DDoS robots for the masses: IoT security comes of age

Why patch that old router firmware at your mom’s house? Because it can become a digital soldier enlisted by bad guys to break the internet. Don’t worry, it’s not all your fault and you’re not alone, but millions of those old routers can be turned into zombies and start swamping the internet and target someone like our friend Brian Krebs’ website with a barrage that would cripple all but a few. Now, IoT security starts to matter.

Over the past few years, we’ve been asked why lightly protected IoT devices mattered in the big picture. After all, many devices that are internet connected don’t contain your health records, credit card details or where your kids go to school. But, as we’ve seen, when coupled with the rapidly expanding speed of home internet connections, often five times faster than what they were a few years back, a relatively modest group of enlisted routers shouting random junk messages can amplify very quickly and clog up huge digital pipes to the point of becoming unusable.

And if it works once for the bad guys, you can be sure you’ll see it again. Remember when we warned years back about the increase in smartphone attacks to come? This is that for the IoT.

Unlike your traditional computer, and increasingly your smartphone, most of the IoT devices out there have no predictable patch and update cycle. While you may get important patches on a Tuesday for your PC, for example, when’s the last time your home router got an update automatically? When’s the last time they were patched manually? Ever?

"For almost all of the millions of other IoT devices people buy in droves – there’s effectively no patching that matters at scale."

The same is true for almost all of the millions of other IoT devices people buy in droves – there’s effectively no patching that matters at scale.

While the auto manufacturers have levied significant resources toward addressing and fixing things going forward in that segment, there’s not only nearly zero budget for router manufacturers to ramp something like this up, but the uptake rate for auto-patches would be appalling. And since routers last until your power lines get struck by lightning, their replacement rate is staggeringly low.

I have a gas tank issue in my Jeep Grand Cherokee that could result in big problems if left unfixed. There’s a recall that’s been issued. I’m very grateful they’ve taken those steps, happy they’ve been proactive, and I’d happily buy another. But I’ve done nothing to bring it in for free replacement. Yeah, I know, I’m negligent. But I’m not alone, or anything close to it. And this is for a car that is worth hundreds of times more than an old home router – yet I still can’t be bothered.

In any new technology segment with rapid adoption like IoT, the scammers aren’t far behind, and they’re looking for that “killer app” and then trying to maximize their return on investment for development costs by using it as long as possible. We’re on the front end of this trend, and the big network operators, software folks and a host of others will have to deal with this very soon, because it’s too easy and tempting, and that is usually a recipe for disaster. Let’s fix this.