IoT Security, Botnets, and You
Last Friday and Saturday (October 21st and 22nd, 2016), a massive Distributed Denial of Service (DDoS) attack was launched against large parts of the Internet’s Domain Name Service (DNS) infrastructure. The sheer scale of this attack led to widespread slowdowns and outages to large parts of the Internet until it was mitigated.
How did this happen?
The key to a DDoS attack is the distributed part. A regular Denial of Service attack has two big flaws: it is easier to block an attack from a single source and the attacker becomes exposed when the attack commences. Networks of compromised machines, or botnets, spread across the planet, grow by exploiting security flaws and collect large numbers of computers into an army, controlled by the person exploiting the security hole. Botnets are used to steal credit card numbers, send spam email, and launch DDoS attacks.
In the past, botnets were largely comprised of laptop and desktop computers, devices, which despite having lax security, were usually used by a human on a regular basis. People would notice their computer “getting slow” or “crashing” and take it in to be “repaired,” or they’d replace it. In either case, the user would usually eventually notice the problem and take some corrective action. We have also seen great improvements in automatic updates, operating system security and even anti-virus software on conventional computer platforms. With the growth of embedded and unattended computing, or the IoT, a device being compromised and made part of a botnet becomes harder to notice. These IoT devices can also require manual firmware updates, which many users will fail to do once the device is deployed and working as expected. Hey, if it ain’t broke, don’t fix it. IoT devices are also likely to remain online all day long, as compared to desktop and laptop computers which may be shut off at night or carried on a commute. Finally, due to the sheer number of IoT devices on the market and manufacturer inexperience with network security, many common security flaws get overlooked.
All of this leads to the mess we saw last week. A large botnet of IoT devices, created by exploiting factory-default login credentials, was used to bring the DNS infrastructure to its knees. Because these IoT devices were deployed all over the world, on many ISP networks, it became much more of a challenge to mitigate than if it was constrained to one region or provider. The manufacturer of the majority of the devices involved in this attack patched the security hole over a year ago, in September 2015. However, administering the patch was a manual process on the behalf of the sellers and users (if they even knew it existed), leaving the devices at the will of malicious actors.
At Helium, we try to think about these things a little differently. For starters, none of our devices use passwords, ever. Every Helium-based device has a uniquely programmed Hardware Security Module (HSM). This allows our infrastructure to securely communicate with a device in the field from the first time it’s powered on – no passwords needed. We also believe that the network is only as good as its weakest link, so we deploy updates to the Helium hardware in the field on your behalf, so you don’t have to worry about keeping fleets of hardware up to date. Finally, our Element Access Point does not accept ANY inbound connections; it only originates outbound connections to trusted Helium infrastructure. Every communication with the gateway, and the Helium devices behind it, occurs over this link which, again, is secured with HSM keys. Helium centralizes data storage, updates, authentication and configuration in one place that we secure and monitor on our users’ behalf so they can focus on building their solutions, not on their IoT infrastructure.
Want to Learn More About Helium? Talk to us!
If you’re interested in finding out more about Helium, visit www.helium.com for an overview of our products.
Development kits and all necessary hardware to start building connected products can be purchased at store.helium.com.
Join our Slack community at chat.helium.com and speak directly to the Helium team as well as other Helium developers.
If you’d like to discuss an upcoming project with us, let us know and we’ll get in touch soon.