IOT VIEWPOINT: DDoS Attacks and IoT Security

Friday October 21st raised a three-alarm emergency for IoT security.

The Distributed Denial of Service (DDoS) attack on Dyn, an East Coast-based company that monitors and routes Internet traffic, brought down major Internet sites in the U.S. and U.K. for the better part of a day. It also put a spotlight on future threats that may loom for unsuspecting consumers with unprotected IoT devices. This particular attack used insecure devices, such as IP-connected cameras with weak security policies, as tools to perform the attacks through malware.

Thankfully, to our knowledge, no Arrayent-enabled products have been impacted by this recent ‘Internet storm.’ And we have been working closely with our customers to monitor the situation.

Curiously, the attack happened in the middle of National Cybersecurity Awareness Month, which was designed to be an annual education effort for consumers. The reality of last week’s attack probably did more to bring both industry and consumer awareness to the problem than almost anything in the campaign’s 13 years of existence.

Unfortunately, some IoT devices, particularly those launched in the early days of connected devices, lack basic cybersecurity protections such as strong passwords and encryption. But even for devices that have the basics, consumers are often unaware and uneducated on how to best secure them.

As analyst Ben Bajarin of Creative Strategies pointed out in a thoughtful Techpinions blog last week, “The challenge the industry has is to bear the burden of taking the necessary steps to provide increased security and encryption of these devices because the reality is many consumers will not know to take additional measures themselves.”

As a company that runs an IoT platform, we take security seriously. We know it matters deeply to our customers, big consumer brands, and their customers. That’s why we advise our client companies that security has to be built into connected products from the beginning and not as an afterthought.

At Arrayent, our core belief is that the best defense is a good offense, and that includes architecting systems based upon proactive authentication and authorization. We also believe that the ‘things’ in IoT should remain ‘things’ and not require additional specialized chipsets with copious processing and memory capabilities, which can increase costs and introduce security flaws. Our mantra is that the cloud is inherently safer and is where increased computing requirements should be located, rather than within the devices themselves. While clouds are not impossible to hack, if approached correctly they are fundamentally more secure, being harder to exploit than consumer-managed devices on the ground.

Different IoT platforms approach security in different ways. Big brands that have a lot to lose put enormous scrutiny on the IoT platforms they choose to connect and manage their IoT products. In the end, our entire industry must step up its efforts and be prepared for new attacks. We must continue to advance security technologies and techniques and be vigilant in our product design and implementation to try to prevent those attacks.

Lastly, we believe the fight for cybersecurity today relies too heavily on a partnership with consumers taking required steps to secure their own devices. Ultimately, devices should maintain high levels of security without requiring users to jump through hoops. A user-centric view of security design should be a top requirement of companies focused on IoT. The very adoption of connected consumer products may hang in the balance.