The IoT is expected to comprise 20.8 billion devices by 2020, with Gartner estimating that 5.5 million new “things” went online daily during 2016. Nevertheless, as Forrester analysts emphasize, robust IoT security remains mired in the “creation phase” along with nascent interoperability standards.
Unsurprisingly, malware targeting IoT has matured considerably, with the number of attacks focusing on IoT devices multiplying in recent years. According to Symantec, lackluster security makes IoT devices a soft and appealing target for attackers. This is because embedded devices rarely receive any notable firmware updates and are typically only replaced upon reaching the end of their respective lifecycles, which may be considerable. Moreover, victims may be unaware that their connected devices are compromised. Indeed, a recent Network World report confirmed that an IoT security camera can be infected with malware merely 98 seconds after going online.
As more and more “things” connect to the Internet, the danger of nefarious attackers exploiting unsecured devices looms ever larger. It is therefore important for the industry to be cognizant of the very real threat posed by vulnerable IoT devices. Once infected with malware, IoT devices are often hijacked and instructed to join botnets that execute distributed denial-of-service (DDoS) attacks against Internet services.
DDoS attacks are frequently executed by botnets comprising vast numbers of exploited IoT devices. The issue of protecting Internet infrastructure companies and services from DDoS attacks should be addressed separately, although this poses its own challenges and (alone) will not be sufficient to mitigate the risk.
Nevertheless, protecting IoT endpoints from being hijacked and used in a botnet can reduce the overall effectiveness of DDoS attacks by depriving attackers of access to potential endpoints. Indeed, securing the internet connectivity of IoT endpoints acts as a critical bulwark against nefarious botnets that exploit and recruit hundreds of thousands of defenseless “zombie” devices.
Put simply, an attacker cannot add a device to a botnet without establishing an unauthorized communication channel. Allowing only legitimate, verified cloud services to communicate with IoT devices will help prevent the creation of such rogue channels. This paradigm, facilitated by a device-personalized hardware root-of-trust, ensures that each IoT endpoint can only connect to an authorized service, thereby thwarting unauthorized access to the device and potentially exploitable design vulnerabilities. In addition, each IoT device is uniquely and cryptographically verified to determine if it is authorized to connect to a specific service, protecting the service itself from malicious or compromised endpoints.
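The two-way check described above can be sketched as a mutual challenge-response. This is an added example, not code from the article or from any product it describes. It assumes a per-device symmetric key standing in for the secret held by the hardware root-of-trust, and the names `Device`, `Service` and `tag` are hypothetical; the article does not specify a protocol.

```python
import hashlib
import hmac
import os

def tag(key, role, device_id, n_dev, n_svc):
    # Length-prefix each field so the MAC input is unambiguous; binding the role
    # and both nonces stops a tag from being replayed or reflected back.
    parts = (role, device_id, n_dev, n_svc)
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Service:
    def __init__(self, device_keys):
        self.device_keys = device_keys      # device_id -> per-device key (assumed enrolment store)
        self.pending = {}                   # device_id -> (n_dev, n_svc)

    def respond(self, device_id, n_dev):
        key = self.device_keys.get(device_id)
        if key is None:
            return None                     # device is not enrolled with this service
        n_svc = os.urandom(16)
        self.pending[device_id] = (n_dev, n_svc)
        return n_svc, tag(key, b"service", device_id, n_dev, n_svc)

    def verify_device(self, device_id, device_tag):
        nonces = self.pending.pop(device_id, None)   # one attempt per challenge
        if nonces is None:
            return False
        expected = tag(self.device_keys[device_id], b"device", device_id, *nonces)
        return hmac.compare_digest(expected, device_tag)

class Device:
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key    # key assumed to live in the root-of-trust

    def connect(self, service):
        n_dev = os.urandom(16)
        reply = service.respond(self.device_id, n_dev)
        if reply is None:
            return False
        n_svc, svc_tag = reply
        expected = tag(self.key, b"service", self.device_id, n_dev, n_svc)
        if not hmac.compare_digest(expected, svc_tag):
            return False                    # unverified service: no channel is opened
        proof = tag(self.key, b"device", self.device_id, n_dev, n_svc)
        return service.verify_device(self.device_id, proof)
```

The device proves itself only after the service has proven knowledge of that device's key, so a peer without the key learns nothing it can reuse. Production deployments more commonly get the same property from mutually authenticated TLS with per-device certificates.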
Although IoT security has frequently been treated as a tertiary afterthought rather than a primary design parameter, the “Strategic Principles for Securing the Internet of Things” recently outlined by the U.S. Department of Homeland Security (DHS) may very well herald a new era for the semiconductor security industry. To be sure, the DHS recommends building IoT devices with chips that integrate security at the transistor level – embedded in the processor itself – to provide encryption. Such silicon-based capabilities, together with strong end-to-end security between IoT devices and back-end service infrastructure, can mitigate many of the security risks of the IoT revolution.