Mirai - How a Botnet Made IoT a Security Reality

Following the news of the 1Tbps DDoS attack on DNS provider Dyn last week, which was apparently enabled using the power of IoT devices, the buzzword is well and truly back in the headlines.

Much of the conversation and media coverage that I witnessed afterwards discussed the concept of IoT, and how the computing power of routers, TVs, thermostats and kitchen appliances was harnessed to enable such a severe denial of service on some of the internet’s most popular applications and websites.

I’ve been hearing about IoT for a number of years, but it was not until 2013 that I understood what the concept was about, and sometime after that the term, defined as the concept of connected devices, became more of a reality.

Since then, it has become one of the main talking points of current IT security, both from a data access perspective and as the new entity connecting into your network. If the DDoS has taught us anything, it is that collectively these devices are fairly powerful, and that users do not change their default configurations or the default access to them.

The solution to this problem lies in three main options as I see it: launch awareness campaigns encouraging people to update their security settings; build the devices with security in place from the outset, so that multiple and widespread access to them is not as feasible; or introduce some sort of regulation that ensures that IoT devices are secure.

Amusingly, the last of these seems to be the most likely. Cryptography legend and Resilient CTO Bruce Schneier said in an article that “Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks”, and that “Security engineers are working on technologies that can mitigate much of this risk, but many solutions won't be deployed without government involvement.”

Research released this week by Gemalto found that the UK is experiencing a demand for IoT-related skills, with cybersecurity vacancies in particular showing an increase of 73% over the last 12 months, a 43% rise in companies looking for people who can build security architecture, and demand for security engineers rising by 9%. The median salary for a data manager also grew by 7%.

Nicolas Chalvin, vice-president of IoT Solutions and Services at Gemalto, called the growth in demand for IoT “encouraging”, as it shows that organizations appreciate the need to secure the data that they collect.

He said: “Growth in smart cities is building interest in IoT but in order to get ahead, companies need to be looking for a range of skills, not just one, to set them apart from their competitors. As a result, we’re starting to see new roles such as IoT Architect and IoT Engineer being introduced to the market as companies look for the best way to tap into the IoT market.

“As more IoT projects go live, keeping these secure is vital to ensuring consumer confidence in their usage, protecting confidential data and making them a success.”

On 6 December, the difficulties of securing IoT within businesses will be discussed by a panel at Infosecurity Magazine’s conference in Boston, asking “What is the Real Risk for Enterprise Cybersecurity?”

With more and more devices connected to local area and even wide area networks, and now smart grids and physical security systems also being connected for convenience, security is the issue that suffers. In particular, the attack surface increases as products are not being designed with security in mind.

In the panel, the speakers from the worlds of academia, project management and healthcare will look at this issue, how it is affecting businesses and most importantly, how to meet privacy and security standards in a connected world.

Mark James, security specialist at ESET, said that one of the biggest problems with IoT is its lack of security, as the race is on to get customers involved with a product.

“The divide between usability and security is hard to get right at the early adoption stage,” he said. “People like ease, sadly the average user will very often choose ease over security and if offered cheaper or safer, will choose cheaper every time.

“IoT device manufacturers have to design security into their products from day one; it has to stop being an afterthought or sadly in some cases no thought. As our digital presence expands we need to accept security is everyone’s responsibility, if we stop buying insecure products and force the manufacturers to make better and safer products things will have to change.”

If we did not consider IoT to be a concern until the start of this month, then the reality of connected devices has now hit us directly where it hurts: on some of the internet’s most prominent applications. How we deal with this now, and how we recover, repair and prepare in order to make sure it does not happen again, is a key challenge for business and IT security.
