It’s important to differentiate between two types of attacks on IoT devices: 1) indirect attacks vs. 2) direct attacks. In ‘type 1’ indirect attacks, the goal of compromising IoT devices is to use them to conduct cyberattacks against other external targets. In ‘type 2’ direct attacks, the goal is to conduct some sort of ‘local malfeasance’ right there at the device itself—such as to cause some malfunction or physical damage to the machine/environment that the device is embedded in, or steal data from the machine, or surveil the environment, or gain entrance to the facility, or perpetrate other types of misconduct right there at the device or its immediate vicinity.1
A high profile example of a ‘type 1’ indirect attack was the DDoS (Distributed Denial of Service) attack against Dyn (a major DNS service provider) in October 2016. This attack exploited security weaknesses in tens of millions of IoT devices to create a botnet generating over 1 TB/second of traffic directed at overwhelming Dyn. This made dozens of major internet sites (e.g. Amazon, Twitter, Netflix) and other internet services unavailable to users across large areas of North America and Europe.
Figure 1 - Outage Map, October 2016 DDoS Attack on Dyn, Originating from Compromised IoT Devices
Lack of Market Incentives for Strong Security
Unfortunately, the market rewards time-to-market and lower prices over robust security for many classes of IoT devices, especially for the low-end devices that are commonly hijacked for use in creating a cyber-attack such as IP cameras, home automation systems, home gateways, connected printers, baby monitors, and so forth. The owners of the devices may never even know that they were used for an attack, as the device keeps functioning normally for them. The manufacturers of the compromised devices may, in high profile cases, get mentioned in the press; but so far that ‘shaming’ has not had a big impact on consumers’ decision-making process in selecting devices. One idea is government mandates; in the same way that airbags and seatbelts are mandated in all vehicles, some sort of minimum default security might be required.
‘Type 2’ direct attacks, where the goal is access to the IoT device (and by extension the sensors, machines, and environment that the device is connected to), have the potential to be even more destructive and disruptive. Criminals, terrorists, and malicious foreign governments may seek to hack into an internet-connected lock/home security system to rob or kidnap someone, hack into a car for theft or to remotely kill someone (e.g. by disabling the brakes),2 hack an airplane to crash it, or hack a traffic light system or power system to wreak havoc and hold a city or region hostage. In theory, this should create a much higher motivation to make these devices secure. However, we’ve seen from the track record of non-IoT cybersecurity that too often the same lack of resources or attention occurs, even for high-value targets. Thereby, successful cyberattacks are still very common.
Seven Principles for Stronger Security
The IoT Security Imperative asserts that manufacturers and deployers of IoT devices and systems (especially potential targets for direct attacks) have a moral obligation to vigorously and comprehensively address security. The following seven principles can serve as guideposts to enable stronger IoT security:
Security designed in from the start
Security for legacy and limited resource devices
Granular and scalable security
Protect against social engineering and insider malfeasance
Encourage robust, independent security testing
Prioritize security investments
To learn more about these seven principles, please see 7 Principles for Stronger IoT Security. You may scroll down to the middle of that page to see details of the seven principles. You will also find valuable additional IoT-security-related resources at the bottom of that article.