The (In)Security of IoT

In October 2016, one of the signature security events in the history of the internet occurred. Dyn, the well-known cloud-based internet performance management company, suffered a massive DDoS attack on its managed DNS infrastructure. Because so many large sites resolve their names through Dyn, the impact was widespread.

Dyn quickly confirmed the Mirai botnet was the primary source, initially describing attack traffic from “10s of millions of discrete IP addresses” (a figure Dyn’s own follow-up analysis later revised down to an estimate of up to 100,000 malicious endpoints). And among the thousands of websites affected were some of the biggest names in business. Twitter. CNN. Amazon. PayPal. The New York Times. All were inaccessible to many netizens for a good chunk of the day.

To be sure, DDoS attacks in and of themselves are not new. What made Mirai notable was where its firepower came from: the botnet was assembled almost entirely from compromised Internet of Things (IoT) devices, mostly IP cameras, DVRs and home routers still running factory-default credentials, pressed into service as the attack sources.

From Nest and Echo to DVRs and wearables, internet-enabled devices hold the promise of simplifying our increasingly interconnected lives. But as we’ve seen in the (very recent) past, functionality always seems to win out over security. The Nissan Leaf hack from earlier this year is one of the highest-profile examples underscoring that very point.

API (In)Security

APIs are ubiquitous. From mobile and cloud computing to SDN and yes, IoT, APIs provide the foundation for today’s computing infrastructure. However, from a security standpoint, APIs are all too often overlooked and underprotected. The Nissan Leaf hack exemplified how companies in the “API economy” are delivering consumer services on APIs that lack even basic authentication and access control, and are therefore open to abuse by anyone who discovers them.

In that case, and with API-targeted attacks more generally, the information needed to stop the attack is available at the API itself: the identity of the sender, the API payload, and the source of the client making the request. Effective API security means inspecting the exchange at that point and combining policy checks: authenticating the identity of the client, verifying the integrity of each message, and validating the source of the communication.

Notably, security is inseparable from exposing an API: the policy has to be enforced at the same point where the API is made reachable, not bolted on somewhere behind it. This is where API security gateways like Forum Sentry play a critical role.
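The following is an added example of the three checks described above (caller identity, message integrity, request source), written as a small gateway policy in Python. It is not Forum Sentry code and not Nissan’s API; the client registry, the shared secret, the permitted network, the header names (X-Client-Id, X-Timestamp, X-Signature) and every request are constructed for illustration. The `vin_only` request mirrors the pattern Troy Hunt reported in the Leaf case, where a request naming the vehicle was accepted with no proof of who was asking.

```python
"""Minimal API-gateway policy: identity, integrity and source checks in front of a
backend. Added example, not Forum Sentry or Nissan code; all IDs, keys, networks
and requests below are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import json

# Constructed client registry (assumption: a real gateway reads this from an
# identity store). The key is illustrative only.
CLIENT_KEYS = {
    "mobile-app": b"constructed-shared-secret-for-the-example",
}
# Source validation: the networks a given client is expected to call from.
CLIENT_NETWORKS = {
    "mobile-app": [ipaddress.ip_network("203.0.113.0/24")],
}
MAX_SKEW_SECONDS = 300  # bound the replay window of any captured request


def canonical_string(method, path, timestamp, body):
    """What the client signs. Binding method, path and timestamp to the body
    means a captured signature cannot be reused against another endpoint."""
    return f"{method}\n{path}\n{timestamp}\n".encode() + body


def sign(secret, method, path, timestamp, body):
    return hmac.new(secret, canonical_string(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def build_request(client_id, method, path, body, source_ip, now):
    """Client side: a request carrying identity, timestamp and signature."""
    ts = str(int(now))
    return {
        "method": method, "path": path, "body": body, "source_ip": source_ip,
        "headers": {
            "X-Client-Id": client_id,
            "X-Timestamp": ts,
            "X-Signature": sign(CLIENT_KEYS[client_id], method, path, ts, body),
        },
    }


def check_request(req, now):
    """Gateway side. Returns (allowed, reason); every check must pass."""
    headers = req["headers"]

    # 1. Identity of the sender: the caller must name a registered client.
    client_id = headers.get("X-Client-Id")
    if client_id not in CLIENT_KEYS:
        return False, "unknown or missing client identity"

    # 2. Source of the client: must originate from a permitted network.
    try:
        src = ipaddress.ip_address(req["source_ip"])
    except ValueError:
        return False, "malformed source address"
    if not any(src in net for net in CLIENT_NETWORKS.get(client_id, [])):
        return False, "source address not permitted for this client"

    # 3. Freshness: stale or future-dated timestamps are rejected.
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "missing, malformed or stale timestamp"

    # 4. Integrity of the payload: recompute the HMAC, compare in constant time.
    expected = sign(CLIENT_KEYS[client_id], req["method"], req["path"], ts, req["body"])
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "payload or headers altered, or wrong key"

    return True, "ok"


def demo():
    """Runs the policy over constructed requests; returns name -> (allowed, reason)."""
    now = 1_700_000_000
    body = json.dumps({"vin": "EXAMPLEVIN0000001", "action": "climate_on"}).encode()
    endpoint = ("mobile-app", "POST", "/vehicle/climate", body)

    good = build_request(*endpoint, "203.0.113.10", now)

    # The Leaf pattern: identifies a vehicle but carries no caller identity or signature.
    vin_only = {"method": "POST", "path": "/vehicle/climate", "body": body,
                "source_ip": "203.0.113.10", "headers": {}}

    tampered = build_request(*endpoint, "203.0.113.10", now)
    tampered["body"] = body.replace(b"0000001", b"0000002")  # VIN swapped after signing

    off_network = build_request(*endpoint, "198.51.100.7", now)
    replayed = build_request(*endpoint, "203.0.113.10", now)  # valid now, replayed later

    return {
        "good": check_request(good, now),
        "vin_only": check_request(vin_only, now),
        "tampered": check_request(tampered, now),
        "off_network": check_request(off_network, now),
        "replayed_later": check_request(replayed, now + 3600),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Only the correctly signed request from the permitted network is allowed; the VIN-only request fails at the identity check before its payload is even looked at, which is the whole point of enforcing policy at the point of exposure rather than trusting whatever the backend receives.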

But what can the IoT industry do to bolster the inherent security of their devices?

Deploying API Security Gateways

There’s no question that the open source, agile and DevOps movements have transformed software development, and IoT is creating a landscape of interconnected device intelligence. These same advances have widened the set of vulnerabilities to which connected APIs are exposed. Innovation has long outpaced security, but it is increasingly important that both be treated as carrying the same business value. Just as the technology sector was driven to close the security gap for web applications with Web Application Firewalls (WAFs), today the industry is being driven to close the security gap for APIs with API Security Gateways. It is fortunate that this technology is available to do the job, but it can’t do the job if it’s not in the solution architecture.

As we look toward 2017, we hope that API security is (finally) given the same priority as is a rich feature set and enhanced connectivity.

Organizations like the Internet of Things Security Foundation are championing this sentiment. The group “promotes knowledge and clear best practices in appropriate security to those who specify, make and use IoT products and systems.” In fact, just a few weeks ago, the IoTSF published its IoT Security Compliance Framework.

Bravo. We hope this is a harbinger of more secure (Internet of) Things to come in the New Year.