these products and you didn’t really care about security, you only worried about the price. Well actually, here’s why you should be asking these questions ‘is it secure by default’ is what should you be asking.”
Educating the consumer is imperative to solving the security crisis and there are a number of ways to do that. Samani said that consumer must be informed on a more personal level of how their products affect the infrastructure as a whole. It’s one thing to warn them of DDoS and unsecure IoT but these words generally don’t mean anything to the average consumer. If consumers were told an unsecure device could affect their internet access or affected by criminals, they would probably be more likely to take steps.
When asked about how to help rectify these problems Samani said: “We as a society have to articulate the problem in a better way and I don’t think we’ve done that enough. We’ve talked about bits and bytes but for the consumer we’ve got to say here’s why it really matters.”
Intel Security recently ran a test that found an unsecured router, put into standby mode, could be compromised in just sixty seconds. Something which means a public not educated on online security is a very dangerous prospect.
But is the consumer squarely to blame? Ondrej Vlcek previously told CBR: “Is it the consumer? I’m not sure because what’s in it for them? I think this needs to be the responsibility of the industry that surrounds the IoT space, the hardware manufacturers, maybe in cooperation with guys like us.”
“The sad reality though is that these manufacturers are under super heavy pressure on margins and additional investments in better software and security are going against their interests of cutting costs. It’s a pretty difficult problem overall throughout the whole industry that we somehow have to solve.”
In February, Avast published research that found almost 500,000 unsecure smart devices in Barcelona alone, and over 5 million in Spain. Stating that attendees of the annual Mobile World Congress could have easily been watched, recorded, or live streamed directly onto the internet through unsecure IoT devices.
It seems that there is no clear answer on what approach needs to be taken, or even where the responsibility falls. Seeing as how this is an increasingly global issue, the country of Liberia had its entire internet infrastructure taken offline at the hands of Mirai, perhaps a combination of both industry and government led initiatives, as well as increased consumer education is needed.
When asked about the future of cyber security, Samani said it was imperative that security efforts are not outpaced by hackers, as there is no alternative.
“This 5G world is going to be bringing devices which are going to be controlling your medication, it’s going to be driving your family around, it’s going to be cooking your dinner.” he added.
“If they’re not secure by default, well, I don’t know about you, but it’s not a world I want to live in, it’s not a world I even want to think about. We have to do it right.”
A chilling portent.