Will our home devices be the next DDoS?

This is a contributed piece by Mike Patterson, Founder and CEO of Plixer.

You would think that if the greater internet community has learned anything leading up to the Internet of Things (IoT) wave of products, it is that security needs to be built into the device from the get-go, but for some vendors, this hasn’t happened. With recent headlines including a serious vulnerability affecting over 120 D-Link products and an IoT botnet launching a 400Gbps DDoS attack, it is clear that consumers are on their own when it comes to securing IoT devices. Who should be held liable for the internet attacks being launched from the IoT devices in our homes, our cars or even in our bodies?

  • The manufacturers who designed and built the devices?
  • The stores and distributors who sold them?
  • The consumers who didn’t secure their IoT device?
  • The internet service providers?
  • The firewall vendors that didn’t stop the attack?

Good luck putting a finger on any of the businesses behind the above - it just isn’t going to happen. You would think that the security responsibility would be improving, but for some vendors it isn’t. Why aren’t all IoT device manufacturers putting in an effort to contain this wild west of cybercrime? After all, it isn’t all that hard to code in good security features on IoT devices. Take Google Nest Thermostats, for example.

The only successful Nest hack reported to date required physical access to the device, which isn’t all that likely to happen because most hackers will move on to find an easier target. However, it is probably just a matter of time before these are hacked as well. Ultimately, there is really only one way to ensure the device isn’t hacked – cut the receive wires. This wouldn’t be a solution for all IoT devices, but in some cases it makes sense.

Consider the latest cars being sold on the market. Many of them are now sending information back to the mother ship (e.g. Toyota), which is turning the information sent from the on-board Digital Communication Module (DCM) in our cars into big data up in the cloud. They aren’t only collecting information about our cars (e.g. speed) and where we are driving, but also sending information down to our cars as well.

“But we won’t sell that data to the police,” said Hiroyuki Yamada, General Manager of the E-Toyota Division.

If a car has the ability to receive instructions from the internet, some might like the ability to sever the receive wires completely.

Hackers have already proven that they can disable our brakes, accelerate the vehicle, deploy the air bags or even turn our steering wheels. If my car is having problems, the auto maker could identify this in the data they received and send me a text message to get the car serviced. My car could receive updates only when I’m at the garage and sitting in the waiting room, not when I’m driving down the road.

Who is going to be responsible and provide compensation if someone is killed because of a hacked automobile? In all likelihood - no one. With credit card numbers, it potentially costs us money, which is frustrating. But with cars, it could cost someone their life.

A lot of diabetics with insulin pumps and heart patients with pacemakers would also prefer a transmit (send) only function in their on-board computers if they knew the devices could easily be turned against them. Instead, a text message warning them to take care of something right away might prove just as effective and be less risky than receiving instructions from a hacked source.

Vendors argue that the benefits of being able to push data down to IoT devices will allow for a better overall user experience, which might be true, but some consumers might want to have a choice. For example, many computers don’t ship with a camera shutter. As a result, all it takes is a clever hacker to activate the camera remotely. Once they have access to the camera, a person could become the next victim of sextortion.

What we need is for some organization to push for legislation like we saw in the banking industry. IoT manufacturers need to:

  • Sell subscriptions for routine updates for the expected life of the product (minimum x years).
  • Fix discovered bugs and vulnerabilities within x amount of time or else suffer a fine per device sold. Money should be held in escrow.
  • Provide full disclosure to consumers when / if their IoT device is hacked.
  • Be subject to auditing on the above to ensure they are compliant.

The “chip card” legislation, on Oct 1st, 2015, puts the cost of replacing stolen credit cards onto the business where the card was stolen. We also need to enforce tougher punishments against the individuals involved with cybercrime.

One thing is for sure: consumers love their IoT devices and more consumables are on the horizon. Just remember, if it has a computer, it can absolutely be hacked and probably will be. Think about the data it will have access to before making your purchase, as most of these computers have both transmit and receive capabilities.

 
