Back in December of 2016 I wrote a piece for HelpNetSecurity on IoT worms, and how devices can quickly fall under the control of a malicious third party. Such attacks are still at the theoretical phase, but we’ve already seen plenty of evidence that IoT devices can, and will, be used to perpetrate other kinds of malicious activity.
The attacks last year in which IoT devices were used to perpetrate DDoS attacks show the potential of a massive number of poorly secured devices being subverted for malicious purposes. It’s frightening because the IoT will consist of billions upon billions of devices, and if even a small percentage are poorly secured, we will be handing a huge amount of computing power over to hacktivists, cyber-criminals, or unfriendly nation states who may well use it against us.
However, one thing that has not been as heavily discussed is the impact, not of turning these devices against us, but of simply turning them off. As these devices become part and parcel of our daily lives, whether it’s smarter cars, smart cities, smart homes, smart medical devices, or smart, well, anything, we will inevitably become more and more reliant on them. In fact, not only will we become reliant on the additional functionality they offer (a fridge that orders food for you before you run out), but in many cases there simply won’t be an alternative “dumb” version to fall back on.
It’s one thing to deal with a smart oven that reverts to just being a dumb version you have to turn on yourself. But what happens when the smart electric metering system goes offline and your house (and every other house in a several-hundred-mile radius) goes dark? What if you had to wait weeks, or even months, for power to come back on?
Denial of Thing (DoT) attack
The IoT offers up immense potential to change our lives for good – to provide environments that are safer, cleaner, better places to live and work. IoT healthcare advances will save lives by providing information gathering, medicine dispensing, and emergency response to everyone, when and where they need it. But the same power to change comes at a cost, and if these devices cannot be built with security at the forefront of design, and if they aren’t delivered with software that is resilient enough to survive constant attack, then the very real risk is that attackers can take them away. Such a Denial of Thing (DoT) attack could potentially dwarf the impact of even the most widespread Denial of Service attack, simply because it could so directly affect people’s lives, work, home, travel, and safety.
Denial of Things isn’t something we’ve had to deal with yet, but we need to build the IoT, and the software that powers it, with extreme resilience in mind. We need to implement the best software development practices in the devices and the services they rely on. And we need to understand how to manage the behavior and identities of all those billions of devices so we can head off attacks before they become crippling to our economy and our society.
The cost of IoT
The IoT, like all technological advances, comes at a cost. And the cost in this case may simply be our growing addiction to smart technology, an addiction that will leave us unable to continue when all those smart devices go suddenly, irreparably, dark.
Is this something you’re concerned about, or do you think the IoT is going to be resilient enough? Find me on Twitter if you’d like to discuss this further.