National newspapers have reported that IoT devices were infected and then used to take part in the cyber attack that ultimately impacted a number of leading web services last week. In the UK, the Daily Mail referred to the attack as ‘a troubling new spin on an old hacker attack known as distributed denial-of-service (DDoS), where millions of devices in the fast-growing Internet of Things took part in the cyber onslaught.’
According to the FT, cyber criminals targeted Dyn – the domain name services company that translates addresses that humans can read into IP addresses – twice within hours. The newspaper says DDoS attacks are rising and added: ‘The intensity of recent attacks has increased sharply because hackers are using Internet of Things devices — including routers, webcams and baby monitors — to launch the attacks.’
The attack is a timely reminder of the potential trouble ahead if millions of new Internet-connected devices are installed in homes without adequate protection against misuse. There is also an obvious consumer-facing threat if devices like indoor cameras (including baby cams) can be hacked. As well as being a challenge for every industry, IoT security is therefore a major opportunity for communications infrastructure service providers (like broadband providers) and companies from the TV vendor ecosystem with content (and therefore data, data-link and cloud) security expertise.
Looking at IoT security from a consumer point of view, the research firm Parks Associates has found that almost half of U.S. broadband households rank privacy as their greatest concern when connecting devices to the Internet. The company has highlighted wider issues associated with the growth in data analytics including the use of viewing and consumption history.
According to Brad Russell, Research Analyst at Parks Associates: “Near the end of 2015, 40% of U.S. broadband households reported having a recent privacy or security problem with a connected device, primarily a virus, spyware, or a company tracking them.
“In 2016, nearly 60% of U.S. broadband households are bothered when their online viewing history is used for advertising, and nearly 40% of U.S. broadband households worry about the safety and usage of their personal data through an online video service.”
Craig Payne, Security & Privacy Officer at Ayla Networks, which provides an IoT platform, says: “Maintaining data security and data privacy in IoT solutions is as difficult as it is necessary. Delivering IoT security and privacy is not a one-time event. Rather, it is an ongoing effort that requires up-to-date understanding of the interplay among IoT technologies, constantly updated regulations, and the evolution of how IoT data is generated, shared, and used. The most effective approaches begin with a proven, comprehensive IoT platform that provides end-to-end, integrated security.”
Returning to the specific issue of DDoS attacks, Akamai reminds us that they attempt to bring down and infiltrate web sites by flooding the site’s origin server with bogus requests, often from multiple locations and networks. “If allowed to proceed unchecked, DDoS attack traffic can produce results ranging from slow page loads to a complete blockage of legitimate site traffic,” the company explains. Akamai says it is virtually impossible to build out sufficient infrastructure to scale in response to a large DDoS attack, and offers a security solution instead: the cloud-based Kona Site Defender, which can defend against most common types of DDoS attacks plus attacks against web applications and direct-to-origin attacks.
Kona Site Defender mitigates DDoS attacks by absorbing DDoS traffic targeted at the application layer, deflecting all DDoS traffic targeted at the network layer such as SYN Floods or UDP Floods, and authenticating valid traffic at the network edge. This built-in protection is always on, and only Port 80 (HTTP) or Port 443 (HTTPS) traffic is allowed. Bursting fees can be capped so users are protected from DDoS traffic running up service fees, and flexible caching maximises offload from origin.
For added protection, many organisations add a defence layer, such as Akamai’s Fast DNS solution, that protects the Domain Name Server from being overloaded and compromised by denial of service attacks, the company adds.
Parks Associates hosted a webcast this week looking at best practices for IoT security and privacy. You can still hear the discussion here.
Videonet recently published a report called ‘Securing Video Analytics Data to Enhance Pay-TV Profitability’, and you can download that here.