After the biggest DDoS attack of all time was reported in late September, cyber-criminals wasted no time in mounting their next operation. Less than a month later, a further broad-based attack crashed major online services including Twitter, Spotify, Netflix and PayPal. As before, a large number of smart devices connected via the internet of things (IoT) were hijacked to mount the attack. They included everything from video recorders to home-based routers and manipulated webcams. These crimes are becoming more and more frequent, demonstrating that cyber-criminals have understood that the huge number of smart devices has the potential to cause major damage. After all, most connected devices are almost (or even completely) unprotected. This is why companies and individuals need to rethink the way they protect their devices. They need a strategic approach that starts from the internet itself – not the device.
A quick glance at the current situation shows that protecting connected objects looks like a Herculean task. In a rush to follow the trend towards digitalisation, more and more companies are internet-enabling their products. Yet this produces a challenge in that companies who until now have made their name producing coffee machines or fridges have suddenly become IT companies – and often they are not equipped for that. As a result, devices in today’s IoT market include a wide range of software and communication protocols. Rather than adhering to unified standards, device manufacturers are simply doing their own thing. Yet this makes it significantly more difficult to protect their devices efficiently.
A further problem is that most web-enabled objects are not designed to have security software installed on them. The manufacturers’ priority is often to get the smart device on the market as fast as possible and security is lower down the priority list – or not on it at all. The fact that these manufacturers are not used to dealing with IT in their devices makes everything more difficult.
IoT protection from the cloud
As it is practically impossible to protect every device individually – from both the technical and economical viewpoint – it is clear that we need to take a higher-level approach to IoT security and see it as a strategic issue. The explosion in the number of web-enabled devices now makes it essential to centralise protection.
Cloud-based protection can be installed directly into the infrastructure in place at telcos as well as mobile and other service providers. This approach ensures that the threat cannot reach the device in the first place. There is no need for customers to install software and any smart device can be protected, even if it does not permit any software modifications. That stops cyber-criminals from infecting devices and also limits the damage by those that may already have been compromised – regardless of their type or the software and standards they use.
Using this approach, Secucloud is currently working with several large telcos and mobile providers – including T-Mobile in the Netherlands – to fight botnets and DDoS attacks. We have also recently started offering these firms an IoT anti-bot package that they can use to protect their customers’ smart devices from cyber-attacks.
Hackers planning a cyber-attack balance the cost against the benefit. If the cost of attacking a specific target is too high for the benefit they want, the target quickly becomes unattractive. By expanding cloud-based protection, cyber-criminals have fewer ways to attack and infect masses of IoT devices relatively quickly and easily. That, in turn, reduces the potential for broad-based DDoS attacks like those we have seen on IoT devices.
