A cascading string of distributed denial-of-service (DDoS) attacks—most recently taking down parts of hundreds of sites including Twitter, Netflix, Spotify, Airbnb, Reddit and The New York Times—has demonstrated record-breaking volumes that are overwhelming website defenses. The four-fold growth in attack size over the last year is being driven by hundreds of thousands of internet-connected devices hackers are adding to their botnets, according to industry sources.
The attacks and dramatic growth in the strength of DDoS attacks highlight new vulnerabilities and the lack of security in the rapidly growing Internet of Things (IoT) industry.
With an estimated 21 billion devices expected to be connected to the internet by 2020, there is a critical need to ramp up the security of “things.” To do this, the Smart Card Alliance advocates for the addition of embedded security in IoT devices.
The vulnerability exploited in these DDoS attacks is just one of the many potential threats prompting the Smart Card Alliance recommendation to ensure that security requirements are included in the design of IoT ecosystems. This includes how communications with IoT devices are authenticated, how access is controlled, how data is protected, how IoT devices are managed during their lifecycle, and how the IoT device may impact other systems. While there is no silver bullet and effective security must have many levels, for those systems that impact life safety or the functioning of critical infrastructure, the Smart Card Alliance believes the addition of embedded security, which can be implemented using secure chip technology, is a necessity. This is the same technology currently being used in GSM mobile devices, payment chip cards, secure identity tokens and e-passports. Applying these techniques can deliver crucial security mechanisms for authenticating and authorizing access to the billions of connected IoT devices, and for protecting the data being generated by or delivered to them.
According to the Smart Card Alliance, every IoT device serves as a potential entry point to a broader IoT ecosystem. These devices can become part of wider botnets, where many different devices – all connected to each other, all network-enabled – can bombard targets with crippling volumes of data, making it harder to detect and respond to DDoS attacks. If successful, these types of attacks can negatively impact businesses through unnecessary service disruption causing consumer frustration, loss of business productivity and profit, and exposed security vulnerabilities.
“These recent attacks, one of which was more than four times the size of the largest reported attack last year, are comparable to the massive payments data breaches that have been in the spotlight over the past few years,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “This is just the latest example of the IoT vulnerabilities that exist today, demonstrating why the security of things is so critical. To protect connected devices and their data, the IoT industry needs the attention, coordination and commitment to security that the payments industry is putting into securing payments.”
Embedded security can establish the “identity” of each device, ensure that access to the device is only allowed to authenticated and authorized entities, and protect the data being generated by or delivered to the device. These are fundamental requirements to prevent unauthorized tampering with how these devices are designed to work, and to protect the privacy and security of the vast amount of data the devices generate.
The Smart Card Alliance formed its Internet of Things Security Council to provide a single forum where all industry stakeholders can discuss applications and security approaches, develop best practices and advocate for the use of standards for IoT security implementations. The council welcomes organizations involved in the many IoT ecosystems to participate in these efforts, as well as to network and share implementation experiences. More information about the council is available at http://www.smartcardalliance.org/activities-councils-internet-of-things-security/.
The Council initiative addresses in part the call from noted security researcher and author Brian Krebs for industry associations to start addressing IoT security issues. His own popular cybersecurity website, “Krebs on Security,” was an early victim of the recent spate of record DDoS attacks.
These topics and more were the focus of the Smart Card Alliance’s October Security of Things 2016 conference, held in Chicago. For a recap of the event, visit http://iotsecurityconnection.com/posts/security-of-things-2016-recap.