IoT’s big open door
The issue with IoT devices is twofold: many are easy to hack, and many can’t be patched to block security exploits. Many IoT devices share the same embedded operating system chipsets with root-level passwords baked in. Those passwords can’t be changed, and once known they are exploitable by anyone familiar with Shodan and savvy enough to follow hacking scripts.
As IoT device users, there’s little we can do to stop the problem short of disconnecting everything from the internet. Thermostats, cameras, and refrigerators don’t have any business being online—or so the argument goes.
In my case, a web-connected thermostat alerted me when my air conditioner stopped running on an especially hot day. It was about 98 degrees Fahrenheit when I rushed home, and since I had planned on being gone much longer it’s likely the indoor temperature would’ve risen high enough to kill my cat.
My parents offer up a less dramatic example of IoT put to good use. They live in the mountains at about 8,500 feet altitude and it gets painfully cold in the winter. Their heating system warms ceramic bricks during off-peak electrical times, and by talking with the power company it can intelligently decide when to do its thing.
If these devices are potential hacker targets, why not use a platform that promises stronger security, like Apple’s HomeKit? While HomeKit does offer security enhancements to help keep hackers from remotely turning your lights on and off, or unlocking your front door, the underlying technology driving those products may be susceptible to the same security breaches.
Most HomeKit-ready devices also support other platforms, and the underlying chips driving both are potential targets for hackers. The practical security in HomeKit is that any device using the protocol is secure within Apple’s environment; anything the devices do outside of HomeKit, however, is still just as vulnerable—or secure—as it would be without Apple’s platform.
Plugging the IoT security hole
Which brings us to the really big question: What can users do to protect their IoT devices from being hijacked to participate in DDoS attacks? The answer is, nothing short of unplugging them.
The fix needs to come from manufacturers, and fixing the devices we already own isn’t going to happen. Dave Hamilton dove pretty deep into IoT security issues on Mac Geek Gab, and suggested on TMO’s Daily Observations podcast that the practical fix might come from router makers.
Since your router is the nexus for data coming into, and passing out of, your private network, it’s the perfect place to watch for IoT devices participating in DDoS attacks. When unusually high outbound traffic is detected, your router could block the rogue device from sending outside of your own network.
That would address the problem without forcing everyone to throw away the IoT gear they already have. It also means we’ll likely need government regulation to impose traffic throttling requirements on router makers.
Changes like that don’t happen quickly, and that means the doors are still wide open for other hackers to follow in New World Hackers’ footsteps. It also means any of us could’ve played a part in the DDoS attack on Dyn, and may be involved in future attacks, and won’t ever know.
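The router-side check described above (watch each device's outbound traffic and cut off one that suddenly floods) can be sketched as follows. This is an added example, not code from the article or from any router vendor; the device names, byte counts, and tuning constants are all constructed assumptions.

```python
from statistics import median

# Constructed samples: outbound bytes per minute for each LAN device, as a
# router might read them from per-client counters. Names are hypothetical.
SAMPLES = {
    "thermostat": [1200, 900, 1500, 1100, 1300, 1000, 1250, 1400, 1150, 1300],
    "camera": [40_000, 42_000, 39_000, 41_000, 40_500,
               9_000_000, 9_500_000, 9_200_000, 9_800_000, 9_100_000],
    "laptop": [200_000, 3_000_000, 150_000, 2_500_000, 180_000,
               2_800_000, 220_000, 190_000, 2_600_000, 210_000],
}

BASELINE_MINUTES = 5  # learning window used to model normal behaviour
K = 10                # allowed spread: K median-absolute-deviations above median
MIN_BYTES = 50_000    # floor, so quiet devices are not flagged for tiny changes
SUSTAIN = 3           # consecutive over-limit minutes required before blocking


def threshold(baseline):
    """Per-device limit: median + K * MAD, never below MIN_BYTES."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    return max(MIN_BYTES, med + K * mad)


def devices_to_block(samples):
    """Return {device: minute index at which a sustained flood was confirmed}."""
    blocked = {}
    for device, counts in samples.items():
        limit = threshold(counts[:BASELINE_MINUTES])
        streak = 0
        for minute, sent in enumerate(counts[BASELINE_MINUTES:],
                                      start=BASELINE_MINUTES):
            # A single burst (a laptop upload) resets; only a run counts.
            streak = streak + 1 if sent > limit else 0
            if streak >= SUSTAIN:
                blocked[device] = minute
                break
    return blocked


if __name__ == "__main__":
    for device, minute in devices_to_block(SAMPLES).items():
        print(f"block outbound WAN traffic from {device} (confirmed at minute {minute})")
```

The baseline is only meaningful if the device was behaving normally during the learning window; a device that is already flooding when the router starts watching would set its own limit too high.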