Late last week, users of Twitter, Netflix, Amazon and other popular sites felt the effects of a major distributed denial of service (DDoS) attack against DNS provider Dyn. While investigations are still ongoing, the blame has largely been attributed to a new botnet of Internet of Things (IoT) devices.
On the surface, it makes sense. But looking deeper, blaming the IoT as a whole may be a bit premature.
The IoT is taking a lot of heat for this, mainly because most of the botnet traffic seemed to have been generated by the new Mirai malware, which does primarily target IoT devices.
However, a closer look at Mirai shows that most of the affected devices were not what would be categorized as modern IoT devices, but rather products that most consumers already have on their home networks, such as internet routers, modems, printers and DVRs. These types of devices are easy entry points for attacks, as they are widely adopted and most consumers don’t think twice about their security.
Mirai works by looking for devices that expose remote control services directly to the public internet. These devices are controlled by connecting directly to them from a phone or computer.
The modern IoT devices most of us have heard of, such as Nest or Hue, work much differently. These devices connect to apps and computers through an intermediary web server. This emulates the model that modern laptops and smartphones use to connect to the internet and is much more secure. Unfortunately, if a product is connected to the internet, it’s vulnerable to security breaches, regardless of whether it’s part of this new era of IoT devices.
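The difference between the two connection models can be checked from the defender's side on a router. The following is an added example, not part of the original article: it audits a port-forwarding table and separates devices whose remote-control service is reachable from the internet from devices with no inbound rule at all. The rule format, the device inventory and the port list are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: LAN-side TCP ports treated as remote-control/admin services.
REMOTE_CONTROL_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet (alt)",
                        80: "web admin", 8080: "web admin (alt)", 7547: "TR-069"}

# Constructed sample data: device inventory and the router's forwarding table.
INVENTORY = {"192.168.1.10": "dvr", "192.168.1.20": "printer",
             "192.168.1.30": "thermostat", "192.168.1.40": "ip-camera"}
FORWARD_RULES = """\
# proto  wan_port  lan_ip        lan_port
tcp      2323      192.168.1.10  23
tcp      8080      192.168.1.40  80
tcp      9100      192.168.1.20  9100
"""

def parse_rules(text):
    """Parse 'proto wan_port lan_ip lan_port' lines; '#' starts a comment."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(fields)}")
        proto, wan_port, lan_ip, lan_port = fields
        ipaddress.ip_address(lan_ip)  # raises ValueError on a bad address
        rules.append((proto.lower(), int(wan_port), lan_ip, int(lan_port)))
    return rules

def audit(rules_text, inventory):
    """Return (exposed remote-control services, devices with no inbound rule)."""
    findings, reachable = [], set()
    for proto, wan_port, lan_ip, lan_port in parse_rules(rules_text):
        reachable.add(lan_ip)
        # Match on the LAN-side port: remapping telnet to WAN 2323 does not hide it.
        if proto == "tcp" and lan_port in REMOTE_CONTROL_PORTS:
            findings.append((inventory.get(lan_ip, "unknown"), lan_ip,
                             wan_port, REMOTE_CONTROL_PORTS[lan_port]))
    outbound_only = sorted(d for ip, d in inventory.items() if ip not in reachable)
    return findings, outbound_only

if __name__ == "__main__":
    exposed, outbound_only = audit(FORWARD_RULES, INVENTORY)
    for device, lan_ip, wan_port, service in exposed:
        print(f"EXPOSED {device} {lan_ip}: {service} on WAN port {wan_port}")
    print("No inbound rule (outbound-only):", ", ".join(outbound_only))
```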
That doesn’t mean the IoT is off the hook. What happened with the DDoS attack should serve as an eye-opener for companies looking to connect their products. Security has become increasingly important in our modern, connected landscape, and breaches continue to reinforce the need for rigorous security assessments at the outset of any IoT project.
If companies can learn one thing from this attack and those before it, it’s this: security shortcuts, like weak authentication, only lead to long-term headaches that can shake consumer confidence and ultimately lead to debilitating consequences for an entire industry.
While last week’s events were alarming, the IoT itself shouldn’t take the full blame. Although it may not be easy, with the right priorities, tools and processes in place, it is possible to build a vast ecosystem of connected devices and keep them secure.