A couple of years of boundless optimism about the Internet of Things has been tempered by the recent DynDNS attacks. Suddenly thought pieces are proclaiming that the IoT might be set for an early death, with consumers, businesses and facility managers fearful of the potential security risks to their data and environmental controls.
While we should all be more vigilant about the security of our digital data, this sort of prophesying is jumping the gun. Like disasters in other parts of our infrastructure, these attacks ultimately serve as a lesson that should inform the creation and use of IoT devices going forward.
Consumers are a likelier target
When you think of IoT in the home, you think fridges and washing machines. These devices are built to massively varying standards and would be expected to last half a decade or more. Microsoft has ended software support for operating systems used by tens of millions of people after less than a decade. The influx of Smart TVs was an early indicator of this problem. Early adopters will have found that many of the included apps don’t even exist anymore.
This is not to mention the litany of smaller devices that are indulgently being connected to the internet, from the more reasonable – heating and baby monitors – to ‘smart’ toothbrushes and piggy banks. So many models are created with such different specifications that it simply isn’t cost effective for manufacturers to keep them all up-to-date through their entire lifecycle. Combine this with a propensity to leave routers insecure for convenience or through a lack of technical knowledge, and consumers make a far bigger target for access and appropriation than security conscious businesses.
DDoS =/= data breach
The devices in this distributed denial of service attack (DDoS) were hijacked with the intention of harnessing their power to send data, not to access it. These volumetric attacks bombard data with the aim of shutting a website or network down, but this is purely disruptive. With the tools they used to auto-locate and access vulnerable devices across the internet, it would be obstructively difficult to figure out what belonged to who.
With a large enough shield it is possible to deflect even the biggest attacks. Cloudflare is an example of a DNS company which also provides businesses with the capability to ward off attacks of this magnitude. In Layman’s terms, this kind of attack is rarely deployed to steal data, only to soften up a website and stop people from accessing it. The more destructive effects of hacking are generally harder and involve fewer devices, which makes them easier to trace.
You can protect against it
While consumers tend to ignore updates, you definitely shouldn’t. Integrate updates as part of your security strategy, and make sure you only allow internal access to IoT devices. The Internet of Things connected to a BMS can be more like an Intranet of Things, with devices only reporting to an internal hub with its own stronger protection. Increasingly cloud solutions are allowing DNS enabled IoT devices to update themselves, and learn from others across the manufacturers’ network (you may have seen Tesla’s cars doing this to improve their self-driving capabilities).
In this case a large portion of security responsibility is ceded to bigger companies who are better equipped to deal with it. And if someone gains access to one device that doesn’t necessarily mean they can do anything to the wider network, or even do much with that device, depending on what the backend is capable of. Indeed, many of the same tools hackers use can also be wielded against them. Services like Shodan, which allows you to search the web for unprotected IoT devices, also allow you to check your own systems for weaknesses.
AIl developments are improving network security
Deep learning is allowing systems to be reactive and adapt to threats, and means of protecting against these kinds of attacks are improving. Innovative solutions like Netflix’s Chaos Monkey randomly stress-tests their colossal network, while multiple DNS providers allow them to mitigate risk by spreading the damage. And as algorithms and better mobile processors boost the capabilities of smart devices, they will stop simply carrying out orders given to them and reporting in on it and start making more decisions for themselves. This has the potential to bar certain dangerous inputs against human interference, based on their readings of the surrounding environment.
Much of the talk around regulating the dangers of AI is about so-called Guardian AI – machines keeping tabs on machines. This may well be the future of network security; ‘stupid’ networks of sensors with a more intelligent and capable overseer, reacting to attacks in the same way an onboard computer might dodge lasers on a sci-fi spaceship. LiveScience already describes a ‘code jam’ event where a system was breached and patched its own vulnerability in under 15 mins. In a DDoS attack the weight of numbers will always be a difficult barrier, but in more substantive hacks a smart enough system could fight off bigger forces with relative ease.
Attacks will bolster the IoT
Security experts have long warned that the IoT could open up vulnerabilities in networks. Following an attack of this scale, it’s fair to say governments and businesses will be pushing for greater safeguards. Several manufacturers of devices used in the attacks have already owned up and issued updates, encouraging users to install them, including one major manufacturer in China. Given the size of the country, its manufacturing output and the growing demand for consumer goods, this is a vital area for IoT expansion and security. The ability to use botnets should scare China as much as anyone else, as should the ability to compromise networks in a country that values its Great Firewall and the integrity of its national network.
Devices will improve their storage/processing power, utilising stronger security protocols and better checks on access attempts. They will be sent out with unique admin passwords much as many routers are, ensuring that they cannot be ‘bruteforced’ by guessing common phrases. The software side will be given more focus by manufacturers, with attempts to ensure it is user friendly and easy to update. And updates will be pushed more regularly, working in conjunction with security experts. This is all speculative, of course, and as with most things it will be driven by the market. But rather than abandoning the IoT altogether, it’s likely that people will spend more in order to feel safer. That, more than harsh words, may change things for the better.
MCS delivers integrated real estate, workplace and facility management software solutions for large private or public sector organisations, helping to improve real estate performance in terms of total cost, risk reduction, employee satisfaction, brand perception and sustainability.