It didn’t have to happen.
Last month’s massive distributed Denial-of-Service (DDoS) attack on Domain Name System (DNS) service provider Dyn, which used a botnet of thousands of Internet of Things (IoT) devices to disrupt dozens of major websites including Twitter, Spotify, PayPal, GitHub, CNN.com and the New York Times, could “easily” have been prevented.
That contention comes from the Online Trust Association (OTA), creator of what it calls the “IoT Trust Framework,” 31 principles designed to improve the security and privacy of connected devices and data, which it released this past March (see sidebar).
The declaration was not a direct response to the Dyn attack – it came more than a month earlier, on Sept. 8, when the OTA announced that “every vulnerability or privacy issue reported for consumer connected home and wearable technology products since November 2015 could have been easily avoided.”
Not some. Not most. All of them.
Which would appear to run counter to the mantra of every security expert in the world: There is no such thing as 100 percent security.
Craig Spiezle, OTA executive director and former director of security and privacy at Microsoft, agreed that a blanket statement like that, on its face, could easily be interpreted as hyperbole.
“There is no perfect security,” he said. But he added that IoT devices could and should have vastly better security than they do, and if they did, a DDoS attack like the one against Dyn would have been difficult to impossible.
Unfortunately we have yet to see leadership from any of the companies or platforms to embrace these or other security fundamentals.
Craig Spiezle, executive director, Online Trust Association
“What we have observed is that the inherent design of the devices, and their supporting applications, have not embraced security fundamentals nor fully anticipated the need for a security development lifecycle discipline – what we call ‘sustainability,’” he said.
While the mainstream media and some government officials presented the attack as a shocking development, security experts agree that nobody should have been surprised.
Since the “birth” of the modern IoT, said to be around 2008 – the point at which there were more connected devices than people in the world – there have been constant warnings from security experts, in everything from blog posts to television interviews to conference keynotes, that those devices were insecure – catastrophically insecure.
Among the numerous vulnerabilities: most of the devices expose open and discoverable administrative interfaces, ship with factory-default passwords that are shared across an entire product line, and have no capability to be patched or updated.
Experts have warned that an attack surface that broad and vulnerable would prove irresistible to criminal hackers.
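The three weaknesses just listed can be seen side by side in code. What follows is an added illustration, not code from the article or from the OTA framework: a toy `VulnerableDevice` that accepts the same factory password on every unit forever, next to a `HardenedDevice` that provisions a unique per-unit credential, stores only a salted hash, forces a change on first login, locks out after repeated failures, and refuses to expose its admin interface on the WAN side. The `DEFAULT_CREDENTIALS` set is a constructed sample of well-known factory pairs, not a list from the page.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample of well-known factory credential pairs (an assumption for
# this example; a real audit would use a maintained wordlist).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
}


def is_default_credential(user: str, password: str) -> bool:
    """True if the pair is on the known factory-default list."""
    return (user, password) in DEFAULT_CREDENTIALS


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the device only ever stores this, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VulnerableDevice:
    """Weak pattern: one factory password shared by every unit, never rotated,
    no lockout, admin port reachable from the Internet."""

    def __init__(self):
        self.user, self.password = "admin", "admin"
        self.wan_admin_enabled = True

    def authenticate(self, user: str, password: str) -> bool:
        return user == self.user and password == self.password


class HardenedDevice:
    """Per-unit random credential, hashed at rest, forced change on first
    login, lockout after repeated failures, admin interface LAN-only."""

    MAX_FAILURES = 5
    MIN_PASSWORD_LEN = 12

    def __init__(self, user: str = "admin"):
        self.user = user
        self.salt = os.urandom(16)
        # Unique per unit (printed on the label at the factory), never shared
        # across the product line.
        self.initial_password = secrets.token_urlsafe(12)
        self.password_hash = _hash_password(self.initial_password, self.salt)
        self.must_change_password = True
        self.failures = 0
        self.wan_admin_enabled = False

    def authenticate(self, user: str, password: str) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False  # locked out; a real device would require a physical reset
        if user == self.user:
            candidate = _hash_password(password, self.salt)
            if hmac.compare_digest(candidate, self.password_hash):
                self.failures = 0
                return True
        self.failures += 1
        return False

    def set_password(self, new_password: str) -> bool:
        """Refuse well-known or too-short values; re-salt on every change."""
        if is_default_credential(self.user, new_password):
            return False
        if len(new_password) < self.MIN_PASSWORD_LEN:
            return False
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(new_password, self.salt)
        self.must_change_password = False
        return True

    def admin_session_allowed(self, user: str, password: str, from_wan: bool):
        """Returns (allowed, reason). An admin session needs a LAN-side request,
        a successful login, and a credential that is no longer the factory one."""
        if from_wan and not self.wan_admin_enabled:
            return False, "admin interface not exposed on WAN"
        if not self.authenticate(user, password):
            return False, "authentication failed"
        if self.must_change_password:
            return False, "initial credential must be replaced first"
        return True, "ok"
```

The hardened class does not make the device patchable; that is a separate design decision (signed update images and a maintained update channel), but it removes the two properties a scanner relies on: a guessable credential and an admin service answering on the public interface.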