In October 2016 the world received a harsh wake-up call about the importance of IoT security, says Shane Buckley, CEO of Xirrus.
The trigger? A catastrophic distributed denial-of-service (DDoS) attack that created a massive Internet outage for millions of users on the east coast of the United States. The attack disrupted many popular websites such as Netflix, Twitter and Paypal.
An investigation revealed that the method behind the hack involved infecting thousands of connected devices with unchanged default passwords. Routers, surveillance cameras and other IoT devices with unchanged default passwords were infected to form a botnet that launched a denial-of-service attack on Dyn, a major internet services provider.
Increasing IoT awareness
The aftermath of the attack highlighted the challenges posed by IoT devices. With Gartner predicting the number of IoT devices will grow to more than 20 billion by 2020, the focus on IoT security is becoming increasingly important.
Organisations and users face two primary challenges when it comes to secure deployment of IoT devices. They must have the ability to connect to Wi-Fi in a simple manner, given their mass numbers, and then remain secure once connected.
Given that adding more security features to a network tends to reduce the simplicity of connecting devices, it can be difficult to achieve both goals simultaneously. Fortunately, there is a way to keep both pillars structurally sound.
Public Wi-Fi networks that are encrypted typically use shared passwords, providing a false sense of security. While virtual private networks (VPNs) provide an appropriate secure solution, they add complexity, cost, and time – meaning most users won’t bother.
To connect IoT devices securely to a Wi-Fi, an ‘IoT-aware’ network runs ‘User Pre-Shared Key’ (UPSK) technology. Simply put, this creates a new UPSK for each device, ensuring every device has unique security credentials within the network, and security credentials never get openly shared. Most IoT devices do not have keyboards or browsers, and cannot connect to traditional captive portals to enter their security information.
Controlling the network
Very few public Wi-Fi networks protect user data. The networks simply do not encrypt the Wi-Fi data, opening up a myriad of security risks if the user is not taking appropriate precautions. Hackers can intercept user data and if it is not encrypted, steal passwords, credit card information, company data, and more.
An ‘IoT-aware’ Wi-Fi network uses Application Control (Deep Packet Inspection) technology. The traffic control process starts by feeding this application intelligence into the policy engine. Once in action, the engine works to identify and classify IoT devices by type.
The network can then enforce firewall rules on devices according to their type (sensor, appliance, etc.). Meanwhile, the network also implements policies that control the application(s) each device uses, through methods like prioritisation, bandwidth throttling, and blocking controls.
The IoT security balance
The two pillars of simple access and security must work in unison. The first provides a simple way to securely connect devices to the Wi-Fi network, while the second ensures only the IoT application can traverse the Wi-Fi network from the IoT device to the server.
Combined, these two pillars could have prevented the DDoS attack last October that originated from Wi-Fi enabled IoT devices. Even with default passwords in place, the malware could not have communicated to the Dyn servers while the application rules were in effect, which would have eliminated the malware’s impact. To safely unleash the full power of the IoT world, we need to start with smart Wi-Fi that keeps us both connected, and secure.
The author of this blog is Shane Buckley, CEO, Xirrus
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow