October's massive DDoS attack was yet another reminder of the poor state of Internet of Things (IoT) security. The main culprit of the attack was a huge IoT botnet--a network of compromised connected devices being commanded by hackers--which took down services that millions of users depend on to reach major sites such as Twitter, Netflix, PayPal and Spotify.
There's presently a lot of frustration surrounding who is to blame for the mess and general concern over whether the IoT industry is a failure threatening to destabilise the entire internet infrastructure.
The truth is that, at this stage, the IoT security conundrum is a complicated equation that can't be solved by any single party. IoT security concerns everyone, even those who don't own IoT devices or don't know what it is, and it is a problem that needs to be addressed through concerted efforts by all the stakeholders--that means all of us.
Here's how the involved parties can and should react to October's DDoS attacks.
IoT Manufacturers and tech giants
As the entities responsible for all the vulnerabilities that are being found and exploited in IoT devices, manufacturers are expected to lead the main effort to ensure the security of future products and also to look into plugging security holes in currently connected devices.
The painful experience endured by Hangzhou Xiongmai should serve as a lesson to other tech firms. The Chinese electronics manufacturer was forced to recall thousands of its products after researchers found that the firm's webcams accounted for a considerable percentage of the devices used in October's attacks.
Hopefully, the Xiongmai episode will help change the attitude of companies that neglect security and reliability issues for the sake of cutting down costs or shipping products to market before their competitors do. Companies must recognise security as an essential part of product development instead of considering it as an afterthought.
They should also put more care into integrating over-the-air (OTA) update mechanisms into their products in order to be able to patch vulnerabilities without requiring recalls.
Other measures include avoiding bad practices such as static encryption keys and default admin passwords embedded in products.
But product recalls do happen eventually, and companies should be able to prepare themselves for the day they will be required to collect vulnerable devices that can't be patched remotely. The awfully painful and costly process can be facilitated with the help of blockchain technology, which can provide transparency and visibility into the ownership of devices and components and streamline the process of identifying vulnerable products, reaching out to their owners and registering product updates.
Finally, tech firms must cooperate more on regulating and standardising IoT security. We've seen some positive developments in the past year, such as the efforts led by the IoT Security Foundation, which aims to establish guidelines and principles for IoT security. Now, more than ever, tech firms need to support initiatives such as those of the IoTSF.
For their part, consumers must first recognise that they are partly to blame for the lack of security in the IoT industry. With customers being focused on ease of installation and use rather than security, there's no incentive for manufacturers to make more secure devices, and they'll go out of their way to avoid disenchanting users.
While it is the duty of manufacturers to build frictionless security into their devices, customers must come to accept that increasingly connected lives will warrant a change of culture at the consumer level.
This effectively means that consumers must understand that connecting vulnerable devices to the internet will not only harm the owner, but all internet users in general. Therefore they should hold companies to account for insecure devices and be mindful of the security of the devices they purchase.
Consumers should also make it a priority to learn and adopt best security practices for smart homes and offices, such as changing default passwords, updating device firmware and software, and disabling unnecessary features.
With so many vulnerable devices already connected to the internet, internet service providers can play a vital role in preventing IoT devices from becoming instruments of future attacks.
One of the main ways ISPs can help fight against the ill use of compromised IoT devices is the adoption of standards such as BCP38, which is designed to prevent spoofing and amplification, techniques used by hackers to reflect their malicious traffic onto their victims from one or more third-party machines.
However, while BCP38 has been around for a long time, many ISPs ultimately decide not to adopt it due to economic reasons. Hopefully, the October 21 attacks will serve as a wake-up call to ISPs, reminding them that the costs of not adopting anti-DDoS measures can be much heavier and the damage can be irreparable.
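The source-address check that BCP38 asks an ISP to apply at its customer edge, as an added example that is not part of the original article: a packet is forwarded only if its source address falls inside a prefix assigned to the interface it arrived on. The interface names, prefixes and packet records below are constructed for illustration, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed provisioning table: customer-facing interface -> prefixes assigned to it.
ASSIGNED = {
    "cust-a": ["198.51.100.0/25", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.64/26"],
}

# Constructed packet summaries: (ingress interface, source address, destination address).
PACKETS = [
    ("cust-a", "198.51.100.17", "192.0.2.53"),        # source inside cust-a's /25
    ("cust-a", "192.0.2.53", "198.51.100.200"),       # spoofed: source belongs to someone else
    ("cust-b", "203.0.113.70", "192.0.2.53"),         # source inside cust-b's /26
    ("cust-b", "203.0.113.10", "192.0.2.53"),         # spoofed: outside the /26
    ("cust-a", "2001:db8:a:1::5", "2001:db8:ffff::1"),
    ("cust-a", "2001:db8:b::5", "2001:db8:ffff::1"),  # spoofed IPv6 source
    ("cust-c", "10.0.0.1", "192.0.2.53"),             # interface with no assignment
]


def build_filters(assigned):
    """Parse the provisioning table into network objects, once, at configuration time."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}


def permitted(filters, ifname, src):
    """Ingress check: True only if src lies in a prefix assigned to ifname."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # Unknown interfaces have no prefixes, so they fail closed.
    return any(addr in net for net in filters.get(ifname, []))


def filter_traffic(filters, packets):
    """Return forwarded packets and a per-interface count of dropped (spoofed) ones."""
    forwarded, dropped = [], Counter()
    for ifname, src, dst in packets:
        if permitted(filters, ifname, src):
            forwarded.append((ifname, src, dst))
        else:
            dropped[ifname] += 1
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drops = filter_traffic(build_filters(ASSIGNED), PACKETS)
    print(len(fwd), "forwarded; drops per interface:", dict(drops))
```

The per-interface drop counts are the kind of signal an ISP could use to tell a customer that something on their network is emitting spoofed traffic.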
As security researcher Brian Krebs reports, efforts are being led to identify service providers and ISPs that do not filter out spoofed internet traffic and to expose them. This will likely incentivise others to do the right thing. Yet the efforts can truly bear fruit only if major hardware and operating system companies, cloud providers and organisations that deliver major web servers join efforts and create the necessary infrastructure to provide visibility into ISP security practices.
ISPs should also do more to notify customers when devices on their network are sending or receiving malicious traffic. This can help unwary customers find out about compromised devices and take action to secure or isolate them. Unfortunately, many ISPs don't view this as their problem and therefore don't allocate time and resources to it. This too should change in the wake of the massive attacks.
Finally, governments can act as the catalyst that makes sure all the parties do their part and are held to account if they don't. Some notable efforts have been seen, such as a U.S. government-led solicitation to encourage startups to address IoT security issues, and legislation by the European Commission that will beef up cybersecurity requirements for internet-connected devices.
While these efforts are noteworthy, more should be done on the global scale, since cyberthreats know no borders, and in the case of IoT botnets, attacks are carried out from millions of nodes scattered across the world.
With the pervasiveness of the internet of things, only a joint effort can ensure a safe and secure future. Everyone should make IoT security their business, or else no one will be spared.