The best way of protecting us from Internet of Things botnets is to compartmentalise the entire internet, Intel’s chief architect for IoT security solutions has said.
Sven Schrecker, speaking exclusively to The Register at IoT Solutions World Congress in Barcelona, also branded the potential impact of IoT botnets as “devastating”, warning that the Krebs website attack was just the tip of the iceberg.
So far IoT botnet miscreants have employed “quiet exploitation followed by loud exploits,” Schrecker said. “They’re just making it difficult for internet services to function.”
If the operators behind these IoT-enabled botnets were to “point them at industry” instead of smaller targets such as individual journalists’ websites, as happened with infosec researcher Brian Krebs, the impact on the world economy could be “devastating”, he added.
The recent high-profile IoT botnet DDoS attacks have, so far, avoided using traditional traffic amplification techniques such as DNS reflection because consumer-grade IoT devices are so easily hacked en masse. This makes it much harder for DDoS mitigation services to cope, as was seen when Akamai threw Krebs off its network with two hours’ notice.
An attack against infrastructure would quickly harden legislators’ attitudes towards the IoT, Schrecker warned, giving them a “very strong will to alter” existing light-touch governmental security mandates.
Is self-regulation an option before the same sharp minds that gave us the EU cookie directive omnishambles set their sights on the IoT? Schrecker was quietly confident, though he hedged his bets: “We have the makings of a standard for IIOT [Industrial Internet of Things, the new-fangled term for what used to be called M2M]. If that works, it can go to IoT. Setting standards is not a quick process but consolidated industry opinion saying the same thing, that’s much more strengthened.”
As for coping with the threat we face now, courtesy of millions of pathetically insecure consumer IoT devices, Schrecker’s proposed solution sounds elegantly simple, in theory at least: “Distribute, for example, gateways. Edge gateways that can contain a DDoS and are smart enough to talk to each other and help contain them that way.”
Gateways “can then be updated” in lieu of individual device owner-operators having to do it themselves, “defeat vulnerabilities, contain botnets, and even notify owner-operators.”
Again, it sounds great on paper. As Schrecker warned, however, until there’s a major IoT DDoS that affects something people care about - financial services rather than cloud-based pet-feeding apps - there’ll be no public will to harpoon the Moby Dick that is IoT security. ®