Latest DDoS attack exposes significant security vulnerability associated with some IoT devices

One of the great things about this job is that I often get the opportunity to see technologies and how they can be used to help improve efficiencies in myriad ways, from database queries and remote monitoring to video-surveillance equipment and the Internet of Things (IoT), which includes everything from sensor technologies to drones and robots.

It is amazing what engineers and other innovators continue to develop. What began as simple conveniences—remote controls for TVs and garage doors—has matured into access technologies that allow untethered access to the Internet and the ability to use robots/drones to execute dangerous tasks without putting a human in harm’s way.

But these capabilities are not simply a one-way panacea, as there are tradeoffs. In addition to the moral and social implications, the reality is that any technology developed can be used for negative purposes as well as to benefit society.

For example, in an IP-based, all-connected scenario, employees do not have to be tied to a given physical location to monitor the status of an asset half a world away; they can monitor—and often fix, if necessary—that asset from a remote location. But this convenience also means that nefarious characters also can wreak havoc, if they can gain access to the right network.

In some cases, inappropriate access can result in data breaches, malware or ransomware attacks that have become all too common, from every type of enterprise to very high levels of government. In other cases, inappropriate access can be leveraged to execute distributed denial of services (DDoS) attacks, which amount to a digital equivalent of radio-frequency (RF) jamming that can render an otherwise robust network useless.

That is what happened last Friday, when a massive DDoS attack caused Internet outages and brought many of the most popular web sites—for instance, Twitter, Netflix, PayPal, CNN and the New York Times—to their knees. Perhaps even more disconcerting than the outages themselves are reports of how the attacks were perpetratrated: a malware program known as Mirai infected a host of security-challenged Internet-connected assets—from DVRs, surveillance cameras and other devices—that bombarded servers at Dyn DNS Company, which specializes in online infrastructure.

Now, the fact that many Internet of Things (IoT) devices tend to have little or no security included in them is no secret, so the theoretical possibility of such an attack has been discussed for some time. But Friday’s attack was not theoretical; it was very real.

Given this, the episode should serve as a huge wakeup call to the IoT industry and to enterprises—including public safety—that cybersecurity is an area that is in dire need of greater focus. As IoT use cases develop and more entities seek to leverage the considerable functionality that this burgeoning industry can provide, low-security devices cannot be connected haphazardly to critical networks that must function effectively at all times.

Of course, no one wants to burden the IoT arena with so many security requirements that devices become too expensive and complicated to be deployed. Is there a happy medium that provides both security and simplicity? It is a challenge that faces FirstNet with its much-anticipated network, and one that the entire technology community should establish as a top priority.