The battle for IoT Security has already been lost

Chris Wallis
Intruder
Published in
3 min readOct 21, 2016

A few weeks ago, the website of popular cyber security journalist Brian Krebs was taken offline by a previously undiscovered botnet, now known as the Mirai botnet.

The attack was interesting for a number of reasons. First of all, it was at the time the largest DDoS attack in history, peaking at 620 Gbps (although there have already been reports of bigger ones). It was also the biggest marketing gaffe of the year, as Akamai dumped Krebs from the pro bono DDoS protection services they’d been offering him, missing an opportunity to claim they’d defended the world’s biggest DDoS attack, and instantly securing themselves a load of bad press.

Most interesting of all though, it was the first big warning that the battle for security in the IoT space is being lost, and a taste of things to come.

There’s a lot of buzz in the industry at the moment around how we are going to secure all of these IoT devices (which are predicted to reach 20 billion by 2020), and a variety of new startups have sprung up claiming to do exactly that. But unfortunately, as the recent attacks show, it may already be too little too late, as the first battle has clearly already been lost, and it is my prediction that we will continue to lose the war for a good few years to come.

Why is this?

Well fundamentally it’s because IoT device manufacturers are not incentivised to spend money on securing their devices. But it’s not their fault, they aren’t incentivised because consumers don’t incentivise them with their buying patterns. And in fairness to those consumers, it’s nigh-on impossible to tell the difference between an IoT device that’s been developed securely and one that hasn’t. Consumers can tell what’s simple though, and as security controls generally impede on nice user experiences, it’s no wonder that we still see devices being shipped with default credentials.

There is also the issue that cyber security is a complex and multi-faceted beast, and fundamentally any device, even one that has been developed ‘securely’, has the potential to have new weaknesses discovered in it later on. Meaning that unless all IoT devices are hooked up to some kind of automatic patch management service, we are always going to end up with a problem on our hands.

So instead of focusing our efforts on trying to ‘secure’ something which is without doubt never going to be secure, I would argue instead that we need to start preparing for the future of which we’ve just had a glimpse, and be ready to defend ourselves from ever increasing sizes of botnets.

As the EU and other nation states become increasingly wary of where their data is being physically stored, I can see a future where internet controls are implemented at a national level, at the “cyber border”, rather than being left down to individual site owners. So for example, traffic from known-bad IP addresses of botnet members would be filtered at a nation-state firewall in the UK before reaching any of our sites.

For now though, the best way we can influence the war, is not by coming up with clever technical solutions, but as consumers, by voting with our wallets, and avoiding brands which are linked to inferior security products. And if you’d like to start today, a list of the compromised devices involved in the Mirai bonnet can be found here: https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-ddos-attack.html

--

--

Chris Wallis
Intruder
Editor for

Prior to founding Intruder, Chris worked in cyber security for a decade and has worked with clients ranging from the FTSE 100 to early-stage startups.