Insights

Security in IoT: What It Is and Why It Matters

Stephen Blum on May 8, 2018
Security in IoT: What It Is and Why It Matters

IoT security has been a predominant topic of discussion, both for IoT businesses and their end users, for the last decade. Several widely publicized incidents demonstrated how easy it was for unsecured IoT devices to be manipulated for malicious intent. These incidents brought gravitas to the conversation, highlighting the need for a better standard of security in IoT.

Dyn DDoS Attack and How It Happened

One of the most concerning breaches was the Dyn distributed denial of service (DDoS) attack in the fall of 2016, which targeted a security vulnerability in a bunch of baby monitor cameras. Since these devices could be seen consumer-to-consumer (C2C) at the command and control server level (a somewhat PubNub-like service that was not secure), those pathways were left open. When the attack hit, this vulnerability was leveraged to take over every single one of these devices to form a botnet. The botnet then proceeded to start spamming a bunch of UDP datagrams over Port 53. This flooded Dyn’s DNS network, taking them down completely and preventing users from accessing sites like Netflix, Twitter, Amazon, and thousands of other major websites.

What happened was, when the attack flooded Dyn’s servers, they were shut down. As a result, users could no longer access the IP address of websites for apps and other things like that, things that would allow you to visit Twitter.com or order a taxi. Chaos ensued, which was surely the intent.

That one incident destroyed Dyn. It tanked their reputation and that of all the businesses connected to it. All due to insecure IoT device connectivity. As one attack was mitigated, another began. Further compounding the situation, the DNS protocol made distinguishing legitimate traffic from malicious traffic difficult. The first attack prompted a flood of legitimate “retries” as servers attempted to refresh their caches. This amplified the traffic volume exponentially, preventing Dyn from accurately identifying the endpoints.

In the end, it was concluded that there were an estimated 100K endpoints and that the attack came from Mirai botnets. Now, Dyn has rebranded as Oracle, but not without significant damage, both financial and otherwise.

IoT Devices Will Attack the Internet

On the plus side, this incident started a significant discussion and much innovation around the security of IoT and how this could be approached on a more standardized basis. One of the most concerning discoveries was that the IoT devices used in the attack were targeted because they still had their default (factory) passwords stored. This allowed the attackers an easy in as they only had to include those sign-in credentials in the code. Once the source code had been identified, it was ascertained that it contained default credentials for more than 60 different IoT devices.

The takeaways were many-layered but largely positive. At least, for everybody except Dyn. (As an analogy, consider that the rearview mirror was invented after the first Indianapolis 500 race. Think about it).

Lessons on IoT Security

First, companies learned that having a secondary DNS provider is a good idea in case of any future attacks. Second, one could assume that it would underscore the importance of changing passwords upon powering up a new IoT device, but that is something that is entirely in the hands of the end user… so, largely, uncontrollable.

The potential for DDoS attacks that are as devastating as the Dyn incident still remains, but at least with regard to the threats we do know about, we can prepare. As our dependence on IoT grows—in business and manufacturing in addition to our personal lives—there is still great potential for harm to be done. A more secure internet, stronger security and stability in IoT device development, and ongoing vigilance are indicated.

Is PubNub addressing IoT security Concerns?

Even before the disastrous Dyn breach, PubNub has always had a primary focus on security. Their network is secure, tunneled through transport layer security (TLS), and encrypted. The TLS establishes a secure platform that offers complete privacy and data integrity between two communicating devices or applications. TLS is the most common internet security protocol in use today. It is leveraged by browsers or any application that needs to transfer information safely and securely, like instant messaging, chat, VoIP, and VPN connections.

The way PubNub makes this technology available to their customers is through a software developer kit (SDK), which is activated on the device when the app is initialized. In fact, this security feature has been standardized across all PubNub based applications from the very start and not simply as a response to growing security concerns. Though admittedly, they do not do a lot of marketing in the IoT sphere, the solution was ideal and timely, prompting many IoT innovators to choose PubNub as their platform of choice.

Security is our number one concern. Following the Dyn security event, they had some noteworthy visitors:

We’ve had some interesting communication from the United States government, prompting them to visit us onsite to talk about this issue specifically. They realize that a lot of IoT vendors are using unsecured networks and they wanted to make sure that we were aware of the landscape. They gave us a whole bunch of tips and tricks, which, as it turns out, we were already using. After the D Day of the Dyn DNS takedown, we started seeing a ton of customers coming to us specifically for our security.

From a developer standpoint, the big benefit of using PubNub is that by adopting their data streaming network, all the security essentials they need are available right out of the box.

PubNub is compliant with a range of security legislation that includes HIPAA and the GDPR. It also supports geographical limitations as to where messages are stored, due in large part to the availability of their data centers all over the world.

Since all connections are outbound from the client, there are no open inbound ports required. Regional attacks are avoided using a system of intelligent data center routing protocols.

PubNub uses point-to-point TLS network encryption (encrypts messages in transit) and AES encryption, a protocol that is used by the United States government to encrypt sensitive messages and classified information.

Leveraging these and various other security features, PubNub allows their clients to separate multiple channels, giving them access to any device, user, channel or key on the network. If any malicious activity is detected, the endpoint can be isolated and shut down immediately without disrupting the rest of the network.

Combined, these protocols are a powerhouse of next generation security. And though they are certainly not specific to IoT, they are making the technology better, more reliable, and more viable as a life enhancing product, which is exactly what it’s meant to be.

Competition in this space continues to mount, but insofar as PubNub is a pioneer that has always demonstrated their commitment to a long range vision, it’s difficult to imagine a new player who could approach the same problems with as much passion and creativity. It would seem that we have imagined every possibility long before it was a sparkle in anybody else’s eye.

Cutting Edge Security

Not content to rest on their past accomplishments, PubNub continues to innovate new solutions and applications around the things they do best, but security is always at the forefront of every new initiative. If the name of the game is “let’s make this as easy as possible and deliver top quality and security from end-to-end”, then they, and by proxy, their clientele, are already well ahead of the curve.

From the end user, and for all the developers in between, PubNub is providing working solutions that make our lives better. Whether you realize it or not, they have already made a difference in how we see the world, the internet, and all the ways in which we connect to it. By strengthening confidence in the security of our connected devices, it will encourage companies to innovate, bring new products to market, and create a spectacular future. One that puts the “fun” back in function, while bringing our wildest imaginings into sharp focus, proving decisively that, with the right supports, anything is possible.