Private businesses must lead the offensive against the ‘Army of Things’ by demanding the elimination of password-based security.

On Oct. 21, 2016, a severe distributed denial-of-service (DDoS) attack that affected Amazon, Etsy, GitHub, Spotify, Twitter, New York Times, Vox, Airbnb, Netflix, Reddit, and many others employed a massive botnet made up of hundreds of thousands of internet-connected devices infected with malware called Mirai. The device army exploited default and weak passwords to direct many gigabytes of data to targeted servers.

One can make the case that much of the blame for this and other recent DDoS attacks lies with Internet of Things (IoT) device and networking equipment manufacturers. In the rush to bring new devices to market, manufacturers too often leave security as an afterthought, opening huge gaps that hackers will eventually exploit. Builders of consumer-oriented IoT devices and remote control smartphone apps are especially at fault because there should never be any expectation that consumers have the requisite technical knowledge to properly configure IoT devices and home routers.

Importantly, virtually all consumer-oriented IoT devices and router systems use passwords as the primary user authentication mechanism for configuration. In the bright light of the recent DDoS attacks, every technology professional in companies victimized by DDoS attacks should recognize the IoT security situation for what it is: a technological catastrophe.

Technology professionals managing security for large companies should know how to properly configure network routers and IoT devices. This is not true of the millions of consumers around the world installing mass-market routers and IoT devices in their homes.

While large companies may not think weaknesses in consumer IoT products are something they should worry about, larger companies are more attractive targets for DDoS attackers.

Small and midsize businesses are also at risk, but many hackers want to make political or social statements, as we saw in the Oct. 21 attacks. Such attacks affect consumers only to the extent service providers such as Amazon or Netflix are affected. It should be noted that consumers will not be sympathetic to an argument casting Amazon and Netflix as victims. That these companies’ websites are inaccessible is all that concerns the consumer.

There is an overarching solution – elimination of passwords as an IoT and networking device authentication method. Targets of DDoS attacks, regulators, and legislatures hold the keys to ensuring that this solution is implemented.

The best approach will come from the private sector. Companies targeted by DDoS attacks should demand that networking equipment and IoT device manufacturers eliminate password authentication and improve other aspects of security. This can be very effective because manufacturers of consumer-oriented IoT and networking devices produce similar products for business customers.

Products built for businesses typically have higher profit margins, so business customer dollars are inherently more powerful. There is little doubt that manufacturers will resist, claiming that customers will not accept change or pay more for better security. A counterargument is that manufacturers lack imagination. They can continue to offer current technologies as they introduce more secure devices, raising prices on older systems higher than newer, more secure alternatives. The less secure systems will gradually fade away.
Business customers can also demand discounts when buying enterprise networking and IoT equipment on the basis that less secure consumer-oriented products raise cybersecurity liability for all businesses.

Another solution is ‘soft regulation’ where regulators become much more vocal in moving device manufacturers toward more secure authentication methods and simpler configuration procedures. Government agencies can help the regulators by mandating that government buyers acquire only those devices meeting a much higher security standard. Governments are part of the preferred market forces approach.

The least desirable solution comes from the legislative hammer. Governments could employ ‘hard regulation’ through new legislation. Lawmakers might justify such action by raising the argument that DDoS attacks can affect infrastructure critical to national security.

Until serious pressure is applied on IoT device manufacturers by every company in the crosshairs of DDoS attackers, exploding numbers of IoT devices will become soldiers in an ever more devastating hacker army.