How to secure Things in light of recent DDoS attack? Make them invisible.25. October 2016
Last Friday’s DDoS attack. What exactly happened?
While we were at Nokia’s Open Innovation Challenge in Paris talking about how to secure IoT in the future, one of the biggest domain name services, Dyn, experienced a brutal DDoS attack. If all the big players like Twitter, Spotify, SoundCloud, PayPal and others were not its largest customers, we would probably not hear about it in the mainstream news. But we did, and it shocked us all. Millions of people were affected and this caused havoc and some serious discussions about the future IoT security. Why are we all concerned and why is IoT in the spotlight? Because the attack came from an Internet of Things device – a camera from a Chinese company, Hangzhou Xiongmai Technology. These cameras were attacked by a malware called Mirai, which basically infected them and used them to overload websites with requests consequently taking them offline.
Are updates really the only way forward? Yes, if you can afford spending approx. €20K per update.
Gartner’s most recent prediction says that “By 2025, there will be over 100 billion Things connected to the internet”. When you think that among the “Things” are your door locks, cameras at home, your PC, webcam and other devices, you might be not so keen on IoT in the long run.
When asked for a solution, Hangzhou Xiongmai Technology’s spokesperson said that the only way they know would be to ask customers to carry out regular firmware updates. Easier said than done. No one mentions that these updates must be made available and maintained regularly by the manufacturer which is associated with very high costs. To break it down: a need for an update needs to be recognized, after that it can be created, then tested and finally rolled out. With this in mind, resources and know-how have to be maintained long term reducing their availability and capacity for new product developments.
When it comes to your door locks for example, being connected to the Internet makes them super vulnerable which we just saw last Friday. The manufacturer therefore has to maintain and monitor them non stop. This constant monitoring alone, the above maintenance plus looking after the customer if something goes wrong costs as much as around €20K per update.
Media are buzzing with hundreds of solutions for the DDoS attack. How about keeping Things connected but just taking them offline?
We have read many articles following the DDoS attack. Companies claim they have IP protection technologies, can protect servers or there are firewalls that inform you about the threat. However, the first option just adds another layer to the already complex network of connected things which slows things down and the firewall, while great, informs you too late about an attempted attack. How about you do not expose yourself to the malware in the first place? Would it not be great to put an invisible cloak on your Things so that they are not visible to the attacker?
It is possible with BlueID which was designed exactly for this purpose. BlueID keeps you invisible to the attacker. BlueID is your invisible cloak.
Imagine there is a serious illness easily spread from one person to another. You have three ways of protecting yourself from it. You either get it and have to treat it with medicine, you get a vaccination (smart firewall) or just do not get exposed to it at all (BlueID).
If you could choose, which option would you take?
How does BlueID make your door locks invisible to attackers?
BlueID is an IDaaS IoT solution which does not put your Things in the vulnerable Internet environment. It keeps them nicely and securely connected but does not need any Internet for it. The only thing connected to the Internet is the user’s smartphone and BlueID Trusted Server which is robustly secured. On the smartphone side, we have all the protection measures implemented by their manufacturers. It is a common knowledge that Apple and Google are continuously inventing new ways of securing our smart devices.
In conclusion, with BlueID, your door locks are not levitating in the dangerous Internet space any more. The potential attack likelihood is small. The UX is great due to the ultra fast response time. Simplicity once again solves a complex concern in a sophisticated way and we are ready to welcome the 100 billion Connected Things in 2025 with confidence.
Krebs on Security: https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
Heise DE: https://www.heise.de/security/meldung/Source-Code-von-maechtigem-DDoS-Tool-Mirai-veroeffentlicht-3345809.html